24 April 2018
Thousands of the most popular apps and games available, mostly free of charge, in the Google Play Store, make potentially illegal tracking of children’s use habits, according to a large-scale international study co-authored by Narseo Vallina-Rodriguez, a researcher at the IMDEA Networks Institute in Madrid and ICSI, the International Computer Science Institute at the University of California, Berkeley (USA).
An international group of seven researchers analyzed 5,855 apps for children and found that 57% may be violating the US Children’s Online Privacy Protection Act (COPPA). Thousands of apps collect and share with third parties personal data of under 13s without parental consent. The services collecting this information, such as those devoted to online advertising and user monitoring, are for the most part designed to share data with third parties, according to this study.
The researchers found that 28% of these apps accessed confidential data protected by Android permissions and that 73% of the apps transmitted confidential data over the Internet. Among the apps analyzed, 4.8% presented “clear violations when apps share location or contact information without consent”, 40% shared personal information without applying reasonable security measures, 18% shared persistent identifiers (such as a mobile phone’s IMEI) with services or business partners for prohibited purposes, for example ad targeting, and 39% “do not seem to take sufficient measures to protect the privacy of children”, according to Vallina-Rodriguez
“While accessing a sensitive resource or sharing it over the internet does not necessarily mean that an app is in violation of COPPA, none of these apps attained veriﬁable parental consent: if the [automated testing we performed] was able to trigger the functionality, then a child would as well,” the researchers wrote.
In addition, many of these apps use services provided by third parties whose terms of service prohibit their use in apps targeted to minors. Therefore, the apps that embed the tracking software provided by these services may not only be infringing COPPA, but also the legal terms by which those services are governed. An example of such third parties, among the many that the study mentions, is the Crashlytics service owned by Alphabet (Google’s multinational parent company).
Each of the apps studied was installed, on average, more than 750,000 times, which means that they may be potentially in use by millions of devices on a global scale. Among the apps analyzed are some very popular games like Disney’s ‘Where’s My Water?’ and Gameloft’s ‘Minion Rush’, as well as ‘Duolingo’, a language learning app. Disney, Gameloft and Google have said in statements made to international media in response to this study that the protection of children’s rights is of great importance to them and they have committed themselves to investigate further.
These findings come to light at a time when Facebook, another Silicon Valley giant with crucial interest in the digital advertising business, is on the radar of international data protection agencies for the illegal filtering of information from 87 million Americans to Cambridge Analytica.
Critics of Google, Facebook and other stakeholders that dominate the digital-apps world say they have profited greatly from advances in data-tracking technology to promote their business purposes, even as regulators have failed to keep up with the resulting privacy intrusions. The law exists in the US and at the end of May the European Union will put into operation the new GDPR legislation for the regulation of privacy on the Internet. This Pan-European law is aimed at tackling and controlling the fraudulent and transnational use of the vast amount of personal data that flows through the network, a marketplace in vogue to buy and sell data, which is unknown to the consumer despite being its flagship product.
Nevertheless, according to Vallina-Rodriguez, “to date, regulatory attempts seem to have had little effect in curbing these practices. There are still countless examples of games and apps for children who use third-party services that collect tracking data without parental consent. For example, Google’s Designated for Families (DFF) program requires developers of children’s apps to comply with COPPA but, as our results show, there appears to not be any (or only limited) application of the law since it is not enforced”. In addition, the analysis performed of apps certified as “safe” by the US Federal Trade Commission’s (FTC) Safe Harbor program did not yield better results. Most were still violating COPPA, despite the certification obtained.
The results of this study aggravate the burning concern about the lack of transparency of the companies to which, every day, adults and minors, parents and children, trust highly sensitive information. “Based on our data, it is not clear that industry self-regulation has resulted in higher privacy standards; some of our data suggest the opposite. Thus, industry self-regulation appears to be ineﬀective,” the researchers wrote. According to them, centralized regulatory and control efforts by the government are required since the violation of the rights of consumers is massive and prevalent.
Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo Vallina-Rodriguez, Serge Egelman (July 2018)
“Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale [PDF]
In: The 18th Privacy Enhancing Technologies Symposium (PETS 2018), 24–27 July 2018, Barcelona, Spain.