Apps aimed at kids are a sponge of personal data, in direct violation of federal law, study reports

Thousands of apps targeted at children are silently and unlawfully gathering their data, study finds.

Kids apps.

Peekaboo, they see you. Image credits: Thomas Quinn.

In the wake of the Facebook / Cambridge Analytica meltdown, people are understandably quite concerned about the heap of data apps have gathered on them, and what happens to this wealth of information. Well, I’m sorry to break it to you, but according to a study published on April 16th, you should be even more concerned.

Hide your kids

Researchers from the International Computer Science Institute say that the majority of free Android apps intended for children are tracking their data — in direct violation of the Children’s Online Privacy Protection Act, or COPPA, a federal law that regulates data collection from users under 13 years of age.

The study analyzed 5,855 apps targeted at children, each gathering an average of 750,000 downloads between November 2016 through to March 2018, according to the paper. These apps, which had over 172 million downloads combined, were games like Fun Kid Racing and Motocross Kids — Winter Storm. Using a Nexus 5X as a platform, the team downloaded and ran each app for about 10 minutes, to simulate a usual session. The results were quite worrying.

Thousands of the apps the team looked at collected data from the device in some way or another, some including location (GPS) data or personal information. Up to 235 of these apps accessed the phone’s GPS data, 184 of which later transmitted this data to advertisers, according to the study. According to Serge Egelman, the paper’s co-author, the findings are bound to worry parents, particularly since they would need an ‘expert’ level of technical knowledge to be able to figure out which apps did this for themselves.

“They’re not expected to reverse-engineer applications in order to make a decision whether or not it’s safe for their kids to use,” he said.

People often give permission for apps to gather ad-tracking data in exchange for free service — we’re all guilty of doing this at one point or another. It isn’t only Android apps that do it, either. For better or for worse, there is a myriad of apps — and most likely a Facebook tracker — peeking at your data all the time.

However, we’re adults, and the right to make our own choices comes with its own risks, including giving away permissions for apps. Children, who aren’t discerning enough to know what consequences their buttoning might have, are given protected legal status through COPPA. Children’s apps are thus not allowed to track data without first gaining explicit parental consent. The study, however, found that many of the apps they analyzed didn’t conform to the law.

Egelman says that even if companies try to ensure they conform to COPPA, the results are still worrying. The simulated interactions were handled by a machine randomly pressing buttons, and most apps still tracked data in one form or another. COPPA requires producers to get “verifiable consent,” meaning that they have to take steps to ensure that people know what information they were releasing to the app.

“If a robot is able to click through their consent screen which resulted in carrying data, obviously a small child that doesn’t know what they’re reading is likely to do the same,” Egelman said.

Back in 2014, Google allowed users to reset their Android Advertising ID to give them better control over how online apps track their data. Developers are required to only use that ID when tracking user data, but the team says two-thirds of the apps they looked at didn’t allow users to reset their ID. Even more glaringly, over 1,000 of the apps also collected personal information in direct violation of Google’s terms of service, which prohibits such tracking in apps targeted towards children.

To add insult to injury, over 40% of the apps further failed to transfer the data in a secure way. Some 2,344 children’s apps transferring collected data did not use TLS encryption, a security standard that makes sure the data and its recipient are authentic. The security measure is the “standard method for securely transmitting information,” the researchers said.

The paper ” “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale,” has been published in the journal Proceedings on Privacy Enhancing Technologies.

Leave a Reply

Your email address will not be published.