Study finds apps for children may violate federal privacy law
A recent study by computer scientists shows that many free apps designed for children collect and share identifying information in violation of a federal privacy law.
The study, “Won’t Somebody Think of the Children?” examined 5,855 of the most popular free children’s apps in the Google Play Store and was conducted earlier this year by researchers at the University of British Columbia, University of Calgary, University of California Berkeley, Stony Brook University, IMDEA Networks and International Computer Science Institute.
Researchers touted the project as the first study to monitor actual program behavior in real time and at scale. Of the 5,855 apps they tested, researchers found that:
-256 of them collected information sufficient to figure out one’s location
-107 of the shared the device owner’s email address
-1,100 of them sent persistent identifiers to third parties whose terms of service explicitly state it should not receive data from children’s apps.
The researchers chose to test Android apps, because the operating system is open source, and the source code for iOS apps is not accessible.
Researchers said a majority of apps they tested are potentially in violation of COPPA, the Children’s Online Privacy Protection Rule.
Dr. Eric Cole, author of Online Danger and founder of Secure Anchor Consulting, said the results do not surprise him. He said if law enforcement goes after some of these companies, they are likely to shut down and start a new company.
“A lot of these folks know they’re breaking the law, but they’re making $80,000-$100,000 over a few months, so they’re going to do it and they sort of stay one step ahead of enforcement,” Cole said.
Cole added that it’s very hard to enforce different child safety laws, because there are a lot of apps in the marketplace, and they change quickly. He said without a detailed study, it’s hard to know what personal information the apps are collecting.
In response to questions about certain companies named by the study, a member of the Federal Trade Commission’s Office of Public Affairs, Juliana Gruenwald Henderson, told CNN, “We vigorously enforce COPPA and have brought nearly 30 enforcement actions and obtained more than $10 million in civil penalties against companies for violation of the COPPA Rule since it was enacted. FTC investigations are nonpublic so we can’t comment on whether we haven an open investigation on any particular company.”
Cole said the good news is that none of the apps in the study are tracking information secretly. He offered the following advice for parents:
1. Go to your phone settings. Turn off location services for any apps which you do not want to track your location.
2. Buy the paid version of the app. Cole said, “One of the words I hate is ‘free.’ Because everyone thinks free is free. Free is not free. With free, you or your child is the product.” A free app can make money by taking personal information to create targeted ads. While a paid app could presumably still do the same thing, it is already making money from your purchase.
3. Let your child play on the device in “airplane mode.” Cole said that interactive games, which require connectivity, allow for the possibility for information to be transmitted. Sticking to games local to the device, or playing in airplane mode, prevents that from happening.
4. Stick with well-known developers with apps that have high ratings and a high number of downloads.
This particular study was focused on the most popular games. So, if they’re collecting personal information, it’s for the purpose of creating personalized ads. But there are also more nefarious actors on the internet.
Cole said child predators are “putting out games, they’re tracking your child’s location, but instead of pushing them to a toy store, they’re going to try to abduct your children or cause harm. So, this is a much bigger problem than what the study really highlights.”
The good news is that these bad actors are usually caught quickly and taken down, without having much of a chance to develop high ratings or a high number of downloads. Cole advises to stay with the apps that have a much bigger following.
CNN reached out to some of the companies named in the study, that researchers said were collecting information in possible violation of the law.
One developer, Jonas Abromaitis of Tiny Lab, contended that the company was falsely accused. He added that after the negative media attention, only one parent wrote to complain to the company.
Abromaitis said he had planned to release a statement, “I was thinking either not to do it at all or add a section with main message that parents don’t really care about this.”
Dr. Aprille Joy Ericsson, a mom and an aeronautical engineer for NASA, disagreed.
Ericsson said it’s not that parents don’t care; it’s that they don’t understand. She admitted she does not know what apps are doing in the background. Her nine-year-old daughter, Arielle, said she plays a lot of games on her phone and iPad that continually give her pop-up ads.
Ericsson also doesn’t know where to look for resources that guide parents on how to avoid apps that collect her daughter’s information.
“There’s got to be a better way,” Ericsson said. “How do I even begin to figure out which ones do and which ones don’t? I’m just not computer savvy enough or have the time to sit there and surf through and do the homework.”
The researchers of the study created a site that may begin to help.
The site, called AppCensus, allows parents to search for apps tested by researchers to see what those apps do.