Thousands of Popular Kids’ Apps Collect, Share Children’s Personal Data
Thousands of the most popular kids’ apps and games available in the Google Play Store are tracking children’s use habits without parental consent, and sharing the data with third parties, according to a large-scale international study. The paper was co-authored by Narseo Vallina-Rodriguez, a researcher at the IMDEA Networks Institute in Madrid, Spain, and ICSI, the International Computer Science Institute at the University of California, Berkeley, in the US.
An international group of seven researchers analyzed 5,855 apps for children and found that 57% may be violating the US Children’s Online Privacy Protection Act (COPPA). Thousands of the children’s apps collect and share with third parties personal data of kids under 13 without parental consent. The services collecting this information, such as those devoted to online advertising and user monitoring, are for the most part designed to share data with third parties, according to this study.
Each of the apps studied was installed, on average, more than 750,000 times, which means that they may be potentially in use by millions of devices on a global scale. Among the apps are some very popular games like Disney’s ‘Where’s My Water?’ and Gameloft’s ‘Minion Rush,’ as well as ‘Duolingo,’ a language learning app. Disney, Gameloft and Google have said in statements made to international media in response to this study that the protection of children’s rights is of great importance to them and they have committed to investigate further.
The researchers found that 28% of these apps accessed confidential data protected by Android permissions and that 73% of the apps transmitted confidential data over the Internet. Among the apps analyzed, 4.8% presented “clear violations when apps share location or contact information without consent,” 40% shared personal information without applying reasonable security measures, 18% shared persistent identifiers (such as a mobile phone’s IMEI) with services or business partners for prohibited purposes, for example ad targeting, and 39% “do not seem to take sufficient measures to protect the privacy of children,” Vallina-Rodriguez said.
“While accessing a sensitive resource or sharing it over the Internet does not necessarily mean that an app is in violation of COPPA, none of these apps attained verifable parental consent: if the [automated testing we performed] was able to trigger the functionality, then a child would as well,” the researchers wrote.
In addition, many of these apps use services provided by third parties whose terms of service prohibit their use in apps for kids. Therefore, the apps that embed the tracking software provided by these services may not only be infringing COPPA, but also the legal terms by which those services are governed. An example of such third parties, among the many that the study mentions, is the Crashlytics service owned by Alphabet (Google’s multinational parent company).
These findings come to light at a time when Facebook, another Silicon Valley giant with crucial interest in the digital advertising business, is on the radar of international data protection agencies for the illegal filtering of information from 87 million Americans to Cambridge Analytica. Earlier, Facebook faced fire for its ostensibly COPPA-compliant kids’ app, Messenger Kids, which was launched amid much criticism by children’s rights advocates and online privacy experts.
COPPA, the US law aimed at protecting children’s online privacy, is currently a gold standard; indeed, globally, regulators have failed to keep up with digital invasions of privacy. The European Union will only enact its General Data Protection Regulation (GDPR) legislation for the regulation of privacy on the Internet next month.
Yet it may be too little too late — and in many parts of the world, it’s non-existent.
In India, there are no equivalent laws to COPPA, and a 2016 UNICEF report found that Indian laws have failed to adequately protect Indian children from online abuse. Additionally, there are no online privacy laws in place to protect even adult Indian Internet users. However, laws may not be what’s required to make the internet safer for children.
“To date, regulatory attempts seem to have had little effect in curbing these practices,” Vallina-Rodriguez said. “There are still countless examples of games and apps for children who use third-party services that collect tracking data without parental consent. For example, Google’s Designated for Families (DFF) program requires developers of children’s apps to comply with COPPA but, as our results show, there appears to not be any (or only limited) application of the law since it is not enforced.”
In addition, the analysis performed of apps certified as “safe” by the US Federal Trade Commission’s (FTC) Safe Harbor program did not yield better results. Most still violated COPPA, despite the certification obtained.
The results of this study aggravate the burning concern about the lack of transparency of the companies to which, every day, adults and minors, parents and children, trust highly sensitive information.
“Based on our data, it is not clear that industry self-regulation has resulted in higher privacy standards; some of our data suggest the opposite. Thus, industry self-regulation appears to be ineffective,” the researchers wrote.
According to them, centralized regulatory and control efforts by governmenta are required since the violation of the rights of consumers is massive and prevalent.