A new study by the Privacy Enhancing Technologies Symposium (PETS) has uncovered an alarming statistic: a majority of the most popular and free children’s Android apps collect private data in violation of the Children’s Online Privacy Protection Act (COPPA).
Out of nearly 6,000 apps that it analyzed, the group said that over 1,100 collected personally identifiable information (PII). Additionally, nearly 3,500 shared identification information with advertisers, and roughly 2,300 collected other types of data.
The researchers say the data these apps collect runs the gamut from phone numbers and e-mail addresses to geolocation information. Of these, geolocation data may present the biggest concern because it not only pinpoints where someone lives; it also can make way for interpretations about socioeconomic classes, every day habits, health conditions, and other information -- data that could have life-long implications for children.
Follow the money
There’s a domino effect in all of this, as well. According to the study, the data collected has cookie crumbs trailing back to mobile marketers and app developers who make their money off the data they collect. The five most popular data destinations were mobile app monetization platforms: mopub.com (85 apps), aerserv.com (84 apps), skydeo.com (80 apps), youapp.com (80 apps), and inner-active.mobi (76 apps).
“Although we cannot know the true number of children’s apps in the Play Store, we believe that our results are representative, given that the apps that we examined represent the most popular free ones,” PETS said in a statement.
With the number of apps released each year, one can only imagine how daunting a task it would be to police every corner of every app’s code -- even for a company like Google.
“While child-directed apps may use some Google services, developers are responsible for using these services according to their obligations under the law,” Google stated in a directive to app developers. “Please review the FTC’s guidance on COPPA and consult with your own legal counsel.”
It was only last week when Google’s place in a child’s data food chain came into question. The Campaign for a Commercial-Free Childhood asked the Federal Trade Commission to investigate YouTube for violating COPPA. Specifically, the organization alleged that YouTube illegally collects data about underage viewers, then leverages that data to advertise to that demographic.
What apps are the biggest culprits?
One particularly flagrant example, according to the study, is app developer TinyLab. PETS observed that 81 of the company’s 82 apps shared GPS coordinates with advertisers. Especially popular apps included:
Fun Kid Racing (10-50 million installations)
Motocross Kids–Winter Sports (5-10 million installations)
Fun Kid Racing–Motocross (10-50 million installations)
PETS’ deep dive also came up with a determination that human-readable network names (SSIDs) also allow some inferences about users’ locations, especially when collected over time and across locations. PETS found 148 apps engaging in this behavior, including Disney’s “Where’s My Water? Free” app (100–500 million installations).
If this raises concerns...
So-called “free” apps have to make money somewhere, and it’s usually on the backs of the data it collects and spins into advertising revenue.
Short of a parent poring over the fine print in an app’s terms of service and making a conscious decision based on what they find, it’s a smart idea to ask the app’s developer exactly what information it collects and repurposes.
COPPA also offers FAQs for parents and developers alike, as well as an e-mail address where users can ask questions. That e-mail address is CoppaHotLine@ftc.gov.