What are the rules?
When apps, games, or websites are geared specifically for use by kids under the age of 13, they must comply with the rules of the Children’s Online Privacy Protection Act or COPPA. COPPA regulates how games, apps, and websites are allowed to collect and use personal information from children under the age of 13.
That’s why the tech world was shaken recently by a new study released by the International Computer Science Institute (ICSI) showing that thousands of free apps aimed at kids may be improperly or illegally gathering information about, or tracking, kids under 13 without their parents’ permission (https://petsymposium.org/…/popets-2018-0021.pdf).
The study looked at 5,855 of the most popular free apps in the Google Play store that met Google’s requirements to be featured in the Designed for Families Program. It states that potential violations were found in a majority of these apps.
The study highlights examples of infringements by the company BabyBus, which specializes in developing games for young children. The researchers analyzed 37 apps developed by the company and found that the apps did not access location information through the standard Android permissions system. Instead, the apps were observed transmitting hardware and network configuration info to a Chinese analytics company. This information included the names of saved Wi-Fi hotspots, their MAC addresses, and currently connected Wi-Fi access points.
The FTC is familiar with this form of info-sharing workaround. It reached a 4 million dollar settlement with analysis firm InMobi for collecting location data in a very similar way.
In another example, the analysis of apps produced by the company TinyLab found 81 apps that shared GPS locations with advertisers.
The examples above highlight only two of the 1,889 unique developers that were responsible for creating the 5,855 apps analyzed.
Of those 5,855 apps, 28% accessed sensitive data protected by Android permissions and 73% of the apps transmitted sensitive data over the internet. The study also found 107 apps that shared the email address of the device owner and 10 that shared phone numbers.
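As an added illustration (not code from the study or from this article), the sketch below shows the kind of check a traffic-based review can make: search each outbound request from a test device for that device's own identifiers, including the Wi-Fi, GPS, email and phone data mentioned above. The device values, hostnames and request bodies are constructed, and the hashed-variant and coordinate-tolerance matching are assumptions of this example.

```python
import hashlib
import re
from urllib.parse import unquote_plus

# Constructed identifiers for a test device the analyst controls.
DEVICE = {
    "wifi_bssid": "a4:2b:b0:11:22:33",
    "wifi_ssid": "HomeNet-5G",
    "owner_email": "parent@example.com",
    "phone_number": "+15555550123",
}
GPS_FIX = (37.8716, -122.2727)  # constructed latitude, longitude

def variants(value):
    """Lower-cased forms an identifier may take on the wire (assumed set)."""
    bases = {value, value.lower(), value.upper()}
    bases |= {b.replace(":", "").lstrip("+") for b in bases}
    forms = {b.lower() for b in bases}
    forms |= {hashlib.new(algo, b.encode()).hexdigest()
              for b in bases for algo in ("md5", "sha1")}
    return forms

def gps_in(text, fix, tol=1e-3):
    """True if both coordinates of `fix` appear in text within `tol` degrees."""
    nums = [float(n) for n in re.findall(r"-?\d{1,3}\.\d{3,}", text)]
    return all(any(abs(n - c) < tol for n in nums) for c in fix)

def scan_body(body):
    """Return the sorted identifier types found in one outbound request body."""
    text = unquote_plus(body).lower()
    found = {name for name, value in DEVICE.items()
             if any(form in text for form in variants(value))}
    if gps_in(text, GPS_FIX):
        found.add("gps_location")
    return sorted(found)

def report(flows):
    """Map each destination host to the identifier types sent to it."""
    return {host: hits for host, body in flows if (hits := scan_body(body))}

# Constructed captures: (destination host, request body).
FLOWS = [
    ("analytics.example.net",
     '{"ap": [{"ssid": "HomeNet-5G", "mac": "A42BB0112233"}]}'),
    ("ads.example.org", "lat=37.87161&lon=-122.27268&uid="
     + hashlib.sha1(b"parent@example.com").hexdigest()),
    ("cdn.example.com", "level=3&score=1200"),
]
print(report(FLOWS))
```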
How are all of these rule-breaking apps getting into the hands of kids?
When a parent is deciding which games are safe for their kids, they rely on things like third-party reviews, ratings, and special safeguards set up by companies that claim to vet the games to meet parental standards.
Both the Apple App Store and Google Play Store provide special child-targeted categories in their stores where developers can list their child-friendly games, and kids and parents can easily find them. And each company has rules the developers must follow to be able to list their apps in those special categories.
According to Google, for an app to be admitted into the Designed for Families section of the Google Play Store, it must be age appropriate for the whole family, appropriate for children, and compliant with COPPA and other relevant laws (https://play.google.com/…/designed-for-families/).
So how did nearly all of the 5,855 apps analyzed from the Google Play Store fail to be COPPA compliant?
Two reasons seem to stand out from the rest.
First, until this study, there was no way to reliably test an app for compliance other than to manually use each and every app, or to perform a static analysis of each app's code to check for potential infringements. And while this practice does happen, it is very long and laborious.
According to AppBrain, in the month of March 2018, 78,361 new apps were added to the Google Play Store. Yes, that is seventy-eight thousand plus, and yes, that is in one month (http://www.appbrain.com/…/number-of-android-apps).
That averages out to just over 2,500 apps added each day for the month of March, so you can see why it would be nearly impossible to keep up with compliance checks.
The second reason it’s hard to ensure the compliance of these apps is that they are breaking the law unintentionally.
The ICSI study states that most violations are probably unintentional. The developers of these apps are using SDKs (software development kits) to build their apps. SDKs have pre-built tools, libraries, code samples, processes, and guides for app developers to use to create their own apps that will work on specific platforms.
These SDKs come with data collection programming already on board. Many SDKs offer configuration options that disable tracking and behavioral advertising that the developer can use to remain compliant with the law. But the study showed that the majority of apps are either not using the configuration options or they are using them incorrectly.
In light of these major new findings, what can we do to keep our kids’ information safe?
Monitor which apps your kids are downloading
You can use Apple’s Family Sharing for iOS (https://www.apple.com/family-sharing/) or Google Play Family Library for Android (https://families.google.com/families) to monitor the list of apps your kids have and use.
Take a peek at their apps
There’s still really no better way to keep up on what your kids are doing than by playing the game or using the app yourself. If you’re too busy or disinterested, try watching your kids use the apps whenever you get the chance.
Look at independent reviews
Websites like Common Sense Media (https://www.commonsensemedia.org/app-reviews) offer age-based ratings and reviews of movies, games, and apps to keep parents informed and up-to-date on the latest in media geared toward kids.
Talk to your kids
Because kids are so immersed in their apps and games, they can easily look past info-grabbing requests. Continue to tell your kids about these kinds of issues when they come up and warn them about sharing their personal information online or through their games.
Make your voice heard
Ultimately the power is in the hands of the consumer. By speaking out, sending an email to companies who have violated your trust, or uninstalling their products from your devices, you can create a shift in the way they do business.
Read the study by the International Computer Science Institute (ICSI)
Stay informed on the current analysis methods used by app stores and reviewers by keeping up with the latest studies and tech news. This report is comprehensive and easy to understand (https://petsymposium.org/…/popets-2018-0021.pdf).
For independent reviewers of apps, and companies like Apple and Google, the slow, laborious method for analyzing apps has put them (and us) at a disadvantage.
These companies know how important privacy is to consumers. Newer and better ways of reviewing media geared toward children are obviously needed.
In light of this latest upset, I think we can look forward to seeing many app providers implementing a system like the one used in the ICSI study to review large groups of apps more efficiently.