Popular apps violate children's privacy

The privacy of children may be violated by thousands of mobile apps, according to a new international study.

Many of these apps are popular games that are free of charge through the Google Play Store and which track the use habits of children.

An international group of seven researchers from the IMDEA Networks Institute in Madrid and ICSI, the International Computer Science Institute at the University of California, Berkeley, analysed 5855 apps for children. They found that 57% may be violating the US Children’s Online Privacy Protection Act (COPPA). Thousands of apps collect and share with third parties personal data of under 13s without parental consent. The services collecting this information, such as those devoted to online advertising and user monitoring, are for the most part designed to share data with third parties, according to this study.

The researchers found that 28% of these apps accessed confidential data protected by Android permissions and that 73% of the apps transmitted confidential data over the internet. Among the apps analysed, 4.8% presented “clear violations when apps share location or contact information without consent”, 40% shared personal information without applying reasonable security measures, 18% shared persistent identifiers (such as a mobile phone’s IMEI) with services or business partners for prohibited purposes, for example ad targeting, and 39% “do not seem to take sufficient measures to protect the privacy of children”, according to Narseo Vallina-Rodriguez, one of the study’s authors.

“While accessing a sensitive resource or sharing it over the internet does not necessarily mean that an app is in violation of COPPA, none of these apps attained verifiable parental consent: if the [automated testing we performed] was able to trigger the functionality, then a child would as well,” the researchers wrote.

In addition, many of these apps use services provided by third parties whose terms of service prohibit their use in apps targeted to minors. Therefore, the apps that embed the tracking software provided by these services may not only be infringing COPPA, but also the legal terms by which those services are governed. An example of such third parties, among the many that the study mentions, is the Crashlytics service owned by Alphabet (Google’s multinational parent company).

Each of the apps studied was installed, on average, more than 750,000 times, which means that they may be potentially in use by millions of devices on a global scale. Among the apps analysed are some very popular games like Disney’s ‘Where’s My Water?' and Gameloft’s ‘Minion Rush’, as well as ‘Duolingo’, a language learning app. Disney, Gameloft and Google have said in statements made to international media in response to this study that the protection of children’s rights is of great importance to them and they have committed themselves to investigate further.

These findings come to light at a time when Facebook, another Silicon Valley giant with crucial interest in the digital advertising business, is on the radar of international data protection agencies for the illegal filtering of information from 87 million Americans to Cambridge Analytica.

Critics of Google, Facebook and other stakeholders that dominate the digital-apps world say they have profited greatly from advances in data-tracking technology to promote their business purposes, even as regulators have failed to keep up with the resulting privacy intrusions. The law exists in the US, and at the end of May the European Union will put into operation the new GDPR legislation for the regulation of privacy on the internet. This Pan-European law is aimed at tackling and controlling the fraudulent and transnational use of the vast amount of personal data that flows through the network, a marketplace in vogue to buy and sell data, which is unknown to the consumer despite being its flagship product.

Nevertheless, according to Vallina-Rodriguez, “To date, regulatory attempts seem to have had little effect in curbing these practices. There are still countless examples of games and apps for children who use third-party services that collect tracking data without parental consent.”

The results of this study aggravate the concern about the lack of transparency of the companies to which, every day, adults and minors, parents and children, trust highly sensitive information.

“Based on our data, it is not clear that industry self-regulation has resulted in higher privacy standards; some of our data suggest the opposite. Thus, industry self-regulation appears to be ineffective,” the researchers wrote.

Image credit: ©stock.adobe.com/au/Syda Productions

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.