Beneath Irwin Reyes’s desk are ten smartphones hooked up to a computer, running a dizzying number of apps to find out what user information those apps send back to their creators.
Reyes and his fellow Berkeley researchers at the Berkeley-affiliated International Computer Science Institute (ICSI) recently used the phones to survey thousands of free Android children’s apps from the Google Play store’s Designed for Families program. The researchers found that the majority of these apps were in potential violation of the Children’s Online Privacy Protection Act, or COPPA, which governs how children’s personal information is collected and handled.
According to the findings, published in the June issue of Proceedings on Privacy Enhancing Technologies, 5 percent of the apps harvested location or contact data without verifiable parental consent, and nearly a fifth of the apps collected “personally identifiable information” through third-party software development kits (SDKs) that were not supposed to be used in child-directed apps. Many also transmitted data without adequate security.
The reason app developers might be less than vigilant with kids’ privacy is no mystery. To make money on free apps, developers sell personal data to ad networks. Privacy concerns work against that business model.
Many of the surveyed app developers claimed not to know that children were among their users. Others, less credibly, said their products weren’t marketed to children. (One such app advertised itself as a “RACING GAME FOR KIDS” and boasted that “CHILDREN LOVE IT!”)
The biggest surprise may be that these privacy violations were happening on Google’s watch, which provides COPPA compliance guidelines that children’s app developers must agree to follow. Reyes doesn’t think the tech behemoth is doing everything it can to protect users, however. “We have a privacy-analysis system here; they should be using something similar, as well,” he said.
To help change matters, the team at ICSI has set up AppCensus, a database of tens of thousands of apps, showing potential violations. Serge Egelman, a Cal professor and an ICSI research director, said regulators have consulted the database, as have some companies that are trying to do better. As for Google, Egelman says his colleagues have submitted a report to the company “with a bunch of the most egregious apps, and basically it’s been crickets on their side.”
Not that app developers should be let off the hook. Amit Elazari Bar On, a Berkeley Law doctoral student who worked on the paper, says, “Not knowing the law is no excuse. You’re harvesting data of children.”