News / July 2017

CLTC Grantee Egelman: Half of Android “Family” Apps Violate Children’s Privacy Law

Serge Egelman

“When parents download a learning or gaming app from the ‘Designed for Families’ section of the Google Play store, they likely assume that those apps keep their kids’ data safe. After all, the Children’s Online Privacy Protection Act (COPPA) prohibits website operators and app developers from tracking or collecting personal data from children under the age of 13. Yet that assumption could be wrong.”

So begins an article on the Washington Post’s “Switch” written by Serge Egelman, a CLTC-affiliated researcher and director of the Usable Security & Privacy group at the International Computer Science Institute.

Egelman, together with his colleagues at ICSI, created a testbed that allowed them to simulate the behavior of mobile app users, then monitor the traffic flowing in and out of the devices. “By monitoring an app for just 10 minutes, we can tell whether it tracks the user’s behavior, discloses this tracking, or shares personal data directly with third parties,” Egelman wrote.

Based on examination of more than 5,000 of the most popular apps available from Google Play, the researchers found that more than 50 percent of those targeted at children under 13 appear to be failing to protect data. “The apps we examined appear to regularly send potentially sensitive information—including device serial numbers, which are often paired with location data, email addresses, and other personally identifiable information—to third-party advertisers,” Egelman wrote. “Over 90 percent of these cases involve apps transmitting identifiers that cannot be changed or deleted, like hardware serial numbers—thereby enabling long-term tracking.”

Egelman acknowledged that the developers most likely do not intend for their apps to share data, as most failed to configure their software properly or did not realize their third-party advertisers were sending out data in violation of COPPA. But he points out that “such a high rate of potential COPPA violations . . . reveals a systemic and troubling lack of oversight. While app developers are ultimately liable for such violations, it is clear that app stores like Google Play and Apple’s iTunes Store, as well as agencies like the Federal Trade Commission (which is responsible for enforcing COPPA), need to play a greater role.”

Egelman and his colleagues developed a website, AppCensus, that shows the privacy behaviors of the apps they tested. “We hope that our website will shine light on these practices so that other developers take action,” he wrote. “COPPA exists for a noble reason — protecting the privacy of children. We urge key stakeholders in government and industry to work together to ensure that this law is properly enforced.”

Read the piece on the Washington Post’s website.