Are Kids’ Apps Collecting Data Illegally?

A study has found that more than 3,300 apps aimed at kids have potentially been violating US privacy laws by collecting data without parental consent.

The study found that “3,337 family and child-oriented Android apps on Google Play” were using data they had collected on children in ways that could potentially violate the Children’s Online Privacy Protection Act (COPPA). Researchers from universities and institutions in Canada and the US teamed up to produce the report, which was published by Berlin-based academic publisher De Gruyter.

COPPA governs how online services gather data on children under the age of 13 in America. It prohibits the collection of certain types of data completely and states that parental consent is required for others. Collecting Personally Identifiable Information (PII), such as a child’s full name, home address, phone number or email address, and distributing it to third parties requires this consent.

Children are vulnerable web-users. Photo by Hal Gatewood

Overstepping the mark

The research found that of the 5,855 apps studied, 281 “collected contact or location data” without seeking parental consent. These apps collected children’s geolocation or “data sufficient to infer it”, a fact that is likely to be extremely alarming for parents.

Exact GPS location isn’t always necessary to determine a user’s address, however. Devices connected to wifi hotspots can be located with “street level precision”, because wifi hotspots usually have fixed locations that identify them.

“This technique allows app developers to determine the user’s location without explicitly asking for the location permission or triggering the location notification icon”, the study claims. Apps are also able to see the saved wifi networks on a device and determine location that way. The research says that “Retrieving the names of saved networks does not require an app to hold location privileges either”.
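An added example, not taken from the study or this article: a reviewer-side check that flags Android manifests requesting wifi state access while declaring no location permission, the pattern described above. The permission names, package names and sample manifests are assumptions constructed for illustration, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: standard Android permission names; the article does not list them.
LOCATION_PERMS = {"android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"}
WIFI_PERMS = {"android.permission.ACCESS_WIFI_STATE"}

def requested_permissions(root):
    """Return the permission names declared under a parsed <manifest> element."""
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = (el.get(ANDROID_NS + "name") or "").strip()
            if name:
                perms.add(name)
    return perms

def audit(manifest_xml):
    """Classify one app by whether it asks for wifi data without a location permission."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    if perms & LOCATION_PERMS:
        verdict = "declares-location"       # user sees a location prompt
    elif perms & WIFI_PERMS:
        verdict = "wifi-without-location"   # candidate for manual review
    else:
        verdict = "no-location-signal"
    return {"package": root.get("package"), "verdict": verdict,
            "permissions": sorted(perms)}

def _manifest(package, perms):
    """Build a constructed sample manifest in decoded text form."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{body}<application/></manifest>')

# Constructed samples; the package names are hypothetical.
SAMPLES = [
    _manifest("com.example.kidspuzzle", ["android.permission.INTERNET",
                                         "android.permission.ACCESS_WIFI_STATE"]),
    _manifest("com.example.kidsmap", ["android.permission.ACCESS_FINE_LOCATION",
                                      "android.permission.ACCESS_WIFI_STATE"]),
    _manifest("com.example.kidspaint", ["android.permission.INTERNET"]),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample))
```

A flagged app only has the capability to read wifi data; whether it actually collects or transmits that data still needs case-by-case review.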

“While the COPPA rule does not require one specific method to obtain consent, it does require the method be ‘reasonably designed in light of available technology.’ Disclosing personal information to third parties, such as advertising agencies, requires reliable methods of verification of parental consent, such as payment systems, signed forms, or phone calls.”

It is not clear that the apps engaging in the behaviour mentioned above sought the correct parental consent.

The flag of the Federal Trade Commission, responsible for the Children’s Online Privacy Protection Act. Photo by Wikimedia

Carelessness?

As reported by technology website Engadget, the researchers in this study are “adamant” their findings do not show “definitive legal liability”. They add that “Establishing legal liability requires nuanced case-by-case analysis of individual products and practices, which is beyond the scope of this work”.

The researchers instead suggest that while these apps may be acting wrongfully, it is ultimately a decision for the Federal Trade Commission (FTC), which protects consumer rights in America, to make.

The FTC’s mission is to “protect consumers and promote competition/Whether combatting telemarketing fraud, Internet scams or price-fixing schemes”. It has a guide to operating within COPPA on its website, step four of which is titled “GET PARENTS’ VERIFIABLE CONSENT BEFORE COLLECTING PERSONAL INFORMATION FROM THEIR KIDS”.

How exactly is the FTC ensuring this is common practice? When contacted by The Versed, an FTC spokesperson said, “We provide a lot of guidance to businesses about complying with COPPA”.

“we have vigorously enforced COPPA and have brought more than two dozen law enforcement actions against companies for violating COPPA”.

The Apple App Store. Photo by PhotoAtelier

A new approach

Evgeny Ponomarev, co-founder and CEO of Fluence, a company looking to eliminate data breaches using blockchain technology, says that the issue lies with smartphone operating systems.

“the problem with this is how the platform (iOS, Android, others) itself is built, since there’s no 100% guarantee that the app does not collect any sensitive data and no way to check this”.

“Decentralized apps have a different approach and architecture though. The user has total control over everything that happens. If you don’t want to share some content with the network, you have the means to restrict access”.

He goes on to say that “as adults, we have to be extra cautious with what and how our children do in digital, technology can help, but it won’t make important decisions for us.”

The study that discovered potential wrongdoing has discovered only that: a potential breach of the law. It will likely not result in legal action being taken against the companies behind the apps. It will, however, draw attention to the issue, raise awareness among consumers and lead to solutions.
