Thousands of child apps and games potentially violate US data sharing law

A study conducted on child-directed Android apps from the US Google Play Store found over half may break US privacy law for under 13s


Thousands of child-directed Android apps and games are potentially violating US law on the collection and sharing of data on those under 13, research has revealed.
A study conducted on 5,885 child-directed Android apps from the US Play Store, which are included in Google’s Designed for Families programme, found that well over half of the apps potentially violated the US Children’s Online Privacy Protection Act (Coppa).
“We identified several concerning violations and trends,” wrote the authors of the Proceedings on Privacy Enhancing Technologies study, led by researchers at the International Computer Science Institute at the University of California, Berkeley. “Overall, roughly 57% of the 5,855 child-directed apps that we analysed are potentially violating Coppa.”
Among the apps, 4.8% had “clear violations when apps share location or contact information without consent”, 40% shared personal information without applying reasonable security measures, 18% shared persistent identifiers with third parties for prohibited purposes such as ad targeting, and 39% showed “ignorance or disregard for contractual obligations aimed at protecting children’s privacy”.

The researchers found that 28% of the apps accessed sensitive data protected by Android permissions and that 73% of the tested apps transmitted sensitive data over the internet.
“While accessing a sensitive resource or sharing it over the internet does not necessarily mean that an app is in violation of Coppa, none of these apps attained verifiable parental consent: if the [automated testing] was able to trigger the functionality, then a child would as well,” the researchers wrote.
The researchers said that Google had taken steps to help enforce Coppa compliance, with the Designed for Families programme that provides developers of children’s apps with information on the law and requires certification that apps comply. But they said “as our results show, there appears to not be any (or only limited) enforcement”.
While the researchers surmised that it is likely that “many privacy violations are unintentional and caused by misunderstandings of third-party Software Development Kits” that are used to build the apps, they urged Google to vet apps more actively for Coppa compliance.
The researchers also analysed whether apps with potential Coppa violations were part of the US Federal Trade Commission’s Safe Harbor programme, under which developers submit their apps for certification that they are Coppa-compliant. They found that few apps are actually certified under Safe Harbor and that, of those that are, “potential violations are prevalent”.
“Based on our data, it is not clear that industry self-regulation has resulted in higher privacy standards; some of our data suggest the opposite. Thus, industry self-regulation appears to be ineffective,” the researchers wrote.
Google did not immediately respond to a request for comment.
