New study claims to reveal rampant COPPA failures in free kids’ apps

Children and Apps

In a recently published paper − humorously titled “‘Won’t Somebody Think of the Children?’ Examining COPPA Compliance at Scale” − the International Computer Science Institute analyzes the behavior of more than 5,800 Android apps that are offered free to children. The paper purports to measure how well this group of applications complies with the Children’s Online Privacy Protection Act (COPPA).

The findings, if correct, should give every app developer pause − even if they’ve engaged protective measures.

Method

The paper discusses a new method for analyzing these mobile applications. Previously, analysts who attempted to delve into the behaviors of apps would examine the underlying code and attempt to predict the application’s potential future behaviors. In this study, the authors claim to rely on a different, more dynamic method that tracks app behavior in a simulated user environment.

From late 2016 until 2018, their testing platform “scraped” free apps from the Google Play Store and focused on the most popular available apps in the Store. They then winnowed this group down to apps that were enrolled in Google’s “Designed for Families” (DFF) program − a voluntary initiative that identifies apps that target an under-13 audience and attests to the COPPA compliance of those apps.

Uncoveries

In the paper, the authors claimed that most of the apps in the DFF program potentially violate COPPA. The study attributes this to third-party software development kits (SDKs) that companies use to put their apps together. The authors claim that COPPA-compliant options in these SDKs are available, but are simply not used, or in some cases are not properly distributed during development.

The authors also claim that nearly 20 percent of the tested apps gather personal information through the use of SDKs that are identified as being inappropriate for children’s applications.

Interestingly, 28 percent of the apps enrolled in the DFF program, according to the authors, access sensitive data normally protected by Android permissions. Moreover, 73 percent of the apps transmitted sensitive data over the internet. In both groups, parental permission was not requested or given.

The Takeaway

This study also sheds light on compliance issues for some “Safe Harbor” programs, which are agreements in which companies submit apps to industry organizations for review and certification. Companies working within Safe Harbor programs are partially shielded from direct FTC enforcement actions based on their implementation of self-regulatory guidelines.

According to the study, the current roster of apps approved for Safe Harbor programs do not fare well. The paper stated that 41.7 percent of the apps in one Safe Harbor group transmitted location and contact information, such as phone numbers and email addresses, and nearly 46 percent of the first Safe Harbor group did not use encryption to protect the data. In another Safe Harbor group, 77.2 percent of apps transmitted persistent identifiers, which are unique tags identifying users across different websites and services.

The authors end their study by explaining the importance of their new test platform to end users who want to learn more about the apps their kids use and how developers could benefit from testing their apps before release.

Companies and developers creating apps under COPPA’s purview should review the Safe Harbor program requirements as well as COPPA requirements when developing an app. Regulators will continue to analyze apps’ functionalities with respect to children under the age of 13 and will undoubtedly hold companies with violations accountable.