When Facebook admitted that Cambridge Analytica, a right-wing data firm, had stolen millions of profiles, it was just the beginning of a series of revelations: Facebook CEO Mark Zuckerberg has been forced to admit that his company profiles people who don’t even use Facebook and that it attempts to predict what users do next on the site to cater to advertisers. But it’s easy to forget that Facebook is far from the only company collecting our data, or that any American under 13 is supposed to have strict privacy protections. A new study has thrown both of those into sharp relief.
The International Computer Science Institute has been looking into the privacy controls on Android, especially the many, many third-party apps Google allows onto its operating system. In particular, they were curious about how apps aimed at kids comply with the Children’s Online Privacy Protection Act (COPPA), which strictly controls what information can be collected from children. So they designed an automatic tool that evaluates apps based on their use of third-party software development kits, or SDKs. The results were alarming:
Based on our automated analysis of 5,855 of the most popular free children’s apps, we found that a majority are potentially in violation of COPPA…Worse, we observed that 19% of children’s apps collect identifiers or other personally identifiable information (PII) via SDKs whose terms of service outright prohibit their use in child-directed apps…[and] 66% transmit other, non-resettable, persistent identifiers as well…
In other words, most of these apps track kids in ways explicitly banned by United States law. And since many of these apps have those violations buried deep in their own code or in third-party code the app buys and uses, it may well be impossible for the average parent to determine which apps are safe.
The good news is that this appears, by and large, to be due to incompetence instead of malice. It’s not entirely clear developers, particularly those in other countries, were even aware of COPPA, and some of the configurations and standards are relatively obscure or left on by default. It also appears many of these apps are the equivalent of a car cobbled together with spare parts lying around; developers just find code that solves the problem, bolt it onto their app, and ignore the giant booklet of warnings that comes with it. But at the same time, the study found that nearly a fifth of the apps it looked at were violating Google’s terms of service, and the search giant appears not to have noticed.
There are already some fairly serious concerns surrounding smartphones. Both Apple and Google have gotten in trouble over their apps and their operating system gathering data without truly informed consent. But around children, who may not understand what a targeted ad is, it’s a particular concern. For now, parents should look at app permissions closely and delete apps they don’t trust, but truly fixing the problem will need Google to step in and enforce its own standards.