Some of us are just starting to realize all the ways companies like Facebook and Google use our data to make money. But legally, children are supposed to be exempt from that. Under the Children’s Online Privacy Protection Rule (COPPA), apps cannot store or track any unnecessary information, such as location data or profiling information for advertisers, on children under the age of 13.
But recent research has identified thousands of apps on the Google Play Store that could be in violation of COPPA, all of which have been certified as COPPA-compliant by Google.
The biggest violation, the researchers argue, often doesn't come from app developers themselves — third-party analytics companies are exploiting loopholes without going through the proper channels to report what kind of data they're collecting.
Consider, for example, the developer BabyBus, which has produced countless mobile games for kids under the age of six, including "Baby Panda Care," "Little Panda Restaurant," and "Toilet Training - Baby's Potty." BabyBus doesn't collect location data through the usual Android permissions system, so it's in the clear as far as COPPA is concerned. However, the company had been transmitting lists of saved WiFi networks and access points to TalkingData, an analytics company that BabyBus no longer partners with. It's possible that some of these developers might even be sharing information without knowing it, the researchers note, because sometimes they simply don't know how many there are (the developers are still legally responsible).
There are steep consequences for companies that violate COPPA — the Federal Trade Commission fined Yelp $450,000 for doing so in 2014.
But it's surprisingly challenging for regulators to identify rule-breakers. Pretty much the only way to tell whether or not an app illegally stored data was to simply scan through its source code and look for red flags.
It's menial and tedious labor. That’s why, for the most part, the industry has relied on self-regulation. But there's reason to believe that's not working all that well.
To understand the scope of the problem, the team of computer scientists created software that runs each of 5,855 popular children’s apps for ten minutes, interacting with each app as a typical person might, and keeping track of all of the data that was transmitted or stored in the process.
The team quickly found troubling results: over half the apps they tested violated COPPA in some way and about 2,200 used permanent identifiers that could lead to targeted advertisements.
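The check at the heart of that kind of testing can be sketched as follows. This is an added example, not the researchers' tool: it scans captured outbound request bodies for identifiers seeded on a test device, including hashed or encoded forms. The device values, app names, hosts and the set of encodings tried are all assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import unquote_plus

# Constructed identifiers seeded on a hypothetical test device (not real values).
DEVICE = {"android_id": "a1b2c3d4e5f60718", "wifi_mac": "02:00:5e:10:ab:cd",
          "router_bssid": "00:11:22:33:44:55", "ssid": "HomeNet-Test"}
PERSISTENT = {"android_id", "wifi_mac"}  # stay fixed across app reinstalls

# Constructed captures of outbound request bodies; apps and hosts are made up.
SAMPLE_FLOWS = [
    {"app": "com.example.kidsgame", "host": "analytics.example.net",
     "body": "aid=" + hashlib.md5(b"a1b2c3d4e5f60718").hexdigest().upper()},
    {"app": "com.example.kidsgame", "host": "analytics.example.net",
     "body": '{"wifi":[{"bssid":"00%3A11%3A22%3A33%3A44%3A55","ssid":"HomeNet-Test"}]}'},
    {"app": "com.example.puzzle", "host": "cdn.example.org", "body": "level=3&score=120"},
]


def variants(value):
    """Yield (encoding, needle) pairs for forms the value may take on the wire."""
    for form in {value, value.upper(), value.replace(":", "")}:
        raw = form.encode()
        yield "plain", form
        yield "base64", base64.b64encode(raw).decode()
        for algo in ("md5", "sha1", "sha256"):
            yield algo, hashlib.new(algo, raw).hexdigest()


def find_leaks(flows, device=DEVICE):
    """Return sorted (app, host, identifier, kind, encoding) tuples for each match."""
    findings = set()
    for flow in flows:
        body = unquote_plus(flow["body"])  # undo URL-encoding before matching
        for name, value in device.items():
            kind = "persistent_id" if name in PERSISTENT else "location_proxy"
            for encoding, needle in variants(value):
                # base64 is case-sensitive; plain text and hex digests are not
                hit = (needle in body if encoding == "base64"
                       else needle.lower() in body.lower())
                if hit:
                    findings.add((flow["app"], flow["host"], name, kind, encoding))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_FLOWS):
        print(finding)
```

Matching on the seeded values rather than on parameter names is what lets the check catch an identifier that an SDK has hashed before sending, and WiFi details that reveal location without the location permission ever being requested.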
The researchers didn't look at the Apple app store, so the problem could be just as widespread there, too.
The good news? That same tool could be handy for regulators as they work to identify and penalize companies violating the law.
While the researchers point out in their paper that they are not lawyers and can only find possible violations, they’ve also published their tools and data sets so that Google and other regulators can have a go at it.