Sophos Cloud Optix
Many mobile apps aimed at children are sharing personal information – such as device ID, geolocation and phone numbers – with third parties, all without notifying parents or asking for permission.
A number of mobile apps also contain advertising, in-app purchasing ability, and links to social media. Some even send information to ad networks, analytics companies, or other third parties, all without disclosing such features to parents prior to download.
Those are the findings of a new report released on Monday by the US Federal Trade Commission (FTC), titled Mobile Apps for Kids: Disclosures Still Not Making the Grade [PDF].
The report, which examines privacy disclosures and practices of mobile apps available for children in the Google Play and Apple App stores, details the FTC’s second survey.
Since the FTC’s first survey, in 2011, not much has changed. The FTC found that parents still remain largely in the dark about how to figure out what data apps are collecting from their children, how it’s being shared, or who can access it.
FTC Chairman Jon Leibowitz said in a statement that in spite of what might be companies’ best intentions with regards to protecting children’s privacy, the FTC just isn’t seeing any progress when it comes to getting parents the information they need to make informed app choices:
"In fact, our study shows that kids' apps siphon an alarming amount of information from mobile devices without disclosing this fact to parents. All of the companies in the mobile app space, especially the gatekeepers of the app stores, need to do a better job."
In fact, the FTC is launching investigations to gauge whether some companies in the mobile apps space might be violating the Children’s Online Privacy Protection Act (COPPA) or engaging in unfair or deceptive practices in violation of the Federal Trade Commission Act.
A majority of surveyed apps – 60%, or 235 – collected or transmitted device IDs. Sometimes they went back to the developer, but more often, the data was sent to an advertising network, analytics company, or other third party.
Device IDs matter because they’re the building blocks for a rich treasure trove of personal profiles, the report says.
These short strings of letters and/or numbers are unique identifiers for specific mobile devices. Smartphones typically have multiple device IDs, each assigned to a different purpose, such as enabling WiFi and Bluetooth or identifying devices on carriers’ networks.
Device IDs carry separate electronic DNA strands that can be amalgamated to form a rich, deep profile that contains user device model, carrier, operating system version, language settings, and personal data such as user name, phone number, email address, friends list, and geolocation.
Device IDs, which are difficult or impossible to change, can be used for good or not-so-good when it comes to privacy, according to the report:
"The extent to which the collection of device IDs raises privacy concerns depends in part on how it is used. Because device IDs are difficult or impossible to change, they can be used by apps, developers, and other companies to compile rich sets of data or 'profiles' about individuals. However, the use of device IDs when necessary for specific internal operations, such as protecting against fraud and theft, site maintenance, maintaining user preferences, or authenticating users, would not raise the same concerns."
"Concerns about the creation of detailed profiles based on device IDs become especially important where, as staff found, a small number of companies (like ad networks and analytics providers) collect device IDs and other user information through a vast network of mobile apps. This practice can allow information gleaned about a user through one app to be linked to information gleaned about the same user through other apps."
(Note that Apple no longer accepts apps that access UDIDs, given privacy backlash.)
More of the FTC’s findings from the report:
- Only 20% of the apps reviewed disclosed any information about privacy practices.
- A relatively small number of third parties received information from a large number of apps. This means the third parties that receive information from multiple apps could potentially develop detailed profiles of the children based on their behavior in different apps.
- 58% of reviewed apps contained advertising within the app, while only 15% disclosed the presence of advertising prior to download.
- 22% of the apps contained links to social networking services, while only 9% disclosed that fact.
- 17% of reviewed apps allow kids to make purchases for virtual goods within the app, with prices ranging from 99 cents to $29.99. Although both stores provided certain indicators when an app contained in-app purchasing capabilities, these indicators were not always prominent and, even if noticed, could be difficult for many parents to understand.
This study was released as support for an update to Coppa surges.
Congress passed COPPA in 1998 with bipartisan support, and it went into effect in 2000.
In the 12 years since then, technologies such as mobile marketing and behavioral profiling have emerged. Those are just two aspects of recent technological evolution that have caused nonprofits such as the Center for Digital Democracy (CDD) and Common Sense Media to push to update COPPA.
Proposed changes would limit the amount of time companies could keep data collected on children and would mandate that third parties adequately protect the information they collect.
As it now stands, the mobile apps industry is displaying flagrant disregard for children’s privacy, the CDD said in a statement about the FTC report.
The statement quotes American University Prof. Kathryn Montgomery, who helped to spearhead the passage of COPPA:
"This report reveals widespread disregard for children's privacy rules. In the rapidly growing children's mobile market, companies are seizing on new ways to target children, unleashing a growing arsenal of interactive techniques, including geo-location and use of personal contact data. It is clear that there is an urgent need for the FTC to update its COPPA regulations and to engage in ongoing enforcement."
Meanwhile, while we wait for updates to COPPA, the FTC wants to see some change, said FTC Chairman Leibowitz:
"We'll do another survey in the future and we will expect to see improvement."
It would be great if the industry stepped up to the plate and improved on these privacy failings.
But I wouldn’t be surprised if improvement were to need a dynamite stick of punitive FTC fines to get it moving.
That spark might not be long in coming.
As I was posting this, I saw that the CDD partnered with the FTC to file a complaint about Mobbles, a popular mobile app for kids that collects data without telling parents or asking for their consent.
Well, alrightey, then.
Kudos to the FTC and the CDD for fighting for children’s privacy rights and for parents’ rights to make informed decisions.
But who do you think should be ultimately responsible?
Kid with phone image courtesy of Shutterstock.
ID armband image courtesy of Shutterstock.
Hi Lisa,
Do you know where parents can find a list of apps that are misusing children's information? I gather this would be hard to collate, since so few are transparent about the way they gather and use info. I had a look at the FTC report and, as far as I can tell, it does not identify any apps. It seems to me naming and shaming is exactly what's needed if we are to see companies lift their game in regards to protecting kids' privacy.