Google in hot water over privacy of Android apps for kids

A report accusing large numbers of child-centred Android apps of potentially breaking US law? It’s the sort of finding that even a company of Google’s almost unassailable power can’t ignore.

The trouble started a week ago when International Computer Science Institute researchers published Won’t somebody think of the children? Examining COPPA Compliance at Scale, a reference to the Children’s Online Privacy Protection Act of 1998 which protects under-13s.

After analysing 5,855 Android apps that claim to comply with the Google Play Store’s Designed for Families (DFF) program, researchers found what’s best described as a privacy and surveillance mess.

40% were transmitting personal information “without applying reasonable security measures” (SSL/TLS encryption), while another 18.8% were sharing data with third parties that could be used to identify children and their devices for profiling.

Almost one in twenty were sharing personal data, such as email addresses and social media profiles, with third parties without consent. The long and short of this:

Overall, roughly 57% of the 5,855 child-directed apps that we analyzed are potentially violating COPPA.

The underlying problem appears to be the Wild West of third-party software development kits (SDK) which have privacy-protecting settings turned off or ignored – even, in some cases, when the terms of service of SDKs prohibit such a thing in apps designed for children.

It appears Google’s much-vaunted DFF program is big on promises but weak on the kind of enforcement that might hold app developers to account. Making the matter worse…

Google already performs static and dynamic analysis on apps submitted to the Play Store, so it should not be hard for them to augment this analysis to detect non-compliant entities.

Not to forget that it’s just over a year since Google threatened to remove apps that breach its general privacy terms and conditions.

A few months ago, this report might have attracted a few headlines and then been submerged by a tide of new stories and quickly forgotten. However, its publication only weeks after Facebook found itself hauled up for its privacy design, means that’s unlikely to be the case.

It’s not as if this is the first bunch of apps researchers have found problems with in terms of privacy and security and yet, unusually, Google felt compelled to issue a holding statement:

Protecting kids and families is a top priority, and our Designed for Families program requires developers to abide by specific requirements above and beyond our standard Google Play policies.

We’re taking the researchers’ report very seriously and looking into their findings. If we determine that an app violates our policies, we will take action.

Google, then, is going to look into the issue of app compliance with DFF and perhaps how this affects COPPA too.

The problem with this response is that it all sounds a bit like Facebook’s way of dealing with years of privacy complaints – kick the problem down the road but leave the model that caused it – self-regulation – untouched.