Report finds more than half of Android apps for children are in violation of COPPA


A new study titled Proceedings on Privacy Enhancing Technologies has found that more than half of Android apps directed toward children under 13 potentially violate the US Children’s Online Privacy Protection Act (COPPA), as reported by The Guardian. Additionally, the study — led by researchers at the International Computer Science Institute at the University of California, Berkeley — says the apps that are improperly collecting and sharing data are all included in Google’s Designed for Families program.

The study looked at 5,855 child-directed apps, and the researchers said they “Identified several concerning violations and trends.” According to the study, 4.8 percent had clear violations surrounding sharing location or contact information without consent, 18 percent shared identifiers for ad targeting, 40 percent shared personal information without proper security protocols, and 39 percent disregarded “contractual obligations aimed at protecting children’s privacy.”

In total, 28 percent of the apps accessed sensitive data protected by Android permissions, and 73 percent of the apps transmitted said sensitive data over the internet. Some of the apps named in the report include KidzInMind, TabTale’s “Pop Girls–High School Band,” and Fun Kid Racing.

While Google’s Designed for Families program provides developers with information on COPPA and says it requires that they certify compliance, enforcement does not appear to be thorough. The report notes that while developers and SDKs have a financial incentive to ignore violations (restricting data collection results in lower revenue), its authors suspect that “many privacy violations are unintentional and caused by misunderstandings of third-party SDKs.”

COPPA was enacted by Congress in 1999 and was created in order to protect the privacy of children online. The act requires that companies designing apps for children under the age of 13 obtain consent from parents before collecting personal information. In 2013, the FTC revised COPPA to also include geolocation markers, IP addresses, and a mandate that third-party advertisers comply with these rules as well.

This is far from the first time child-directed apps have been found in violation of COPPA. Last year, a federal class action lawsuit was filed against Disney, alleging that 42 of its apps were collecting and sharing data with advertisers without parental consent. A similar complaint about selling information on underage users to advertisers was also levied against YouTube last month. In January, VTech Electronics — the parent company of popular educational brand LeapFrog — agreed to settle for a fine of $650,000 after charges that it violated children’s privacy.

Comments

There is a reason why families who can afford them prefer iOS devices for their kids. I was tired of finding my 7-year-old watching violent videos on YouTube Kids which was supposed to be a safe app for him. After reading about porn apps sneaking into the children’s section of Android App Store, my wife deleted all Google-made apps on our son’s iPad. Even though we don’t use Android, we can’t trust Google’s algorithms to protect our child’s privacy.

Use the parental controls, and install apps that you test yourself. I would never rely on Google, Amazon, Apple, Microsoft, or any other tech company to provide curated content to my kids.

My kids use Amazon Kindles, with parental controls pretty much restricting their every move. I find it even better than iOS’s parental controls. It’s actually sad that Microsoft’s Windows Phones died, because they had this thing called Kids Corner, which allowed you to select apps installed on the device that you wanted them to have access to. You could launch Kids Corner, hand your phone to them, and the only thing they could do is access apps you allow into Kids Corner. Too bad they didn’t get developer support, it was really ahead of its time:
https://binged.it/2H4Bg8j

Yep, people use tablets as babysitters, and then complain when they fail to monitor what their kids do with it.

The Kindle Fire has better controls for parents than iOS. Much cheaper too.

I know, Kindle Fire is a good affordable option for parents. In our case, we pass our older iPads to my son. It’s also not possible to find things like Osmo products for anything but iPads.

I’m not attempting to be trolly or fan-boyish here, but I am genuinely curious why this study only looks at Android. Did they check iOS as well? Does Apple not allow the same access to this kind of data for studies of this nature? Obviously, this appears troubling and app developers should be adhering to the necessary laws, but I’m curious if this is a cross-platform issue or not.

If you read the Guardian article, it’s clear that 28% of the apps were able to access sensitive information that is supposed to be protected by Android permissions. 73% of the apps transmitted sensitive data over the internet.

The point being, Android security is severely lacking and the Android ecosystem as a whole has a complete disregard for user privacy. News of this sort is a shock to exactly nobody that is reasonably tech savvy and follows this industry.

I read that to say that apps were accessing sensitive information that is supposed to be protected by Android permissions by asking the children for it and not the parents, not that these apps were somehow circumventing the Android permission system to access this information. The article says that Google has a process for providing information about local laws to developers and letting them know when they may be in violation of COPPA, but clearly isn’t doing enough to enforce.

How does Apple handle apps like Pokemon Go, that rely on location data and send it out on the internet? If a 12-year-old wants to play, does it tell them to ask their parents’ permission before enabling location access and prevent them from enabling it on their own? I know Google has a system for parents to institute parental controls on their children’s phones, but I’m not sure how widely available/used it is.

I don’t know… if information is supposed to be protected by OS permissions… but is not, it’s hard to read that any other way.

Regarding parental controls, yes, iOS has them as well. I think it’s a reasonable expectation for parents to set up a device or an account used by a child with the appropriate controls and settings in place. If they are set, there is an expectation that they are enforced.

From what I’ve seen the permission system in iOS remains far more robust than the Android one and Apple is far ahead in terms of modifying the permission system to prevent access to sensitive data.

Really? If I don’t want Venmo to access my contacts I can click Deny and the app will still work. A lot of restrictions on iOS are exactly the reason I can’t use it. I need a real file system, background apps that don’t die after 10 minutes and I’d like to record myself speaking while derping around other apps. I don’t like artificial limitations on what I can do with my hardware.

I don’t think you have experience with iOS enough to comment on this. You don’t seem to understand the difference between a file system and a file browser. You don’t seem to understand how services work in iOS and how you can record yourself while using other apps, etc. iOS has indeed come from a more restrictive position. However, over the years, they’ve extended their capabilities, but in a way that is far more secure and even energy efficient than the Android equivalent.

I’ll ignore your ad hominems and get to the meat.

Facetime shuts off in background https://discussions.apple.com/thread/6813244

iPad killing background apps we desperately need to stay alive https://www.theverge.com/circuitbreaker/2018/3/27/17152482/ipad-pro-web-development-setup-how-to-terminal-apps#VsLukT

If you want to record yourself speaking while using other apps there is a really handy screen recording function that also allows you to record mic audio at the same time. Plus, audio apps are actually one of the best categories of apps vs what’s available on Android.

I love messing around recording music (midi controllers and guitar) and that’s stuff that Android just still doesn’t have. JamUp, mobile POD, BIAS all run in the background for more than 10 minutes.

The FaceTime camera feed pauses because the app you’ve opened either A) may want to use the camera, or B) shouldn’t have access to the camera. Background recording by apps is a big no-no for privacy reasons. There’s also split screening on the iPads where you can use FaceTime and other apps alongside it.

Background recording by apps is a big no-no for privacy reasons.

MacBooks do it, Windows PCs do it, Android does it, Linux does it. It’s not really "background" if there is a notification telling me about it. I hate Apple telling me what I can and can’t do. With Android, I don’t always root, because most things are doable without it. The only things I still need root for are running a Linux VM and opening ports under 1024 in the Servers Ultimate app, and I’m sure I’ll be able to do that without root in the coming years.

Well if you look at the Facebook data breach in any detail (i.e., beyond the headlines and first paragraph) you will see the most sensitive data was only stolen from Android devices (your messages, your phone calls etc) because between Google and Android they don’t really reinforce segregation between the apps. Apple does. An app on your iPhone cannot unilaterally decide to get access to your contacts, or location or photos. You have to agree, and Apple (not the app) enforces that.

With Android (until very recently) the App should ask permission but can ignore your response.

Absolutely no one should be surprised by this, and even if you LOVE Android and HATE Apple (which many many people do) that’s OK, but just understand what you’re signing up for.

The irony is that people choose Android for the reasons of ‘choice’… but choice is only choice when you’re actually free to choose, and that includes choosing not to transmit your entire life to the whole world.

The security model differences between iOS and Android are the blessing/curse of Android. It is less restrictive so can be less secure. That said, it can also be more secure under the right conditions.

The major point stands at – iOS is better for kids.

This is no different than PCs.

A PC is a computer made to be flexible. Because of this, you can do anything on it, including naughty stuff. Parents really need to stop blaming companies for their failure to be real parents.

Having said that, if Google wants to market their platform to kids, then they better get with the program. Maybe a nice class-action lawsuit, or some criminal charges, or massive fines would convince them that people are serious about their kids’ privacy.

If Google allows this stuff in their store, then they are responsible for it. They can’t pass the buck to developers. This is a company with billions, and they can’t seem to get this particular issue right. Seems that it should be a pretty simple thing for them to do.

If Google allows this stuff in their store, then they are responsible for it.

As much as I’d like to hold Google more accountable for this, your position on this isn’t exactly reasonable either. App reviews are largely automated for the most part. It’s unrealistic to expect Google to be accountable for every line of code of every third party app in their store.

Now, if you want to take the position that Google is responsible once they’ve been made aware of a situation, then I’d likely agree. The same applies for Apple. Both companies have had some forms of malware enter their store. There is no 100% foolproof method of preventing that. At best, you can rely on layers of security that will minimize the exposure or damage from such malware.

I think you’d be hard pressed to demonstrate your claim Android can be more secure "under the right conditions". At best, it can only hope to approach what iOS is already doing. As an example, as of this time last year, it was estimated that only 13% of Android phones are actually encrypted. Moreover, application sand-boxing is supposed to prevent the problems mentioned in this article. Yet, as the Guardian article stated, 28% of the apps were able to bypass it. etc, etc.
To your point, yes, the inherent flexibility of Android is both a blessing and a curse. The curse comes in the form of security and by extension, privacy.

Seems like this dovetails nicely with Vlad’s article about Android having an issue of trust.

Yea not a good week for Android

Is Android now rated PG-13?
