Angry Birds is so 2009, you might say. “I haven’t played Angry Birds since 2012, at the latest,” you might insist. It doesn’t matter. Angry Birds is still part of your life.

As the first wildly successful mobile game, it’s an avatar for the way our understanding of what’s private and what’s personal has collapsed in the past decade. It’s not the only mobile game that’s sucked away intimate information, and it’s not the worst offender, but it was the first global hit. It was a Trojan horse — the first colorful, fun, utterly unthreatening game that was downloaded onto a billion phones, and the start of a decade of downloading free apps without having any real idea what they were getting from us.

A Pew study published this January found that 76 percent of Americans knew basically nothing about Facebook’s tracking and targeting policies, even though other research shows that most people understand that they shouldn’t trust the company. (Researchers at Georgetown University and NYU recently named it one of the least trusted American institutions, across political parties.) If the tactics of even the largest, most public, most well-documented violator of our privacy are a black box to the average person, what do most of us know about the tactics of, say, a Finnish game developer?

Though it doesn’t often come up and is confusing to think through, almost every app on your phone is full of third-party advertising intermediaries — at a minimum, ad software owned by Facebook or Twitter or Google, but often a couple dozen other companies you haven’t even heard of, as well. This includes game apps as innocuous if obnoxious-seeming as Angry Birds and its descendants, like Fruit Ninja (by the Australia-based Halfbrick Studios) and Candy Crush (by Malta-based developer King). These third parties collect information that allows them to keep intricate histories of your behavior, and use it to make money from you in ways you might not expect or even see.

Rovio and its peers may not even know exactly what they’re collecting about their users

The way mobile games collect information about their users, and the details of what type of information they’re collecting, remains incredibly opaque. To some extent, Rovio and its peers may not even know exactly what they’re collecting about their users or how the data is being exploited, thanks to the way software has evolved in the smartphone era. Mobile games are full of other companies’ code, a more efficient way of creating something cheap and functional and cute than building it from scratch.

The fact that it’s all so confusing is kind of the point, obviously. And as a result, mobile games have escaped the level of scrutiny we’ve applied to social media companies, despite being — as a category — nearly equally popular and far more likely to be used by children.

“When the whole Cambridge Analytica debacle happened, I read about that, and I think a lot of my colleagues and I thought the same thing: Why are people so upset?” David Nieborg, a gaming researcher and political economist at the University of Toronto, tells Vox. “The gaming industry has been doing this for a long time, only for a different goal: just to make a lot of money.”

Rovio was founded in 2003 by a group of students at the Helsinki University of Technology in Finland and created 51 unsuccessful apps before it created Angry Birds, released just before Christmas in 2009. That part is history. Everyone got it; everyone played it. It was a source of some concern, mostly around children making in-app purchases without their parents’ knowledge (aided by Facebook’s willful ignorance), but cheap games were such obvious things to download when you got your first smartphone that most people did it. As long as they don’t look openly scammy, they seem harmless.

In 2014, Edward Snowden leaked classified documents detailing many of the ways the National Security Administration was exploiting commercial data collection. Angry Birds was named as one of the “leaky” apps it used to access private information. But the scandal didn’t seem to stick.

Something as vague and banal-sounding as “gameplay data” is not as obviously salacious as the types of personal data collection we know we should be scandalized by. Nobody’s getting your Social Security number from Angry Birds. Nobody’s getting your private messages.

“With Facebook, you’re putting a lot more clearly personal information out there, and with a game you’re not really sure what it’s getting from you”

“With Facebook, you’re putting a lot more clearly personal information out there, and with a game you’re not really sure what it’s getting from you,” says Chris Hazard, an engineer with experience in gaming and AI, currently the CTO of a startup called Diveplane. “It’s not as front and center.” Basically, it’s not obvious that data about how you play a mobile game can be as useful and as personal as your wedding photos or a rattled-off screed about the Democratic National Committee.

But people should be worried. The intricacies of gameplay data can tell you a lot about what makes people tick, and what’s going on with them — studies have shown that you play games differently when you’re depressed, or dieting. “Nobody gets too upset about games,” Nieborg says. “But the underlying technology is really powerful. These people are really pushing the technology to the limits where the potential for abuse is massive.”

Developers collect data on who was playing, for how long, how well, and how much money they were spending. It doesn’t seem like sensitive information, and it’s useful mostly because it helps developers target their Facebook ads to find more people who will “monetize well” on these games. It’s a characteristic they’re incentivized to consider flatly, extracted from any ethical considerations of whether that sort of person ought to be marketed to. For instance, if the person spending hours playing a game where you fling upset cartoon birds was, in fact, a child, or someone who struggles with gambling addiction or impulse control, or is otherwise vulnerable. Facebook finds Angry Birds a new user and collects its check. Angry Birds finds users that will spend enough money to offset the cost of being found. It’s a good deal all around.

Using purely hypothetical numbers, Nieborg explains: Maybe a mobile game developer figures out, from the data they’ve collected, what type of person is likely to spend $150 a month in their game. They take that information to Facebook and pay Facebook $100 to find more people similar to that one. It sounds like a lot of money for one user, but it’s a pretty safe investment, and it gets safer the better you understand people.

“There’s a massive incentive to know a lot about your players,” he says, and the “dark twist” is that “If you can do this for a games company and you’re really good at it, you can [then go] start working for other companies that have less trivial goals than just selling digital gems to people.”

The average free game has at least one, and sometimes as many as 10 advertising intermediaries built into the game that track every move you make and additional purchase you contemplate, according to Nieborg. “If you’re interested in the data question, [Rovio is] not my worst fear. What I would be way more scared about is the hundreds of advertising intermediaries that can be in any country.”

So what do these third-party advertisers do that’s so bad? A study conducted last year by security researchers at UC Berkeley gives us some insight.

The study focused on children’s privacy and resettable advertising IDs —the string of numbers and letters that identify you and keep a log of your clicks, searches, purchases, and sometimes geographic location as you move through various apps — in contrast with non-resettable, persistent identifiers. Phone security experts recommend regularly resetting it to limit advertisers’ ability to track you. (You can do that in the Advertising section at the bottom of the Privacy settings on an iPhone, or in the Ads menu in the Services section of an Android device’s settings.)

The study found something alarming: Of 3,454 children’s apps that share resettable advertising IDs, 66 percent were sharing persistent identifiers as well. You could reset the advertising ID every 20 minutes on the device your child is using, if you wanted to, but it wouldn’t do anything to clear their history. The only way to reset that device ID is by factory-resetting the phone or tablet and starting from scratch. More importantly, the study found that 19 percent of children’s apps contained ad-targeting software with terms of service so predatory that they’re not even legal to include in apps designed for children. Kids under 13 aren’t supposed to be tracked between apps at all, especially for advertising purposes, and especially as part of a permanent history of their digital lives.

Advertisers would argue that all this information is anonymous, but a recent New York Times investigation found that it’s shockingly easy to de-anonymize, and that hundreds of apps collect “anonymous” real-time location data that needs only the slimmest additional context clues to tie to an individual person. (E.g. the phone goes to and from this house and this law office every day, or this house and this fourth-grade classroom. The NYT reporters even found the president using maps they pulled from two data brokers.)

Joel Reardon, a security researcher at the University of Calgary, explains the problem to me. There are horror stories, he says, listing a few openly exploitative app makers and egregious security loopholes. Rovio isn’t like that. It’s average. That’s why it’s so interesting.

Rovio, like basically all mobile games and most apps, built its code with a patchwork of things that already existed. It uses the ad platform Vungle to serve ads, so Vungle’s code (or software development kit) is written into the game and starts running as soon as you open it. It needs Unity, a game engine, to make the game run. It needs Twitter, Facebook, and so on. None of these things are inherently bad, but none of these companies are going to let Rovio look at their code — they’re only giving it a binary decision to include it or not include it, to opt in or opt out. Kind of like the choice that you’ll make later on about whether or not to download the game, except Rovio stands to make a ton of money and you don’t.

Rovio has deals with 43 data controllers and processors, including 14 advertising intermediaries

Rovio’s privacy policy lists all of the places it sends data. The company has deals with 43 data controllers and processors, including 14 advertising intermediaries. Three of them were identified in the Berkeley study as extremely likely to be violating the Children’s Online Privacy Protection Act (COPPA), and are currently being sued by New Mexico Attorney General Hector Balderas: Twitter and its ad platform MoPub, Google and its ad platform AdMob, and several other companies, including ironSource, a major adware company based in Israel.

“As the developer, you may be obliged to read through the Terms of Service of these third-party software providers and see if they’re compatible with your Terms of Service,” Reardon says. “You’re basically absorbing all of them, and that amalgamation is effectively the real terms of service that the user is facing.” But nobody does that.

This February, a follow-up study at UC Berkeley found about 17,000 Android apps that were collecting not only advertising IDs but all kinds of permanent device IDs, which can’t be reset. They can be combined to create activity histories more intimate and accurate than your own memory, and tell advertisers how you act in thousands of possible situations. They’re far more unshakable than the cookies that follow you across a web browser, and for that reason, they’re often referred to as “fingerprinting” technologies. This type of tracking isn’t allowed in the Google Play store (or the App Store), but Google doesn’t have a ton of incentive or even ability to enforce that policy. Google told CNET that it can only really know what kinds of information are being sent to its own ad platform.

Angry Birds was one of the apps sending these permanent IDs, according to the study. The company declined to comment directly on the report, saying only, “Rovio has spent considerable time and effort in creating its own in-house technology team that constantly reviews the code Rovio distributes,” and, “We strive to vet our partners carefully.”

A spokesperson for Rovio tells Vox that Rovio games use only the resettable advertising IDs provided by Apple and Google, and don’t include third-party advertiser software development kits, but the recent Berkeley study said otherwise. I ask Reardon to double-check, and he sifts through the source code of the latest version of the Angry Birds flagship app. Just as before, he finds several third-party software development kits, including those for Facebook and Vungle.

When I ask Rovio again, a spokesperson revises. The company has “always preferred” to use more transparent server-to-server connections rather than include third-party software development kits directly in their games, but that’s “not an option that is always available nor possible.”

Typically, if you were asking questions about what data was being collected by a mobile game and how, you would not have the option — as I did — to email a security researcher and have him poke around in the code for you on a moment’s notice. You would just not know. This is the point!

Google is incentivized to regulate the Play Store for Android apps to some degree, but since it’s in the advertising business itself, there’s a limit to that. And it relies heavily on third-party security researchers to uncover unsavory behavior and report it. Apple has been hawking privacy as one of the signature features of the iPhone for years — and particularly aggressively in the past few months, leading up to the launch of the first Apple credit card — but it doesn’t talk too much about the fact that the cut it takes of in-app purchases in games like these is a sizable chunk of its revenue.

The way all these games look — as if they should be totally fine for a kid to play — adds another layer to the problem.

COPPA, passed in 1998, protects children under the age of 13 from being tracked by advertisers, and makes it explicitly illegal to apply any kind of “persistent identifier” to a child. Children can’t be tracked across sites, or across apps, their device IDs can’t be stored, and no personal identifying information of any kind can be collected without explicit parental consent.

But the Federal Trade Commission has not enforced COPPA with any kind of uniformity. It has levied fines on a handful of companies, but it has also gone along with Google’s argument that children don’t use YouTube. A spokesperson declined to comment on whether the agency believes COPPA applies to Rovio.

Rovio’s current privacy policy insists that it does not know the age of its players unless they access a game through a Facebook account, which more or less means they can slip through the cracks. Its games are for “all ages,” even if its film, TV, and lifestyle brand empire is for 4-year-olds, and if it doesn’t have, according to the law, “actual knowledge” that its users are under the age of 13, it doesn’t have to build its data collection policies around those users.

“The FTC has been so lax in enforcing COPPA, it has effectively eviscerated the law through a lack of enforcement.”

Before the company went public on the Helsinki Stock Exchange in 2017, the company released a circular that expressed some intention to abide by COPPA, but was non-specific about which of its dozens of games it considered subject to the law. Contacted for comment in March, Rovio declined again to provide a clear list of the games that it considers subject to COPPA, and a spokesperson told Vox in an email, “Rovio recognizes that certain of its older and simpler games (e.g. the original Angry Birds Space, Bad Piggies and Angry Birds Go!) may be more appealing to children and as such, may be subject to COPPA.” Asked again to be more specific, a spokesperson responded, “As alluded to in the previous response, Rovio carefully analyzes its game portfolio in terms of whether the games are subject to COPPA or not.”

“The FTC has been so lax in enforcing COPPA, it has effectively eviscerated the law through a lack of enforcement,” Josh Golin, executive director of the Campaign for a Commercial-Free Childhood, tells me. Angry Birds shares in that legacy, he says, by way of signaling to the rest of the industry that you can get away with circumventing the law.

There is some optimism about the future of online privacy — mostly if you believe the FTC will start bringing down heavy fines on the world’s biggest tech companies, not just individual apps that spark its attention, and that we can all be made to understand what’s been going on in this candy-colored decade of free-to-play time wasters. In March, Sens. Ed Markey (D-MA) and Josh Hawley (R-MO) announced a plan for a bipartisan measure to expand the protections of COPPA. It would raise the age of the law’s privacy protections to 15, and create an “eraser button” that would allow a parent to remove all of a child’s data from any given service. It would also, crucially, create a new division within the FTC focused on youth privacy.

Then again, the point of COPPA is to prevent children from becoming commodities before their time. It’s pretty much accepted that when they grow up, they’ll have to face the music and be tracked like the rest of us — be that at age 13 or 15 — inside a system that is most profitable when it is the most invasive and regulated almost solely by other giant tech companies, and only when it protects their own interests.

“None of us asked for your data. But we have it anyway, and forever.”

Even game developers who want to behave ethically can struggle to do so in an ecosystem shaped so rigidly by Facebook’s way of doing things. Last March, game developer Ian Bogost wrote a mea culpa in the Atlantic about Cow Clicker, a game he made in three days in a loft in Greenpoint in 2010. He didn’t initially realize that it was extracting entire Facebook profiles from everyone who played it, and shut it down himself when he discovered it was, but he says he didn’t even know what he was supposed to do with all the data he had.

“Hundreds of thousands of creators of dumb toys, quizzes, games, and communities that might never have intended to dupe or violate users surely did so anyway, because Facebook rammed their data down our throats,” he wrote. “On the whole, none of us asked for your data. But we have it anyway, and forever.”

The original Angry Birds — the first of nearly two dozen games Rovio has created using the Angry Birds “characters” — was downloaded for the billionth time in May 2012, five months before Facebook would hit a billion active users. The mobile gaming industry is now worth tens of billions of dollars per year, and Rovio alone brought in $297 million last year ($248 million from games, most of the rest from brand licensing.)

But in February 2018, Rovio’s valuation dipped to $500 million, half its worth when it went public. “The irony of history is that Angry Birds never fully mastered the free-to-play model,” Nieborg says. “What they did so well is they monetized their intellectual property; the Angry Birds brand is so iconic and smart and translates globally. One thing they did really well was old-school, media industry intellectual property, just like Disney.” People just love those mad birds.

This year, Rovio plans to spend about 30 percent of its games revenue on enticing new users, just as it did last year. That involves, if it’s not obvious, a lot of data.

The business model that holds up the mobile gaming industry, digital advertising, and most major social media platforms is persistent and ravenous, very good at holding on to the information you’ve given it and even better at finding ways to enrich that information and keep it fresh, even after you’ve moved on to a different app. In other words, you may be over the phase of your life that involved Angry Birds, but Angry Birds isn’t over you.