Thousands of free apps available in the Google Play store are potentially violating a major federal data-privacy law intended to protect children from online tracking, according to a new study published by researchers affiliated with the International Computer Science Institute.

"These problems are rampant, and it's resulting in kids being exposed to targeted advertising and automatic profiling that could be illegal," said Serge Egelman, who co-authored the report and works as the director of usable security and privacy research at ICSI, which is connected witih the University of California, Berkeley.

The study, titled "'Won't Somebody Think of the Children?' Examining COPPA Compliance at Scale," was published online this week in the scholarly journal Proceedings on Privacy Enhancing Technologies.

The researchers' findings highlight rising concerns over companies' widespread collection and sharing of sensitive user information, often for advertising purposes. The issue has been in the headlines this week, as Facebook CEO Mark Zuckerberg was grilled by Congress over data-privacy issues and more than 20 consumer-advocacy groups filed a federal complaint against YouTube for its data-collection and ad-targeting practices involving children.

But the study also highlights ongoing uncertainty over the scope of the Children's Online Privacy Protection Act, commonly known as COPPA.

Rampant Issues

That law guided Egelman and his fellow researchers as they developed a new automated process to review the inner workings of 5,855 popular Android apps that were marketed for families and children via the U.S. Google Play store between November 2016 and March 2018. Their focus was on determining if the apps were engaged in potential violations of COPPA, which limits companies' ability to collect and share sensitive online information about children under 13.

The researchers found:

5 percent of the apps included in the study collected users' location or contact data (such as phone number or email address) without first obtaining parental consent.

1,100 of the apps (19 percent of those studied) shared sensitive information with third-party services whose terms of service explicitly prohibited their use in children's apps, likely because they are engaged in behavioral advertising.

2,281 apps (39 percent of those studied) appeared to violate Google's terms of service regarding the sharing of persistent identifiers (which provide unique information that can be associated with an individual over time and across platforms, apps, or devices.)

40 percent of the apps in the study shared users' personal information via the internet without applying reasonable security measures.

Of the 1,280 apps included in the study that integrated with Facebook, 92 percent did not correctly utilize the company's configuration options in order to protect users under 13.

Among the apps implicated by the researchers for potential COPPA violations were the popular language-learning app Duolingo and a suite of "Fun Kid Racing" games made by a company called TinyLab. (A full list can be searched here.)

All told, about 57 percent of the apps that were analyzed were potentially violating the law, the researchers concluded.

The numbers were not appreciably better for apps that were certified to be COPPA-compliant via an industry self-regulation program known as Safe Harbor, the researchers said.

They took pains to note, however, that their study does not claim definitive legal liability for the makers of those apps.

In addition, a COPPA expert consulted by Education Week questioned whether the law actually applies to many of the mobile apps included in the study.



A spokesperson for Google did not immediately respond to a request for comment.

"This is an important study because it sheds light on the invisible background collection of information about users that many people in education are not aware of," said Douglas A. Levin of EdTech Strategies, a consulting group that has looked closely at the issue of ad-tracking on school district and state education websites.

"It would be warranted for the Federal Trade Commission to pursue these findings and make a clear statement about the legality of this kind of tracking," Levin said.

Increased Attention on COPPA

As data-privacy concerns in K-12 education have heated up, the Children's Online Privacy Protection Act has drawn increasing attention.

The law regulates third-party operators of websites, mobile apps, and digital services that collect information from online users who are younger than 13. In a nutshell, the law requires those operators to notify parents and obtain their consent before collecting information on children; allow parents to review their children's information and request that it be deleted; and let parents opt out of further data collection.

Big picture, the aim is to give parents more control over what information is collected from their children online.

But there are many gray areas under the law, as Education Week explored in-depth last summer.

Amelia Vance, the director of education privacy at the Future of Privacy Forum, a Washington think tank, said many of the companies included in the ICSI analysis may not legally be subject to COPPA, which only applies to online services that are either "directly targeted" to children under 13 or have "actual knowledge" of users who are under 13.

"The Federal Trade Commission has interpreted [those terms] fairly strictly," Vance said. "The vast majority of companies don't reach that standard."

The FTC has in the past levied fines and penalties on a number of companies for improperly collecting personal information from children.

But the process of manually searching for COPPA violations is generally "painstaking," the ICSI researchers wrote in their new study.

That's why the new automated techniques the researchers employed are so significant, Egelman said.

Essentially, the researchers retrieved apps from the Google Play store and installed them on phones running a version of Google's Android operating system that the researchers had customized with their own automated observation tools. Using simulated user data, the researchers watched how the apps functioned, collecting and storing detailed data about what sensitive user information the apps accessed and what information they transmitted to third parties.

That process allowed the researchers to "monitor actual program behavior in real time and at scale," by examining "how often and under what circumstances apps and third-party libraries access sensitive resources," according to the study.

Anyone, including the FTC, can use the techniques, Egelman said.

"All our data is publicly available," he said. "It comes down to resources and incentives to act."

'No One Really Cares'

Indeed, Egelman described a lack of will among all parties as the major barrier to better protections for children's online privacy.

Mobile app developers appear to be quite sloppy when determining whether third-party services are protecting children's information, he said. In turn, those third parties don't appear to be checking whether they are receiving children's information from the apps they integrate with. And Egelman said big companies such as Google and Facebook often aren't taking even the most basic steps to try to limit others' collection and sharing of children's information on their platforms.

Ultimately, he said, "the reason why no one really cares is because there's no enforcement."

But that's where things can get tricky.

Take, for example, Duolingo. The popular language-learning app claims 200 million users and markets itself to schools, but does not ask Android users their age and says it is not targeted to children under 13.

Egelman and his team say it was among the 1,100 apps that sent improper persistent identifiers (in Duolingo's case, the serial number of the mobile phone on which the app is being used) along to a third party that specifically prohibits developers from using its advertising service in apps for children.

"While we cannot definitively know whether or not those third parties are using the information for COPPA-prohibited practices, such as behavioral advertising, their terms of service and privacy policies suggest that violations are likely," the study says.

But in an emailed statement, a spokesman said "Duolingo is an online service directed at a general audience"—indicating that the company does not believe it is subject to COPPA, even though it apparently opted in to the Designed for Families section of the Google Play store.

The spokesman also noted that the third-party service it shares information with is to fix bugs and provide data on crashes, not advertising.

Such confusion makes it difficult to determine the nature and the scope of the legal exposure for the apps included in the ICSI study, said Vance of the Future of Privacy Forum.

But from a practical perspective, said Levin of EdTech Strategies, the researchers have highlighted just how significant the children's-online-privacy challenge is in the mobile age.

"We know that young children are increasingly relying on mobile apps—even services that may not have expressly been designed for them—for learning," Levin said.

"When their children are using those apps, parents should have a reasonable expectation of privacy."

See also:

Follow @BenjaminBHerold for the latest news on ed-tech policies, practices, and trends.