The study, which comes from researchers at the International Computer Science Institute in Berkeley, CA, analyzed 5,855 of the most popular free Android apps targeted at kids and families. The team found its results with an automatic test that detects how data is handled in Android apps.
Shockingly, a total of 57 percent of the apps studied appeared to be in potential violation of COPPA, the Children's Online Privacy Protection Act (COPPA), a 1998 law that looks to safeguard the privacy of users under the age of 13.
Part of the potential violations at hand include the nugget that 92 percent of the 1,280 apps that plug into Facebook's API may be using it for activities prohibited by COPPA.
Further, 19 percent of children's apps collect some kind of identifier "or other personally identifiable information" using software development kits (SDKs) whose terms of service say these programs shouldn't be used in children's apps.
And when it comes to collecting and sending user data, the study found that 2,344 of the 5,855 apps — that's 40 percent of them — did not use Transport Layer Security (TLS) for every transmission containing "identifiers or other sensitive information." Further, the amount of at-risk data is likely higher, as the study notes that it didn't examine if TLS was used correctly, only checking if it was there or not.
The study also discovered that 1,100 of these apps (that's 18.8 percent) send data using a software development kit that is not meant to be used with kids apps, and whose terms of service forbid it. Popular examples include the language learning app Duolingo, the infinite running game Minion Rush and the Disney puzzle game Where's My Water?.
“This study, by the authors’ own admission, does not claim to identify any actual violation of COPPA. Protecting children’s online privacy is very important to us and we are confident that our practices adhere to the law. We have a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families,” a Disney spokesperson said.
Scott Shackelford, associate professor of Business Law and Ethics at Indiana University's Kelley School of Business, and Cybersecurity Program Chair, at IU-Bloomington told us "This important study highlights the sad fact that tech companies are simply not doing enough to comply with the regulatory requirements Congress has put into place to help protect vulnerable, and impressionable, kids."
"It’s not a case here of not following the spirit of the law," he continued, "they don’t seem to be following even its letter." Shackelford sees the study fitting into our present conversation about social media: This should be a wakeup call to these developers, along with platforms like Google and Facebook that host them. It’s past time to treat privacy—especially for minors—as the human right it is.”
When we asked Shackelford if iOS is better for kids than Android, he said "No platform is perfect, but parents should be aware that, on average, iOS does have advantages in both privacy and security over Android."
Looking for help keeping your kids private? Shackleford advised being more proactive, "To really get ahead of the problem, though, parents should use software like FamilyTime to help keep a closer eye on the apps their kids are using, and make sure that private browsers and extensions—like DuckDuckGo and Privacy Badger—are the norm. Remember, the Internet is written in ink!”