Thousands of apps are illegally collecting data about kids

In the U.S., privacy legislation is supposed to protect kids from having their personal data collected and shared. But a new study found that more than half of apps directed at children potentially violated those privacy rules.
A child records a video with a smartphone. (Nicolas Asfouri/AFP/Getty Images)

In the U.S., privacy legislation is supposed to protect kids from having their personal data collected and shared. But a new study found that more than half of the apps they looked at, which were directed at children, potentially violated those privacy rules.

The study was led by the International Computer Science Institute at the University of California, Berkeley, which profiled thousands of popular apps targeted at children that are part of Google's "Designed for Families" program.

According to the Children's Online Privacy Protection Act, or COPPA, apps and websites intended for users under 13 should protect kids from advertising and overreaching data collection under U.S. privacy laws. Though the legislation is U.S.-based, all apps available in the U.S. must comply, including those also available in Canada

"It's one of the only strong privacy laws that the United States actually has," says Joel Reardon, a University of Calgary researcher and one of the authors of the study.

Joel Reardon is an assistant professor at University of Calgary. (Joe Pavia/CBC)

The problem is that off-the-shelf components used by software developers to enhance their products don't distinguish between underage users and adults thanks to a loophole, the study found.

Instead of restricting what data is collected, Reardon says, "[developers] will simply have in their lengthy terms of services … this cannot be used by children under the age of 13...Then you can claim you're not responsible."

Deep-dive into code

Software development kits (SDKs) used to create apps, like the ones analyzed in the study, provide developers with an easy way to build in certain elements, like support for ads. Incorporating these kits is common practice. "Reusability is a key component of good software design," he says.

The concern stems from when — and what — SDKs are used.

Uniquely yours

Unique identifiers are used to track your behaviour across apps and websites. This allows ad companies to serve you advertisements that may be of interest.

While some companies, like Google, have their own codes, others, use your phones IMEI, or International Mobile Equipment Identifier.

"In the United Kingdom it's illegal to change the IMEI of a phone. There is a legal process to change your name, but not a legal process to change your phone's IMEI," says Reardon.

"This is a very personal number that shouldn't really be used for the purposes of advertising."

Still, the UC Berkeley study found 10 per cent of apps were accessing this number.

COPPA bans internet services from attaching a unique identifier to a user for the purposes of behaviour-based advertising. SDKs that serve ads rely on these identifiers in order to monetize their service and provide revenue to developers. "We found more than half of [the apps] sending persistent identifiers, almost all of them were communicating to various internet companies," Reardon says.

Those unique identifiers are sent to ad delivery companies to micro-target advertisements based on your behaviour. Not only did those components track users' behaviour to target advertisements, they kept tabs on where users were, despite the intended age group. "We found a number of apps that were sending location and interestingly we found a number of apps that seemed to be hiding it," he says.

Worrisome, not nefarious

While the findings might be worrisome, Reardon suggests that app developers aren't intentionally harvesting data from underage users or trying to circumvent COPPA.

"We have a feeling that these developers are simply either misusing the libraries ... or in the case of including the wrong libraries, simply not reading the terms of service that says that this particular library can't be used for advertising to children," he says.

We've made this bargain for our children- Joel Reardon

Still, the sheer number of apps that are non-compliant with the legislation was surprising to Reardon, especially in the case of one app from Disney that was downloaded as many as 500 million times.

Avoiding these violations is possible, though not without changes.

Granular privacy settings that give users control over what parts of an app get access to data, like location services and unique identifiers, is one option. "Of course, nobody wants to manage these permissions individually," Reardon says. So he's working on an algorithm that might one day better understand what components need access to what based on specific cases requiring less user input.

But a more radical change would overhaul the app economy. Reardon believes we should reconsider our reliance on advertising as a way to monetize apps. In order to use apps for free, we've "negotiated" a "bargain," he says.

"As a result, we've made this bargain for our children."


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?