Mobile apps and youth privacy

On Monday, the Federal Trade Commission (FTC) published Mobile Apps for Kids in which they reported the results of their recent survey of how well mobile apps for kids conform to Children’s Online Privacy Protection Act (COPPA) requirements.

The results were alarming: 59% of apps transmitted the mobile device ID (which includes among other things the app name, the app version number, the developer, a time stamp, the operating system, and the device model), 3% of apps shared geolocation, and 1% shared a phone number. 56% of these apps transmitted this information to ad networks, analytics companies, or other third parties. However, only 20% of the apps disclosed information about their data collection practices. Put another way, 80% of the apps are in violation of both the letter and spirit of COPPA (which requires that websites and/or online services that collect information from children must : 1. Provide notice of what types of information is being collected, how it is being used, and disclosure practices and 2. Obtain verifiable parental consent in order to collect, use, or disclose children’s data).

Why is this a big deal?

The information collected from these apps could be used to find or contact children because they collect geolocation and phone numbers. Remember the uproar when the iPhone was secretly tracking and storing your every move? This, I would posit, is even worse. These apps are tracking children’s activities across different apps without their parents’ knowledge or consent. The information collected was often transmitted to advertising networks with no disclosures as to why the advertising networks needed it or how they would use it. Such tracking builds profiles of children (their likes, dislikes, browsing habits, etc.) for insidious forms of marketing. This is analogous to the tracking and advertising that happens on the web – of which most adults are unaware. Through such tracking, advertisers can build very accurate profiles of children to “push” advertising—it’s a generally subconscious and powerful form of tracking and marketing and one that we should be protecting children from until they have the cognitive capabilities to resist such influences.

I don’t know about you but I don’t trust tracking and ad agencies and undisclosed third parties.

What can we do about it?

If you are a parent, you can’t do much about it. Remember that 80% of the apps provided no disclosure about the fact they were collecting data so it’s not like you can discriminate between apps that send this information and those that don’t (unless of course, an app explicitly states that they don’t send this information).

We need to put pressure on app developers to provide appropriate disclosures. Reuters reported that the “Association for Competitive Technology, which represents more than 5,000 small and medium-sized app developers, said developers were often unsophisticated about legal obligations but that the group held workshops and boot camps to train them in best practices.” Ok sure, they may be unsophisticated about legal obligations; however, this statement suggests that developers seem to have little concern about the ethics of collecting and sharing data from minors.

A coalition that includes the Application Developers Alliance, the ACLU, and the World Privacy Forum has been working on standardizing a short-form notice for app privacy disclosures. Of course, the advertisers aren’t too keen on this and are trying to come up with their own self-enforcement policies.

Lastly, we need to support the FTC in expanding their enforcement of COPPA to include geolocation and personal identifiers such as device IDs. Many have argued that COPPA is outdated and this is yet another instance that emphasizes this point.

Image credit: ohmeaghan http://www.flickr.com/photos/ohmeaghan/6014480823

Tags: apps, mobile, policy, privacy, youth