Applications for children may be doing more than keeping kids busy, according to a new international study.
Researchers at the International Institute of Computer Science say that most popular free Android apps for children are inappropriately tracking information about children and violating the Children's Online Privacy Protection Act, or COPPA, a federal law that regulates the collection of data from users who are under 13 years old.
The study was published on April 6 and will be presented at the Symposium on Technologies for Improvement of Privacy in July.
The study analyzed 5,855 applications aimed at children, each of which had been downloaded an average of 750,000 times, the researchers said. Using a Nexus 5X phone, the researchers downloaded the main applications aimed at children from November 2016 to March 2018, running them for approximately 10 minutes to simulate a real user.
The study found that thousands of applications targeting children were collecting device data, some including GPS location and personal information. The study raises concerns for parents, who would need an expert's level of technical knowledge to work this out for themselves, said Serge Egelman, a co-author of the article.
"They are not expected to reverse engineer applications to make a decision on whether or not it is safe for their children," Egelman said.
Concerns about data privacy have come into focus in the wake of Facebook's Cambridge Analytica scandal, with people and legislators paying more attention to how much information technology companies have about them. YouTube, which is also owned by Google, was the subject of a complaint filed earlier this month in which privacy groups said it was also violating COPPA.
With applications, people often give permission for ad tracking in exchange for a free service. Applications for children are held to a different standard because of COPPA, and they are usually not allowed to track data without the explicit consent of the parents. The study found that many of these applications aimed at children were violating that law.
Up to 235 applications accessed the phone's GPS data, 184 of which transmitted the location of the device to advertisers, according to the study. These applications, which had 172 million combined downloads, were games like Fun Kid Racing and Kids Motocross – Winter Storm.
Fun Kid Racing alone has more than 10 million downloads, according to the application's page. The developer of the application, Tiny Lab Productions, said in an email that its applications are "aimed at families" and not at children, because "we see that adults and teenagers play our games." Players are supposed to enter their birth date, and if they are under 13, the application does not collect any data, said Jonas Abromaitis, CEO of Tiny Lab Productions.
"The researchers must have declared that they are over 13 years old while performing these simulations," he said.
Egelman denied that statement, and said that even if it were true, it was not relevant to the study. The simulated use was carried out by a machine pressing random buttons, the researcher said. It followed the FTC's requirement of "verifiable consent," which meant that developers had to take steps to ensure that people knew what information they were giving up.
"If a robot can click on his consent screen that resulted in data transport, it's obvious that a small child who does not know what he's reading will do the same," Egelman said.
More than 1,000 of the applications that the study analyzed also collected personal information, although Google's terms of service prohibit such tracking in applications targeting children. Google did not respond in time to a request for comment.
In 2014, Google allowed people to reset their Android advertising ID, which gave them better control over how online services track their data. Developers should use only that ID as a way to track user data, but the study found that two-thirds of children's applications do not allow people to reset that data.
The study also analyzed how the applications were transferring the data, and discovered that 40 percent of them did not do so securely.
Up to 2,344 children's applications that transferred collected data did not use TLS encryption, a security standard that ensures that the data and its recipient are authentic. The security measure is the "standard method for transmitting information safely," the researchers said.