“Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale

@article{Reyes2018WontST,
  title={“Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale},
  author={Irwin Reyes and Primal Wijesekera and Joel Reardon and Amit Elazari Bar On and Abbas Razaghpanah and Narseo Vallina-Rodriguez and Serge Egelman},
  journal={Proceedings on Privacy Enhancing Technologies},
  year={2018},
  volume={2018},
  pages={63 - 83}
}
Abstract We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. [] Key Result Finally, we show that efforts by Google to limit tracking through the use of a resettable advertising ID have had little success: of the 3,454 apps that share the resettable ID with advertisers, 66% transmit other, non-resettable, persistent identifiers as well, negating any intended privacy-preserving properties of the advertising ID.

Figures and Tables from this paper

Angel or Devil? A Privacy Study of Mobile Parental Control Apps
TLDR
This is the first in-depth study of the Android parental control app’s ecosystem from a privacy and regulatory point of view and finds that these apps are on average more permissions-hungry than the top 150 apps in the Google Play Store.
Do You Get What You Pay For? Comparing the Privacy Behaviors of Free vs. Paid Apps
TLDR
There is no clear evidence that paying for an app will guarantee protection from extensive data collection, and the degree to which “free” apps and their paid premium versions differ in their bundled code, their declared permissions, and their data collection behaviors and privacy practices is investigated.
Do You Get What You Pay For? Comparing The Privacy Behaviors of Free vs. Paid Apps-Submitted to FTC PrivacyCon2019
TLDR
There is no clear evidence that paying for an app will guarantee protection from extensive data collection, and the degree to which “free” apps and their paid premium versions differ in their bundled code, their declared permissions, and their data collection behaviors and privacy practices is investigated.
On The Ridiculousness of Notice and Consent: Contradictions in App Privacy Policies
TLDR
Analysis of 68,051 apps from the Google Play Store, their corresponding privacy policies, and observed data transmissions, investigates the potential misrepresentations of apps in the Designed For Families program, inconsistencies in disclosures regarding third-party data sharing, as well as contradictory disclosures about secure data transmissions.
Are iPhones Really Better for Privacy? A Comparative Study of iOS and Android Apps
TLDR
It is found that third-party tracking and the sharing of unique user identifiers was widespread in apps from both ecosystems, even in apps aimed at children, and that neither platform is clearly better than the other for privacy across the dimensions the authors studied.
Share First, Ask Later (or Never?) Studying Violations of GDPR's Explicit Consent in Android Apps
TLDR
The first large-scale measurement on Android apps in the wild is performed to understand the current state of the violation of GDPR’s explicit consent and derive concrete recommendations for all involved entities in the ecosystem to allow data subjects to exercise their fundamental rights and freedoms.
The Price is (Not) Right: Comparing Privacy in Free and Paid Apps
TLDR
This work empirically evaluates the validity of this assumption that paying for apps could offer consumers protection from behavioral advertising and long-term tracking by comparing the privacy practices of free apps and their paid premium versions, while also gauging consumer expectations surrounding free and paid apps.
Longitudinal Compliance Analysis of AndroidApplications with Privacy Policies
TLDR
The discrepancies between the purported and actual data practices show that privacy policies are often incoherent with the apps’ behaviors, thus defying the ‘notice and choice’ principle when users install apps.
SkillBot: Identifying Risky Content for Children in Alexa Skills
TLDR
Although voice apps designed for children are subject to more policy requirements and intensive vetting, children are still vulnerable to risky content, and a new threat to users of VPA apps is identified: confounding utterances, or voice commands shared by multiple apps that may cause a user to invoke or interact with a different app than intended.
A Fait Accompli? An Empirical Study into the Absence of Consent to Third-Party Tracking in Android Apps
TLDR
It is found that most apps engage in third-party tracking, but few obtained consent before doing so, indicating potentially widespread violations of EU and UK privacy law.
...
...

References

SHOWING 1-10 OF 53 REFERENCES
"Is Our Children's Apps Learning?" Automatically Detecting COPPA Violations
TLDR
This work presents an ongoing effort to develop a method to automatically evaluate mobile apps' COPPA compliance, and finds several likely COPPA violations, including omission of prior consent and active sharing of persistent identifiers with third-party services for tracking and profiling of children.
Can apps play by the COPPA Rules?
TLDR
A design for a new framework aimed at helping mobile apps to comply with COPPA aims to simplify the process for developers by providing appropriate tools and mechanisms to help comply with the COPPA rules while presenting an easily understandable interface for parents to review, navigate, understand and then grant access to their children's personal data.
Identifying and Analyzing the Privacy of Apps for Kids
TLDR
The design and evaluation of a machine learning model for predicting whether a mobile app is designed for children is presented, which is an important step in helping to enforce the Children's Online Privacy Protection Act (COPPA).
Bug Fixes, Improvements,... and Privacy Leaks
TLDR
Study of privacy leaks from historical and current versions of 512 popular Android apps finds several trends that include increased collection of personally identifiable information (PII) across app versions, slow adoption of HTTPS to secure the information sent to other parties, and a large number of third parties being able to link user activity and locations across apps.
POCKET: A tool for protecting children's privacy online
Don't kill my ads!: balancing privacy in an ad-supported mobile application market
TLDR
A market-aware privacy protection framework that aims to achieve an equilibrium between the developer's revenue and the user's privacy on mobile phones, in response to advertisement generated revenue is designed and implemented.
Better the Devil You Know: Exposing the Data Sharing Practices of Smartphone Apps
TLDR
This mixed methods investigation examines the question of whether revealing key data collection practices of smartphone apps may help people make more informed privacy-related decisions, and designed and prototyped a new class of privacy indicators, called Data Controller Indicators (DCIs), that expose previously hidden information flows out of the apps.
Your Location has been Shared 5,398 Times!: A Field Study on Mobile App Privacy Nudging
TLDR
A study that evaluates the benefits of giving users an app permission manager and sending them nudges intended to raise their awareness of the data collected by their apps finds that these approaches are complementary and can each play a significant role in empowering users to more effectively control their privacy.
Children's Exposure to Mobile In-App Advertising: An Analysis of Content Appropriateness
TLDR
This research suggests that these challenges cannot easily be tackled by one entity and advertisement providers, advertising networks, app developers, and mobile platforms should collaborate in developing policies and mechanisms to monitor the content appropriateness of the in-app advertisements.
Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem
TLDR
An automated methods to detect third-party advertising and tracking services at the traffic level are developed and the business relationships between the providers of these services are uncovered, revealing them by their prevalence in the mobile and Web ecosystem.
...
...