A University of Texas at Dallas study of 100 mobile apps for kids found that 72 violated a federal law aimed at protecting children’s online privacy.
Dr. Kanad Basu, assistant professor of electrical and computer engineering in the Erik Jonsson School of Engineering and Computer Science and lead author of the study, along with colleagues elsewhere, developed a tool that can determine whether an Android game or other mobile app complies with the federal Children’s Online Privacy Protection Act (COPPA).
The researchers introduced and tested their “COPPA Tracking by Checking Hardware-Level Activity,” or COPPTCHA, tool in a study published in the March edition of IEEE Transactions on Information Forensics and Security. The tool was 99% accurate. Researchers continue to improve the technology, which they plan to make available for download at no cost.Basu said games and other apps that violate COPPA pose privacy risks that could make it possible for someone to determine a child’s identity and location. He said the risk is heightened as more people are accessing apps from home, rather than public places, due to the COVID-19 pandemic.
“Suppose the app collects information showing that there is a child on Preston Road in Plano, Texas, downloading the app. A trafficker could potentially get the user’s email ID and geographic location and try to kidnap the child. It’s really, really scary,” Basu said.
Apps can access personal identifiable information, including names, email addresses, phone numbers, location, audio and visual recordings, and unique identifiers for devices such as an international mobile equipment identity (IMEI), media access control (MAC) addresses, Android ID and Android advertising ID. The advertising ID, for example, allows app developers to collect information on users’ interests, which they can then sell to advertisers.
“When you download an app, it can access a lot of information on your cellphone,” Basu said. “You have to keep in mind that all this info can be collected by these apps and sent to third parties. What do they do with it? They can pretty much do anything. We should be careful about this.”
The researchers’ technique accesses a device’s special-purpose register, a type of temporary data-storage location within a microprocessor that monitors various aspects of the microprocessor’s function. Whenever an app transmits data, the activity leaves footprints that can be detected by the special-purpose register.
COPPA requires that websites and online services directed to children obtain parental consent before collecting personal information from anyone younger than 13; however, as Basu’s research found, many popular apps do not comply. He found that many popular games designed specifically for young children revealed users’ Android IDs, Android advertising IDs and device descriptions.
Basu recommends that parents use caution when downloading or allowing children to download apps.
“If your kid asks you to download a popular game app, you’re likely to download it,” Basu said. “A problem with our society is that many people are not aware of — or don’t care about — the threats in terms of privacy.”
Basu advises keeping downloads to a minimum.
“I try to limit my downloading of apps as much as possible,” Basu said. “I don’t download apps unless I need to.”
Researchers from the Georgia Institute of Technology, Intel Corp. and New York University also contributed to the work.