Thousands of apps are under fresh scrutiny, as lawmakers raise concerns about whether they collect personal data—including location—and are misleadingly labeled as child-friendly.

Last week, Sens. Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) called on the Federal Trade Commission to investigate whether apps and their partner advertisers violate a federal law that protects children’s privacy online. They also asked the FTC to examine how app stores vet the apps they categorize as child-friendly.

This request follows a lawsuit filed last month in New Mexico that claims that app maker Tiny Lab Productions violated a federal children’s privacy law through a number of Android apps that shared children’s data. One of the apps the company developed, a car-racing game called Fun Kid Racing, allegedly sharing users’ data—including the precise location of their devices—with advertising and online-tracking companies. It had been downloaded more than 1 million times.



READ MORE ON KIDS AND PRIVACY

Inside school-issued tech: The privacy problem
Facebook helps motivate the next generation of hackers
5 ways to prepare your kid for social media
How to choose a hacking camp for kids
Big data could bring big problems for kids
VTech hack exposes parents’ nightmare: The Internet of broken toys


The Children’s Online Privacy Protection Act was designed to protect children under 13 from being improperly tracked, including for advertising purposes. This means that websites and apps marketed to this demographic are prohibited from collecting personal data, including children’s names, email or physical addresses, geolocation data, or persistent identifiers—a code or unique ID that companies could use to recognize a user over time, or across different sites and services.

“[Child] tracking is essentially the surveillance of your child—it’s monitoring everything they’re doing, and the information that’s gleaned can be used in unexpected ways,” says Girard Kelly, counsel and director of privacy review at Common Sense Media. Protecting children from tracking is a growing and complicated problem compounded by a lack of transparency from app makers, he says.

When an app uses tracking, it creates a persistent identifier for each user, Kelly explains. A persistent identifier associates data collected from the app to a particular user and transmits this info to the app vendor’s website in the cloud where it can be combined with other information to identify that same user across the internet.

Apps can also be configured to discover and track which other apps are installed on the device, Kelly adds.  And this is not restricted to partner or affiliated apps.

The multitude of data that these identifiers can collect puts children at risk, says Russ Schrader, executive director of the National Cyber Security Alliance.

Photo by Alex Kaloostian/The Parallax

“They’re building a file on a child that will follow them through life,” he says. “All that information can put a child at risk for things like identity theft, should that data wind up in the wrong hands.”

Persistent identifiers also help app developers use filter bubbles, which influence what users see based on their app activity or behavior, Kelly says.

“This could change the perception of the content they’re consuming and what they’re seeing,” he says. “These tracking mechanisms that determine what you do, when you do it, and who you do it with can be used to distort the content that you’re aware is available.”

Determining whether an app is safe from tracking isn’t always easy, Kelly says. While many app developers comply with COPPA rules, many others don’t. Here’s what Kelly and Schrader say you should do to determine whether an app is free from tracking and safe for your child to use.

  1. Pay attention to the source

Not all apps are created equal, Schrader says. Some might appear to be geared toward children but don’t offer the protections required by law. Others might be downright malicious. For this reason, he suggests downloading apps primarily offered by well-known developers.

Not all safe apps come from well-known developers, of course, Schrader notes. He recommends reading app reviews within app stores and on family-friendly reviews sites. Common Sense Media, for example, has curated list of apps it deems safe for toddlers through teens.

  1. Be wary of free apps

“If you’re not paying for the product, you probably are the product,” Schrader says.

Free apps usually serve users ads, which means the apps are likely performing tracking behind the scenes, Kelly says.

“A lot of the free applications and services are the ones that maybe have the more invasive or surveillance-tracking mechanisms,” he says. “Folks who don’t have the money or resources to pay for privacy, and can’t afford higher-quality apps, are disproportionately affected. Unfortunately, we’re seeing that gap widen.”

  1. Read the privacy policy

Privacy policies are long and detailed, but they often provide key indicators of tracking practices, Kelly says.

“The majority of vendors are not very transparent about disclosing whether or not they engage in tracking,” Kelly says. “While the majority of them follow the law, they don’t always explicitly say in the policies, ‘Hey, we know this is something you’re concerned about, and we don’t do it.”

Keywords and phrases to look for in privacy policies to determine how an app uses data include: “tracking,” “identifiers,” “advertising,” “behavioral advertising,” and “creating profiles for advertising,” he says. These keywords are hard to omit in language that discusses tracking and what it can provide to the company, he adds.

However, if the privacy policy acknowledges that its primary intended user is under 13 years of age, the app maker is likely already abiding by COPPA standards, Schrader says.

  1. Contact the vendor

If it’s not clear from the app’s product page or privacy policy whether it uses tracking, Kelly recommends directly reaching out to the vendor.

“All of this can be difficult to get your hands around without contacting the vendor because the vendors don’t talk about it,”  he says. “They’re not transparent, and the only way to get an answer is to go to them.”

Monitoring the apps kids use—and knowing the difference between ones that respect and exploit their privacy—can be an overwhelming responsibility, Schrader acknowledges, but it’s one that should be shared more equally with vendors.

“Cybersecurity is a shared responsibility. Parents need to take charge because their children don’t have the cognition or understanding of how this will affect them, and vendors need to be more transparent,” he says.

Taking an active role in your kids’ online activities is an important step in generating change, Kelly adds. “There needs to be a safe place where kids won’t be tracked, and information won’t be used against them in ways they don’t expect,” he says. “That’s the conversation we’re trying to have, but it’s definitely a difficult one.”