“Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale

Open access

Abstract

We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps’ compliance with the Children’s Online Privacy Protection Act (COPPA), one of the few stringent privacy laws in the U.S. Based on our automated analysis of 5,855 of the most popular free children’s apps, we found that a majority are potentially in violation of COPPA, mainly due to their use of thirdparty SDKs. While many of these SDKs offer configuration options to respect COPPA by disabling tracking and behavioral advertising, our data suggest that a majority of apps either do not make use of these options or incorrectly propagate them across mediation SDKs. Worse, we observed that 19% of children’s apps collect identifiers or other personally identifiable information (PII) via SDKs whose terms of service outright prohibit their use in child-directed apps. Finally, we show that efforts by Google to limit tracking through the use of a resettable advertising ID have had little success: of the 3,454 apps that share the resettable ID with advertisers, 66% transmit other, non-resettable, persistent identifiers as well, negating any intended privacy-preserving properties of the advertising ID.

[1] H. Almuhimedi, F. Schaub, N. Sadeh, I. Adjerid, A. Acquisti, J. Gluck, L. Cranor, and Y. Agarwal. Your Location has been Shared 5,398 Times! A Field Study on Mobile App Privacy Nudging. Technical Report CMU-ISR-14-116, Carnegie Mellon University, 2014.

[2] D. Amalfitano, A. R. Fasolino, and P. Tramontana. A GUI Crawling-Based Technique for Android Mobile Application Testing. In Proc. of IEEE ICSTW, 2011.

[3] D. Amalfitano, A. R. Fasolino, P. Tramontana, B. D. Ta, and A. M. Memon. MobiGUITAR: Automated Model-Based Testing of Mobile Apps. IEEE Software, 2015.

[4] Amplitude, Inc. Privacy policy. https://amplitude.com/privacy, February 12 2017. Accessed: September 29, 2017.

[5] Appboy, Inc. Terms of Service. https://www.appboy.com/legal/, September 1 2017. Accessed: September 29, 2017.

[6] Appnext Ltd. Terms & conditions - publishers. https://www.appnext.com/terms-conditions/, October 1 2017. Accessed: September 29, 2017.

[7] K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. PScout: Analyzing Android Permission Specification. In Proc. of ACM CCS, 2012.

[8] C. Babel. Protecting kids’ privacy - an ever-evolving effort. http://www.trustarc.com/blog/2017/04/06/protectingkids-privacy-ever-evolving-effort/, April 6 2017. Accessed: September 29, 2017.

[9] G. S. Babil, O. Mehani, R. Boreli, and M. A. Kaafar. On the Effectiveness of Dynamic Taint Analysis for Protecting Against Private Information leaks on Android-based Devices. In Proc. of SECRYPT, 2013.

[10] F. Bélanger, R. E. Crossler, J. S. Hiller, J. Park, and M. S. Hsiao. Pocket: A tool for protecting children’s privacy online. Decision Support Systems, 2013.

[11] R. Bhoraskar, S. Han, J. Jeon, T. Azim, S. Chen, J. Jung, S. Nath, R. Wang, and D. Wetherall. Brahmastra: Driving Apps to Test the Security of Third-Party Components. In USENIX Security Symposium, 2014.

[12] Branch Metrics, Inc. Terms & policies. https://branch.io/policies/, May 16 2017. Accessed: September 29, 2017.

[13] Buongiorno UK Limited. Privacy. http://www.kidzinmind.com/uk/privacy. Accessed: September 29, 2017.

[14] X. Cai and X. Zhao. Online Advertising on Popular Children’s Websites: Structural Features and Privacy Issues. Computers in Human Behavior, 2013.

[15] P. Carter, C. Mulliner, M. Lindorfer, W. Robertson, and E. Kirda. CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes. In Proc. of FC, 2016.

[16] L. Cavallaro, P. Saxena, and R. Sekar. On the Limits of Information Flow Techniques for Malware Analysis and Containment. In Proc. of DIMVA, pages 143-163. Springer- Verlag, 2008.

[17] Y. Chen, S. Zhu, H. Xu, and Y. Zhou. Children’s Exposure to Mobile In-App Advertising: An Analysis of Content Appropriateness. In Proc. IEEE SocialCom, 2013.

[18] Children’s Advertising Review Unit. Supporters. http: //www.caru.org/support/supporters.aspx. Accessed: September 29, 2017.

[19] Class Twist, Inc. Privacy policy. https://www.classdojo.com/privacy/, September 14 2017. Accessed: September 29, 2017.

[20] U.S. Federal Trade Commission. FTC Testifies on Geolocation Privacy. https://www.ftc.gov/news-events/pressreleases/2014/06/ftc-testifies-geolocation-privacy. Accessed: September 29, 2017.

[21] U.S. Federal Trade Commission. FTC Warns Children’s App Maker BabyBus About Potential COPPA Violations, 2014.

[22] U.S. Federal Trade Commission. Complying with COPPA: Frequently Asked Questionss, 2015.

[23] U.S. Federal Trade Commission. Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission, 2016.

[24] U.S. Federal Trade Commission. Two App Developers Settle FTC Charges They Violated Children’s Online Privacy Protection Act. https://www.ftc.gov/news-events/pressreleases/2015/12/two-app-developers-settle-ftc-chargesthey-violated-childrens, 2016. Accessed: September 26, 2017.

[25] M. Conti, B. Crispo, E. Fernandes, and Y. Zhauniarovich. Crêpe: A system for Enforcing Fine-grained Context-related Policies on Android. IEEE Transactions on Information Forensics and Security, 2012.

[26] Electronic Frontier Foundation. United States v. David Nosal. https://www.eff.org/cases/u-s-v-nosal, 2015.

[27] Electronic Privacy Information Center (EPIC). hiQ Labs, Inc. v. LinkedIn Corp. https://epic.org/amicus/cfaa/linkedin/, 2017.

[28] W. Enck, P. Gilbert, B. Chun, L. P. Cox, J. Jung, P. Mc-Daniel, and A. N. Sheth. TaintDroid: An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proc. of USENIX OSDI, 2010.

[29] Facebook. Coppa an - facebook audience net. https://developers.facebook.com/docs/audience-network/coppa. Accessed: November 30, 2017.

[30] FamilyTime. App privacy policy. https://familytime.io/legal/app-privacy-policy.html, March 28 2015. Accessed: September 29, 2017.

[31] Finny Inc. Privacy policy. https://www.myfinny.com/privacypolicy, March 7 2016. Accessed: September 29, 2017.

[32] Fuel Powered, Inc. Terms of service. https://www.fuelpowered.com/tos, March 23 2017. Accessed: September 29, 2017.

[33] C. Gibler, J. Crussell, J. Erickson, and H. Chen. AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale. In Proc. of TRUST. Springer-Verlag, 2012.

[34] Google, Inc. Coppa compliance and child-directed apps / families and coppa - developer policy center. https://play.google.com/about/families/coppa-compliance/. Accessed: November 26, 2017.

[35] Google, Inc. Distribution of android versions. http://developer.android.com/about/dashboards/index.html. Accessed: March 21, 2018.

[36] Google, Inc. Program requirements | families and coppa - developer policy center. https://play.google.com/about/families/designed-for-families/program-requirements/. Accessed: September 26, 2017.

[37] Google, Inc. The Google Maps Geolocation API. https://developers.google.com/maps/documentation/geolocation/intro. Accessed: September 29, 2017.

[38] Google, Inc. UI/Application Exerciser Monkey. https://developer.android.com/tools/help/monkey.html.

[39] Google, Inc. Crashlytics agreement. https://try.crashlytics.com/terms/terms-of-service.pdf, January 27 2017. Accessed: September 29, 2017.

[40] Google, Inc. Usage of android advertising id. https://play.google.com/about/monetization-ads/ads/ad-id/, 2017. Accessed: November 30, 2017.

[41] M. I. Gordon, D. Kim, J. Perkins, Gilhamy, N. Nguyenz, and M. Rinard. Information-Flow Analysis of Android Applications in DroidSafe. In Proc. of NDSS Symposium, 2015.

[42] S. Hao, B. Liu, S. Nath, W. G.J. Halfond, and R. Govindan. PUMA: Programmable UI-automation for Large-scale Dynamic Analysis of Mobile Apps. In Proc. of ACM MobiSys, 2014.

[43] H. Harkous, K. Fawaz, K. G Shin, and K. Aberer. PriBots: Conversational Privacy with Chatbots. In Proc. of USENIX SOUPS, 2016.

[44] Heyzap, Inc. Heyzap sdk. https://www.heyzap.com/legal/heyzap_sdk, April 24 2014. Accessed: September 29, 2017.

[45] B. Hu, B. Liu, N. Z. Gong, D. Kong, and H. Jin. Protecting your Children from Inappropriate Content in Mobile Apps: An Automatic Maturity Rating Framework. In Proc. of ACM CIKM, 2015.

[46] Inneractive Ltd. Inneractive general terms. http://inneractive.com/terms-of-use/, September 24 2017. Accessed: September 29, 2017.

[47] ironSource Ltd. Privacy policy. https://www.supersonic.com/privacy-policy/, July 14 2016. Accessed: September 29, 2017.

[48] J. Kim, Y. Yoon, K. Yi, and J. Shin. ScanDal: Static Analyzer for Detecting Privacy Leaks in Android Applications. IEEE MoST, 2012.

[49] I. Leontiadis, C. Efstratiou, M. Picone, and C. Mascolo. Don’t kill my ads! Balancing Privacy in an Ad-Supported Mobile Application Market. In Proc. of ACM HotMobile, 2012.

[50] C. M. Liang, N. D. Lane, N. Brouwers, L. Zhang, B. F. Karlsson, H. Liu, Y. Liu, J. Tang, X. Shan, R. Chandra, and F. Zhao. Caiipa: Automated Large-scale Mobile App Testing Through Contextual Fuzzing. In Proc. of ACM MobiCom, New York, NY, USA, 2014.

[51] I. Liccardi, M. Bulger, H. Abelson, D. J. Weitzner, and W. Mackay. Can Apps Play by the COPPA Rules? In Proc. of IEEE PST, 2014.

[52] M. Lindorfer, M. Neugschwandtner, L. Weichselbaum, Y. Fratantonio, V. van der Veen, and C. Platzer. Andrubis - 1,000,000 Apps Later: A View on Current Android Malware Behaviors. In Proc. of IEEE BADGERS Workshop, 2014.

[53] M. Liu, H. Wang, Y. Guo, and J. Hong. Identifying and Analyzing the Privacy of Apps for Kids. In Proc. of ACM HotMobile, 2016.

[54] H. Lockheimer. Android and security. http://googlemobile.blogspot.com/2012/02/android-and-security.html, February 2 2012.

[55] A. Machiry, R. Tahiliani, and M. Naik. Dynodroid: An Input Generation System for Android Apps. In Proc. of the Joint Meeting on Foundations of Software Engineering (ESEC/FSE), 2013.

[56] M. Madden, A. Lenhart, S. Cortesi, U. Gasser, M. Duggan, A. Smith, and M. Beaton. Teens, Social Media, and Privacy. Pew Research Center, 21:2-86, 2013.

[57] A.K. Massey, J. Eisenstein, A.I. Antón, and P.P. Swire. Automated Text Mining for Requirements Analysis of Policy Documents. In Proc. of IEEE Requirements Engineering Conference (RE), 2013.

[58] E. McReynolds, S. Hubbard, T. Lau, A. Saraf, M. Cakmak, and F. Roesner. Toys That Listen: A Study of Parents, Children, and Internet-Connected Toys. In Proc. of ACM CHI, 2017.

[59] Miniclip SA. Miniclip privacy policy. https://www.miniclip.com/games/page/en/privacy-policy/, October 29 2014. Accessed: September 29, 2017.

[60] MoPub Inc. Mopub privacy policy. https://www.mopub.com/legal/privacy/, July 19 2017. Accessed: November 30, 2017.

[61] MoPub Inc. Mopub terms of service. https://www.mopub.com/legal/tos/, August 22 2017. Accessed: September 29, 2017.

[62] NFL Enterprises LLC. Nfl.com privacy policy. http://www.nfl.com/help/privacy, September 15 2017. Accessed: September 29, 2017.

[63] A. Oltramari, D. Piraviperumal, F. Schaub, S. Wilson, S. Cherivirala, T.B. Norton, N.C. Russell, P. Story, J. Reidenberg, and N. Sadeh. PrivOnto: A Semantic Framework for the Analysis of Privacy Policies. Semantic Web, (Preprint), 2016.

[64] I. Pollach. What’s wrong with online privacy policies? Commun. ACM, 50(9):103-108, September 2007.

[65] A. Razaghpanah, A. Niaki, N. Vallina-Rodriguez, S. Sundaresan, J. Amann, and P. Gill. Studying TLS Usage in Android Apps. In Proc. of ACM CoNEXT, 2017.

[66] A. Razaghpanah, R. Nithyanand, N. Vallina-Rodriguez, S. Sundaresan, M. Allman, C. Kreibich, and P. Gill. Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem. In Proc. of NDSS Symposium, 2018.

[67] A. Razaghpanah, N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich, P. Gill, M. Allman, and V. Paxson. Haystack: In Situ Mobile Traffic Analysis in User Space. arXiv preprint arXiv:1510.01419, 2015.

[68] J. Ren, M. Lindorfer, D. J. Dubois, A. Rao, D. Choffnes, and N. Vallina-Rodriguez. Bug Fixes, Improvements,... and Privacy Leaks. In In. Proc. of NDSS Symposium, 2018.

[69] J. Ren, A. Rao, M. Lindorfer, A. Legout, and D. Choffnes. ReCon: Revealing and Controlling Privacy Leaks in Mobile Network Traffic. In In Proc. ACM MobiSys, 2016.

[70] I. Reyes, P. Wijesekera, A. Razaghpanah, J. Reardon, N. Vallina-Rodriguez, S. Egelman, and S. Kreibich. “Is Our Children’s Apps Learning?” Automatically Detecting COPPA Violations. In IEEE ConPro, 2017.

[71] N. Sadeh, A. Acquisti, T. D Breaux, L. Cranor, A. M. Mc- Donald, J. R. Reidenberg, N. A. Smith, F. Liu, N. C. Russell, F. Schaub, et al. The Usable Privacy Policy Project. Technical report, Technical Report, CMU-ISR-13-119, Carnegie Mellon University, 2013.

[72] Samet Privacy, LLC. Official membership page. https://www.kidsafeseal.com/certifiedproducts/kidzinmind_app.html. Accessed: September 29, 2017.

[73] Samet Privacy, LLC. Official membership page. https://www.kidsafeseal.com/certifiedproducts/familytime_app.html. Accessed: September 29, 2017.

[74] Samet Privacy, LLC. Member list. https://www.kidsafeseal.com/certifiedproducts.html, 2011. Accessed: November 30, 2017.

[75] E.J. Schwartz, T. Avgerinos, and D. Brumley. All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask). In Proc. of the IEEE Symposium on Security and Privacy (SP), Oakland ’10, 2010.

[76] Sirsi Corporation. Legal & privacy terms. http://www.sirsidynix.com/privacy, April 23 2004. Accessed: September 29, 2017.

[77] Y. Song and U. Hengartner. PrivacyGuard: A VPN-based Platform to Detect Information Leakage on Android Devices. In Proc. of ACM SPSM, 2015.

[78] Tapjoy, Inc. Publishers terms of service. https://home.tapjoy.com/legal/publishers-terms-service/, February 16 2016. Accessed: September 29, 2017.

[79] Upsight. COPPA. https://help.upsight.com/api-sdkreference/integration-checklist/#coppa, 2017. Accessed: November 30, 2017.

[80] U.S. Court of Appeals, Ninth Circuit. Oracle USA, Inc. v. Rimini Street, Inc. https://www.eff.org/document/oracle-vrimini-ninth-circuit-opinion. Accessed: March 24, 2018.

[81] U.S. Federal Trade Commission. Coppa safe harbor program. https://www.ftc.gov/safe-harbor-program. Accessed: September 28, 2017.

[82] U.S. Federal Trade Commission. FTC Approves Modifications to TRUSTe’s COPPA Safe Harbor Program. https://www.ftc.gov/news-events/press-releases/2017/07/ftcapproves-modifications-trustes-coppa-safe-harbor-program. Accessed: September 28, 2017.

[83] U.S. Federal Trade Commission. Mobile apps for kids: Disclosures still not making the grade. https://www.ftc.gov/sites/default/files/documents/reports/mobile-apps-kids-disclosures-still-not-making-grade/121210mobilekidsappreport.pdf, December 2012.

[84] U.S. Federal Trade Commission. Children’s online privacy protection rule: A six-step compliance plan for your business. https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance, June 2017. Accessed: November 30, 2017.

[85] E. van der Walt and J. Eloff. Protecting Minors on Social Media Platforms-A Big Data Science Experiment. Technische Berichte des Hasso-Plattner-Instituts für Softwaresystemtechnik an der Universität Potsdam, page 15, 2015.

[86] M. Van Kleek, I. Liccardi, R. Binns, J. Zhao, D.J. Weitzner, and N. Shadbolt. Better the Devil you Know: Exposing the Data Sharing Practices of Smartphone Apps. In Proc. of ACM CHI, 2017.

[87] WiGLE. Wigle: Wirless network mapping. https://wigle.net/. Accessed: September 29, 2017.

[88] P. Wijesekera, A. Baokar, A. Hosseini, S. Egelman, D. Wagner, and K. Beznosov. Android Permissions Remystified: A Field Study on Contextual Integrity. In Proc. of USENIX Security, 2015.

[89] P. Wijesekera, A. Baokar, L. Tsai, J. Reardon, S. Egelman, D. Wagner, and K. Beznosov. The Feasability of Dynamically Granted Permissions: Aligning Mobile Privacy with User Preferences. In Proc. of IEEE Symposium on Security and Privacy (SP), Oakland ’17, 2017.

[90] B. Yankson, F. Iqbal, and P.C.K. Hung. Privacy preservation framework for smart connected toys. In Computing in Smart Toys, pages 149-164. Springer, 2017.

[91] S. Yong, D. Lindskog, R. Ruhl, and P. Zavarsky. Risk Mitigation Strategies for Mobile Wi-Fi Robot Toys from Online Pedophiles. In Proc. of IEEE SocialCom, pages 1220-1223. IEEE, 2011.

[92] S. Zimmeck, Z. Wang, L. Zou, R. Iyengar, B. Liu, F. Schaub, S. Wilson, N. Sadeh, S. M. Bellovin, and J. Reidenberg. Automated Analysis of Privacy Requirements for Mobile Apps. In Proc. of NDSS Symposium, 2017.

[93] S. Zimmeck, Z. Wang, L. Zou, R. Iyengar, B. Liu, F. Schaub, S. Wilson, N. Sadeh, S.M. Bellovin, and J.R. Reidenberg. Automated Analysis of Privacy Requirements for Mobile Apps. In Proc. of NDSS Symposium, 2017.

Journal Information

Metrics

All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 515 515 50
PDF Downloads 225 225 27