“Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale

Open access

Abstract

We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps’ compliance with the Children’s Online Privacy Protection Act (COPPA), one of the few stringent privacy laws in the U.S. Based on our automated analysis of 5,855 of the most popular free children’s apps, we found that a majority are potentially in violation of COPPA, mainly due to their use of third-party SDKs. While many of these SDKs offer configuration options to respect COPPA by disabling tracking and behavioral advertising, our data suggest that a majority of apps either do not make use of these options or incorrectly propagate them across mediation SDKs. Worse, we observed that 19% of children’s apps collect identifiers or other personally identifiable information (PII) via SDKs whose terms of service outright prohibit their use in child-directed apps. Finally, we show that efforts by Google to limit tracking through the use of a resettable advertising ID have had little success: of the 3,454 apps that share the resettable ID with advertisers, 66% transmit other, non-resettable, persistent identifiers as well, negating any intended privacy-preserving properties of the advertising ID.
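The last finding in the abstract can be checked on captured app traffic. The following is an added example, not the authors' framework or code: it flags any destination that receives the resettable advertising ID together with a persistent identifier from the same app. The identifier types (Android ID, IMEI, Wi-Fi MAC), the grouping by destination host, and all device values, package names and hosts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed identifiers of the test device (assumed known to the analyst).
DEVICE = {
    "ad_id": "38400000-8cf0-11bd-b23e-10b96e40000d",  # resettable
    "android_id": "9774d56d682e549c",                 # persistent
    "imei": "490154203237518",                        # persistent
    "wifi_mac": "02:00:5e:10:00:01",                  # persistent
}
RESETTABLE = {"ad_id"}

def _norm(s):
    """Lower-case and drop separators so 'AA:BB' and 'aabb' compare equal."""
    return re.sub(r"[^0-9a-z]", "", s.lower())

def identifiers_in(url, body=""):
    """Return the names of device identifiers present in one request."""
    values = [v for _, v in parse_qsl(urlsplit(url).query)] + [body]
    haystack = " ".join(_norm(v) for v in values)
    return {name for name, val in DEVICE.items() if _norm(val) in haystack}

def bridging_report(flows):
    """Map (app, host) -> persistent IDs sent alongside the advertising ID."""
    seen = defaultdict(set)
    for app, url, body in flows:
        seen[(app, urlsplit(url).hostname)] |= identifiers_in(url, body)
    return {key: sorted(ids - RESETTABLE)
            for key, ids in seen.items()
            if ids & RESETTABLE and ids - RESETTABLE}

# Constructed flows: (app package, request URL, request body).
FLOWS = [
    ("com.example.kidsgame",
     "https://ads.example.net/v1/req?ifa=38400000-8CF0-11BD-B23E-10B96E40000D", ""),
    ("com.example.kidsgame", "https://ads.example.net/v1/init",
     '{"did":"9774d56d682e549c","mac":"02:00:5E:10:00:01"}'),
    ("com.example.puzzle",
     "https://track.example.org/e?adid=38400000-8cf0-11bd-b23e-10b96e40000d", ""),
    ("com.example.abc", "https://stats.example.com/c?imei=490154203237518", ""),
]

if __name__ == "__main__":
    for (app, host), ids in bridging_report(FLOWS).items():
        print(f"{app} -> {host}: advertising ID sent with {', '.join(ids)}")
```

The match is on plaintext values only; identifiers that an SDK hashes or encodes before sending would need the corresponding transformed values added to the search set.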


