1. bookVolume 2018 (2018): Issue 3 (June 2018)
Journal Details
License
Format
Journal
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
access type Open Access

“Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale

Published Online: 28 Apr 2018
Page range: 63 - 83
Received: 30 Nov 2017
Accepted: 16 Mar 2018
Journal Details
License
Format
Journal
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English

We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps’ compliance with the Children’s Online Privacy Protection Act (COPPA), one of the few stringent privacy laws in the U.S. Based on our automated analysis of 5,855 of the most popular free children’s apps, we found that a majority are potentially in violation of COPPA, mainly due to their use of thirdparty SDKs. While many of these SDKs offer configuration options to respect COPPA by disabling tracking and behavioral advertising, our data suggest that a majority of apps either do not make use of these options or incorrectly propagate them across mediation SDKs. Worse, we observed that 19% of children’s apps collect identifiers or other personally identifiable information (PII) via SDKs whose terms of service outright prohibit their use in child-directed apps. Finally, we show that efforts by Google to limit tracking through the use of a resettable advertising ID have had little success: of the 3,454 apps that share the resettable ID with advertisers, 66% transmit other, non-resettable, persistent identifiers as well, negating any intended privacy-preserving properties of the advertising ID.

[1] H. Almuhimedi, F. Schaub, N. Sadeh, I. Adjerid, A. Acquisti, J. Gluck, L. Cranor, and Y. Agarwal. Your Location has been Shared 5,398 Times! A Field Study on Mobile App Privacy Nudging. Technical Report CMU-ISR-14-116, Carnegie Mellon University, 2014.Search in Google Scholar

[2] D. Amalfitano, A. R. Fasolino, and P. Tramontana. A GUI Crawling-Based Technique for Android Mobile Application Testing. In Proc. of IEEE ICSTW, 2011.Search in Google Scholar

[3] D. Amalfitano, A. R. Fasolino, P. Tramontana, B. D. Ta, and A. M. Memon. MobiGUITAR: Automated Model-Based Testing of Mobile Apps. IEEE Software, 2015.Search in Google Scholar

[4] Amplitude, Inc. Privacy policy. https://amplitude.com/privacy, February 12 2017. Accessed: September 29, 2017.Search in Google Scholar

[5] Appboy, Inc. Terms of Service. https://www.appboy.com/legal/, September 1 2017. Accessed: September 29, 2017.Search in Google Scholar

[6] Appnext Ltd. Terms & conditions - publishers. https://www.appnext.com/terms-conditions/, October 1 2017. Accessed: September 29, 2017.Search in Google Scholar

[7] K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. PScout: Analyzing Android Permission Specification. In Proc. of ACM CCS, 2012.Search in Google Scholar

[8] C. Babel. Protecting kids’ privacy - an ever-evolving effort. http://www.trustarc.com/blog/2017/04/06/protectingkids-privacy-ever-evolving-effort/, April 6 2017. Accessed: September 29, 2017.Search in Google Scholar

[9] G. S. Babil, O. Mehani, R. Boreli, and M. A. Kaafar. On the Effectiveness of Dynamic Taint Analysis for Protecting Against Private Information leaks on Android-based Devices. In Proc. of SECRYPT, 2013.Search in Google Scholar

[10] F. Bélanger, R. E. Crossler, J. S. Hiller, J. Park, and M. S. Hsiao. Pocket: A tool for protecting children’s privacy online. Decision Support Systems, 2013.Search in Google Scholar

[11] R. Bhoraskar, S. Han, J. Jeon, T. Azim, S. Chen, J. Jung, S. Nath, R. Wang, and D. Wetherall. Brahmastra: Driving Apps to Test the Security of Third-Party Components. In USENIX Security Symposium, 2014.Search in Google Scholar

[12] Branch Metrics, Inc. Terms & policies. https://branch.io/policies/, May 16 2017. Accessed: September 29, 2017.Search in Google Scholar

[13] Buongiorno UK Limited. Privacy. http://www.kidzinmind.com/uk/privacy. Accessed: September 29, 2017.Search in Google Scholar

[14] X. Cai and X. Zhao. Online Advertising on Popular Children’s Websites: Structural Features and Privacy Issues. Computers in Human Behavior, 2013.10.1007/978-3-319-04048-6Open DOISearch in Google Scholar

[15] P. Carter, C. Mulliner, M. Lindorfer, W. Robertson, and E. Kirda. CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes. In Proc. of FC, 2016.Search in Google Scholar

[16] L. Cavallaro, P. Saxena, and R. Sekar. On the Limits of Information Flow Techniques for Malware Analysis and Containment. In Proc. of DIMVA, pages 143-163. Springer- Verlag, 2008.Search in Google Scholar

[17] Y. Chen, S. Zhu, H. Xu, and Y. Zhou. Children’s Exposure to Mobile In-App Advertising: An Analysis of Content Appropriateness. In Proc. IEEE SocialCom, 2013.Search in Google Scholar

[18] Children’s Advertising Review Unit. Supporters. http: //www.caru.org/support/supporters.aspx. Accessed: September 29, 2017. Search in Google Scholar

[19] Class Twist, Inc. Privacy policy. https://www.classdojo.com/privacy/, September 14 2017. Accessed: September 29, 2017.Search in Google Scholar

[20] U.S. Federal Trade Commission. FTC Testifies on Geolocation Privacy. https://www.ftc.gov/news-events/pressreleases/2014/06/ftc-testifies-geolocation-privacy. Accessed: September 29, 2017.Search in Google Scholar

[21] U.S. Federal Trade Commission. FTC Warns Children’s App Maker BabyBus About Potential COPPA Violations, 2014.Search in Google Scholar

[22] U.S. Federal Trade Commission. Complying with COPPA: Frequently Asked Questionss, 2015.Search in Google Scholar

[23] U.S. Federal Trade Commission. Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission, 2016.Search in Google Scholar

[24] U.S. Federal Trade Commission. Two App Developers Settle FTC Charges They Violated Children’s Online Privacy Protection Act. https://www.ftc.gov/news-events/pressreleases/2015/12/two-app-developers-settle-ftc-chargesthey-violated-childrens, 2016. Accessed: September 26, 2017.Search in Google Scholar

[25] M. Conti, B. Crispo, E. Fernandes, and Y. Zhauniarovich. Crêpe: A system for Enforcing Fine-grained Context-related Policies on Android. IEEE Transactions on Information Forensics and Security, 2012.Search in Google Scholar

[26] Electronic Frontier Foundation. United States v. David Nosal. https://www.eff.org/cases/u-s-v-nosal, 2015.Search in Google Scholar

[27] Electronic Privacy Information Center (EPIC). hiQ Labs, Inc. v. LinkedIn Corp. https://epic.org/amicus/cfaa/linkedin/, 2017.Search in Google Scholar

[28] W. Enck, P. Gilbert, B. Chun, L. P. Cox, J. Jung, P. Mc-Daniel, and A. N. Sheth. TaintDroid: An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proc. of USENIX OSDI, 2010.Search in Google Scholar

[29] Facebook. Coppa an - facebook audience net. https://developers.facebook.com/docs/audience-network/coppa. Accessed: November 30, 2017.Search in Google Scholar

[30] FamilyTime. App privacy policy. https://familytime.io/legal/app-privacy-policy.html, March 28 2015. Accessed: September 29, 2017.Search in Google Scholar

[31] Finny Inc. Privacy policy. https://www.myfinny.com/privacypolicy, March 7 2016. Accessed: September 29, 2017.Search in Google Scholar

[32] Fuel Powered, Inc. Terms of service. https://www.fuelpowered.com/tos, March 23 2017. Accessed: September 29, 2017.Search in Google Scholar

[33] C. Gibler, J. Crussell, J. Erickson, and H. Chen. AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale. In Proc. of TRUST. Springer-Verlag, 2012.Search in Google Scholar

[34] Google, Inc. Coppa compliance and child-directed apps / families and coppa - developer policy center. https://play.google.com/about/families/coppa-compliance/. Accessed: November 26, 2017.Search in Google Scholar

[35] Google, Inc. Distribution of android versions. http://developer.android.com/about/dashboards/index.html. Accessed: March 21, 2018.Search in Google Scholar

[36] Google, Inc. Program requirements | families and coppa - developer policy center. https://play.google.com/about/families/designed-for-families/program-requirements/. Accessed: September 26, 2017.Search in Google Scholar

[37] Google, Inc. The Google Maps Geolocation API. https://developers.google.com/maps/documentation/geolocation/intro. Accessed: September 29, 2017.Search in Google Scholar

[38] Google, Inc. UI/Application Exerciser Monkey. https://developer.android.com/tools/help/monkey.html.Search in Google Scholar

[39] Google, Inc. Crashlytics agreement. https://try.crashlytics.com/terms/terms-of-service.pdf, January 27 2017. Accessed: September 29, 2017.Search in Google Scholar

[40] Google, Inc. Usage of android advertising id. https://play.google.com/about/monetization-ads/ads/ad-id/, 2017. Accessed: November 30, 2017.Search in Google Scholar

[41] M. I. Gordon, D. Kim, J. Perkins, Gilhamy, N. Nguyenz, and M. Rinard. Information-Flow Analysis of Android Applications in DroidSafe. In Proc. of NDSS Symposium, 2015.Search in Google Scholar

[42] S. Hao, B. Liu, S. Nath, W. G.J. Halfond, and R. Govindan. PUMA: Programmable UI-automation for Large-scale Dynamic Analysis of Mobile Apps. In Proc. of ACM MobiSys, 2014.Search in Google Scholar

[43] H. Harkous, K. Fawaz, K. G Shin, and K. Aberer. PriBots: Conversational Privacy with Chatbots. In Proc. of USENIX SOUPS, 2016.Search in Google Scholar

[44] Heyzap, Inc. Heyzap sdk. https://www.heyzap.com/legal/heyzap_sdk, April 24 2014. Accessed: September 29, 2017.Search in Google Scholar

[45] B. Hu, B. Liu, N. Z. Gong, D. Kong, and H. Jin. Protecting your Children from Inappropriate Content in Mobile Apps: An Automatic Maturity Rating Framework. In Proc. of ACM CIKM, 2015.Search in Google Scholar

[46] Inneractive Ltd. Inneractive general terms. http://inneractive.com/terms-of-use/, September 24 2017. Accessed: September 29, 2017.Search in Google Scholar

[47] ironSource Ltd. Privacy policy. https://www.supersonic.com/privacy-policy/, July 14 2016. Accessed: September 29, 2017.Search in Google Scholar

[48] J. Kim, Y. Yoon, K. Yi, and J. Shin. ScanDal: Static Analyzer for Detecting Privacy Leaks in Android Applications. IEEE MoST, 2012.Search in Google Scholar

[49] I. Leontiadis, C. Efstratiou, M. Picone, and C. Mascolo. Don’t kill my ads! Balancing Privacy in an Ad-Supported Mobile Application Market. In Proc. of ACM HotMobile, 2012.Search in Google Scholar

[50] C. M. Liang, N. D. Lane, N. Brouwers, L. Zhang, B. F. Karlsson, H. Liu, Y. Liu, J. Tang, X. Shan, R. Chandra, and F. Zhao. Caiipa: Automated Large-scale Mobile App Testing Through Contextual Fuzzing. In Proc. of ACM MobiCom, New York, NY, USA, 2014.Search in Google Scholar

[51] I. Liccardi, M. Bulger, H. Abelson, D. J. Weitzner, and W. Mackay. Can Apps Play by the COPPA Rules? In Proc. of IEEE PST, 2014.Search in Google Scholar

[52] M. Lindorfer, M. Neugschwandtner, L. Weichselbaum, Y. Fratantonio, V. van der Veen, and C. Platzer. Andrubis - 1,000,000 Apps Later: A View on Current Android Malware Behaviors. In Proc. of IEEE BADGERS Workshop, 2014.Search in Google Scholar

[53] M. Liu, H. Wang, Y. Guo, and J. Hong. Identifying and Analyzing the Privacy of Apps for Kids. In Proc. of ACM HotMobile, 2016.Search in Google Scholar

[54] H. Lockheimer. Android and security. http://googlemobile.blogspot.com/2012/02/android-and-security.html, February 2 2012.Search in Google Scholar

[55] A. Machiry, R. Tahiliani, and M. Naik. Dynodroid: An Input Generation System for Android Apps. In Proc. of the Joint Meeting on Foundations of Software Engineering (ESEC/FSE), 2013.Search in Google Scholar

[56] M. Madden, A. Lenhart, S. Cortesi, U. Gasser, M. Duggan, A. Smith, and M. Beaton. Teens, Social Media, and Privacy. Pew Research Center, 21:2-86, 2013.Search in Google Scholar

[57] A.K. Massey, J. Eisenstein, A.I. Antón, and P.P. Swire. Automated Text Mining for Requirements Analysis of Policy Documents. In Proc. of IEEE Requirements Engineering Conference (RE), 2013.Search in Google Scholar

[58] E. McReynolds, S. Hubbard, T. Lau, A. Saraf, M. Cakmak, and F. Roesner. Toys That Listen: A Study of Parents, Children, and Internet-Connected Toys. In Proc. of ACM CHI, 2017.Search in Google Scholar

[59] Miniclip SA. Miniclip privacy policy. https://www.miniclip.com/games/page/en/privacy-policy/, October 29 2014. Accessed: September 29, 2017.Search in Google Scholar

[60] MoPub Inc. Mopub privacy policy. https://www.mopub.com/legal/privacy/, July 19 2017. Accessed: November 30, 2017.Search in Google Scholar

[61] MoPub Inc. Mopub terms of service. https://www.mopub.com/legal/tos/, August 22 2017. Accessed: September 29, 2017.Search in Google Scholar

[62] NFL Enterprises LLC. Nfl.com privacy policy. http://www.nfl.com/help/privacy, September 15 2017. Accessed: September 29, 2017.Search in Google Scholar

[63] A. Oltramari, D. Piraviperumal, F. Schaub, S. Wilson, S. Cherivirala, T.B. Norton, N.C. Russell, P. Story, J. Reidenberg, and N. Sadeh. PrivOnto: A Semantic Framework for the Analysis of Privacy Policies. Semantic Web, (Preprint), 2016.Search in Google Scholar

[64] I. Pollach. What’s wrong with online privacy policies? Commun. ACM, 50(9):103-108, September 2007.10.1145/1284621.1284627Open DOISearch in Google Scholar

[65] A. Razaghpanah, A. Niaki, N. Vallina-Rodriguez, S. Sundaresan, J. Amann, and P. Gill. Studying TLS Usage in Android Apps. In Proc. of ACM CoNEXT, 2017.Search in Google Scholar

[66] A. Razaghpanah, R. Nithyanand, N. Vallina-Rodriguez, S. Sundaresan, M. Allman, C. Kreibich, and P. Gill. Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem. In Proc. of NDSS Symposium, 2018.Search in Google Scholar

[67] A. Razaghpanah, N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich, P. Gill, M. Allman, and V. Paxson. Haystack: In Situ Mobile Traffic Analysis in User Space. arXiv preprint arXiv:1510.01419, 2015.Search in Google Scholar

[68] J. Ren, M. Lindorfer, D. J. Dubois, A. Rao, D. Choffnes, and N. Vallina-Rodriguez. Bug Fixes, Improvements,... and Privacy Leaks. In In. Proc. of NDSS Symposium, 2018.Search in Google Scholar

[69] J. Ren, A. Rao, M. Lindorfer, A. Legout, and D. Choffnes. ReCon: Revealing and Controlling Privacy Leaks in Mobile Network Traffic. In In Proc. ACM MobiSys, 2016.Search in Google Scholar

[70] I. Reyes, P. Wijesekera, A. Razaghpanah, J. Reardon, N. Vallina-Rodriguez, S. Egelman, and S. Kreibich. “Is Our Children’s Apps Learning?” Automatically Detecting COPPA Violations. In IEEE ConPro, 2017.Search in Google Scholar

[71] N. Sadeh, A. Acquisti, T. D Breaux, L. Cranor, A. M. Mc- Donald, J. R. Reidenberg, N. A. Smith, F. Liu, N. C. Russell, F. Schaub, et al. The Usable Privacy Policy Project. Technical report, Technical Report, CMU-ISR-13-119, Carnegie Mellon University, 2013.Search in Google Scholar

[72] Samet Privacy, LLC. Official membership page. https://www.kidsafeseal.com/certifiedproducts/kidzinmind_app.html. Accessed: September 29, 2017.Search in Google Scholar

[73] Samet Privacy, LLC. Official membership page. https://www.kidsafeseal.com/certifiedproducts/familytime_app.html. Accessed: September 29, 2017.Search in Google Scholar

[74] Samet Privacy, LLC. Member list. https://www.kidsafeseal.com/certifiedproducts.html, 2011. Accessed: November 30, 2017.Search in Google Scholar

[75] E.J. Schwartz, T. Avgerinos, and D. Brumley. All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask). In Proc. of the IEEE Symposium on Security and Privacy (SP), Oakland ’10, 2010.Search in Google Scholar

[76] Sirsi Corporation. Legal & privacy terms. http://www.sirsidynix.com/privacy, April 23 2004. Accessed: September 29, 2017.Search in Google Scholar

[77] Y. Song and U. Hengartner. PrivacyGuard: A VPN-based Platform to Detect Information Leakage on Android Devices. In Proc. of ACM SPSM, 2015.Search in Google Scholar

[78] Tapjoy, Inc. Publishers terms of service. https://home.tapjoy.com/legal/publishers-terms-service/, February 16 2016. Accessed: September 29, 2017.Search in Google Scholar

[79] Upsight. COPPA. https://help.upsight.com/api-sdkreference/integration-checklist/#coppa, 2017. Accessed: November 30, 2017.Search in Google Scholar

[80] U.S. Court of Appeals, Ninth Circuit. Oracle USA, Inc. v. Rimini Street, Inc. https://www.eff.org/document/oracle-vrimini-ninth-circuit-opinion. Accessed: March 24, 2018.Search in Google Scholar

[81] U.S. Federal Trade Commission. Coppa safe harbor program. https://www.ftc.gov/safe-harbor-program. Accessed: September 28, 2017.Search in Google Scholar

[82] U.S. Federal Trade Commission. FTC Approves Modifications to TRUSTe’s COPPA Safe Harbor Program. https://www.ftc.gov/news-events/press-releases/2017/07/ftcapproves-modifications-trustes-coppa-safe-harbor-program. Accessed: September 28, 2017.Search in Google Scholar

[83] U.S. Federal Trade Commission. Mobile apps for kids: Disclosures still not making the grade. https://www.ftc.gov/sites/default/files/documents/reports/mobile-apps-kids-disclosures-still-not-making-grade/121210mobilekidsappreport.pdf, December 2012.Search in Google Scholar

[84] U.S. Federal Trade Commission. Children’s online privacy protection rule: A six-step compliance plan for your business. https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance, June 2017. Accessed: November 30, 2017.Search in Google Scholar

[85] E. van der Walt and J. Eloff. Protecting Minors on Social Media Platforms-A Big Data Science Experiment. Technische Berichte des Hasso-Plattner-Instituts für Softwaresystemtechnik an der Universität Potsdam, page 15, 2015.Search in Google Scholar

[86] M. Van Kleek, I. Liccardi, R. Binns, J. Zhao, D.J. Weitzner, and N. Shadbolt. Better the Devil you Know: Exposing the Data Sharing Practices of Smartphone Apps. In Proc. of ACM CHI, 2017.Search in Google Scholar

[87] WiGLE. Wigle: Wirless network mapping. https://wigle.net/. Accessed: September 29, 2017.Search in Google Scholar

[88] P. Wijesekera, A. Baokar, A. Hosseini, S. Egelman, D. Wagner, and K. Beznosov. Android Permissions Remystified: A Field Study on Contextual Integrity. In Proc. of USENIX Security, 2015.Search in Google Scholar

[89] P. Wijesekera, A. Baokar, L. Tsai, J. Reardon, S. Egelman, D. Wagner, and K. Beznosov. The Feasability of Dynamically Granted Permissions: Aligning Mobile Privacy with User Preferences. In Proc. of IEEE Symposium on Security and Privacy (SP), Oakland ’17, 2017.Search in Google Scholar

[90] B. Yankson, F. Iqbal, and P.C.K. Hung. Privacy preservation framework for smart connected toys. In Computing in Smart Toys, pages 149-164. Springer, 2017.Search in Google Scholar

[91] S. Yong, D. Lindskog, R. Ruhl, and P. Zavarsky. Risk Mitigation Strategies for Mobile Wi-Fi Robot Toys from Online Pedophiles. In Proc. of IEEE SocialCom, pages 1220-1223. IEEE, 2011.Search in Google Scholar

[92] S. Zimmeck, Z. Wang, L. Zou, R. Iyengar, B. Liu, F. Schaub, S. Wilson, N. Sadeh, S. M. Bellovin, and J. Reidenberg. Automated Analysis of Privacy Requirements for Mobile Apps. In Proc. of NDSS Symposium, 2017.Search in Google Scholar

[93] S. Zimmeck, Z. Wang, L. Zou, R. Iyengar, B. Liu, F. Schaub, S. Wilson, N. Sadeh, S.M. Bellovin, and J.R. Reidenberg. Automated Analysis of Privacy Requirements for Mobile Apps. In Proc. of NDSS Symposium, 2017.Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo