Privacy leaks are still rampant in kids' apps, FTC reports

An evaluation of apps aimed at children finds that most do not apply the restrictions on disseminating personal information required by law

Parents beware: Many iPhone and Android apps designed for children are playing fast and loose with privacy, according to the Federal Trade Commission.

The FTC just released a survey (PDF) on kids' apps in Apple's App Store and the Google Play Store for Android. Of the 400 apps surveyed, 60 percent sent out the device ID, mainly to third parties such as ad networks or analytics companies.

Although the IDs alone don't provide any personal information, some ad networks may store these IDs alongside more sensitive data, such as email addresses or social networking details. In that sense, they can act as a "key" to more data, as The Wall Street Journal points out. Apple, at least, is phasing out the Unique Device Identifier, or UDID, in favor of a method that isn't tied to personal information.

But device IDs aren't the only point of concern. Here are the other key findings from the FTC's survey:

  • 58 percent of apps contained advertising, but only about a quarter of those apps gave any indication prior to download.
  • 22 percent of apps contained links to social networking services, but only 40 percent of them gave advance warning to the downloader.
  • 3.5 percent of apps transmitted the device's geolocation and/or phone number along with the device ID.
  • Only 20 percent of apps disclosed any information about their privacy policies.

Among the apps that did disclose their privacy policies, many of them simply offered links filled with legal jargon instead of clear answers, the FTC's report says.

As for in-app purchases, 17 percent of the apps surveyed allow the purchase of virtual goods within the app. Both the Google Play Store and iOS App Store state when in-app purchases are present, but the indicators aren't always prominent and may be hard to understand, says the FTC. (Fortunately, both Google and Apple allow parents to password-protect all purchases.)

Little progress

The FTC, which issued an initial survey six months ago, says it's disappointed with its latest findings.

"Industry appears to have made little or no progress in improving its disclosures since the first kids' app survey was conducted, and the new survey confirms that undisclosed sharing is occurring on a frequent basis," the FTC's report says.

To improve the situation, the FTC wants the app industry to develop "best practices" to protect privacy, and says it will launch its own consumer education efforts. The agency will also investigate "certain entities in the mobile app marketplace" to see if any of them have violated the Children's Online Privacy Protection Act, or have engaged in unfair or deceptive practices. The report doesn't call out any specific apps.

On the bright side, some efforts by Apple and Google may help. In iOS 6, Apple added the capability to limit ad tracking (under Settings > General > About > Advertising) and to restrict access to location and other personal data (under Settings > Privacy). Google has added new restrictions for app developers to crack down on privacy violations, and allows users to turn off personalized AdMob ads under Google Play settings.

Device makers could also put forth more concerted efforts to create kid-friendly environments. Amazon's subscription-based FreeTime Unlimited service is a good example: it provides pre-screened apps for kids that have no advertisements or social media links. The Kid's Corner feature in Windows Phone 8 also creates a safer environment for kids, with social media sharing disabled, but it doesn't control advertising behavior.

Those types of features at the operating system level may be more effective in the end than trying to shame app developers into behaving. With so many apps on the market, the FTC may always find room for disappointment.

Stories by Jared Newman
