Android apps improperly tracking kids' data, says study
The researchers found that the worst offenders, constituting five percent of the sample, collected location or contact data without verifiable parent consent.
Google is looking into the findings of a new study that says thousands of the most popular free kids' apps in its Google Play store may be illegally tracking their young users — without getting parents' permission first.
Researchers at the University of California's International Computer Science Institute analyzed 5,855 of the most downloaded kids' apps, concluding that most of them "are potentially in violation" of the Children's Online Privacy Protection Act of 1998, or COPPA, a federal law making it illegal to collect personally identifiable data on children under 13.
In addition, almost half of that sample didn’t follow standard security measures for sending sensitive data online, potentially in violation of the data security measures required by COPPA.
Some of the potentially problematic apps identified by the researchers included TabTale’s “Pop Girls–High School Band,” Disney’s “Where’s My Water?” and Tiny Lab’s “Motocross Kids–Winter Sports,” as well as Yousician’s “Guitar Tuner Free—GuitarTuna.”
Some of the apps were "transmitting location data, where you go, potentially where you live," said study co-author Serge Egelman, director of privacy research at the International Computer Science Institute.
Other information that some of the apps transmitted included names, phone numbers, email addresses and serial numbers or other codes that could be used to identify the device. Even if the data gathered only contained a string of numbers and letters as part of an identification code, tracking companies could partner with third-party data brokers to connect that code with other slices of information collected — and form a complete user profile to deliver targeted advertising.
"There's no way for the average consumer to tell an app can do this," Egelman told NBC News. The solution? "Don't use apps," said Egelman. Instead, it's up to regulators to get involved, he said.
Each app had been installed by users more than 750,000 times on average, the researchers wrote.
Whereas Apple iOS users do have a function where they can "reset" the advertising identification token by digging into their settings (Settings -> Privacy -> Advertising -> Reset Advertising Identifier -> Reset Identifier), Egelman said the Android system has more persistent identifiers that can't be changed.
His group is maintaining a website where parents can research kids' apps and see whether and what kind of privacy issues they may have, Appcensus.mobi.
In a statement, Google said it's taking the researchers' report "very seriously and looking into their findings." The company said "Protecting kids and families is a top priority" and promised to "take action" on any app that violates its policies.
The Federal Trade Commission, which enforces COPPA, didn't immediately respond to an NBC News request for comment.