COPPA Compliance at Scale

Proceedings on Privacy Enhancing Technologies ; 2018 (3):63–83
Irwin Reyes*, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo
Vallina-Rodriguez, and Serge Egelman
“Won’t Somebody Think of the Children?”
Examining COPPA Compliance at Scale
Abstract: We present a scalable dynamic analysis frame-
work that allows for the automatic evaluation of the
1 Introduction
privacy behaviors of Android apps. We use our system
In the United States, there are few comprehensive pri-
to analyze mobile apps’ compliance with the Children’s
vacy regulations. However, one notable exception is the
Online Privacy Protection Act (COPPA), one of the few
Children’s Online Privacy Protection Act (COPPA),
stringent privacy laws in the U.S. Based on our auto-
which regulates how mobile apps, games and websites
mated analysis of 5,855 of the most popular free chil-
are allowed to collect and process personal information
dren’s apps, we found that a majority are potentially in
from children under the age of 13 [22]. COPPA outright
violation of COPPA, mainly due to their use of third-
prohibits certain data collection practices, and requires
party SDKs. While many of these SDKs offer configu-
parental consent for others. Of course, enforcement is a
ration options to respect COPPA by disabling tracking
painstaking process, as investigations generally rely on
and behavioral advertising, our data suggest that a ma-
manual examination of programs and websites to ob-
jority of apps either do not make use of these options
serve violations [83]. In this paper, we apply our An-
or incorrectly propagate them across mediation SDKs.
droid dynamic analysis framework to automate the pro-
Worse, we observed that 19% of children’s apps collect
cess of detecting potential COPPA violations.
identifiers or other personally identifiable information
Most current approaches to detecting suspicious ap-
(PII) via SDKs whose terms of service outright prohibit
plication activity on mobile platforms rely on static
their use in child-directed apps. Finally, we show that
analysis [e.g., 33, 41, 48, 93] or dynamic analysis [e.g.,
efforts by Google to limit tracking through the use of a
28]. However, previous approaches fall short because
resettable advertising ID have had little success: of the
they either do not observe actual violations, and in-
3,454 apps that share the resettable ID with advertis-
stead only detect when a program might contain viola-
ers, 66% transmit other, non-resettable, persistent iden-
tive code (in the case of static analysis), or do not scale
tifiers as well, negating any intended privacy-preserving
(in the case of prior dynamic analysis approaches).
properties of the advertising ID.
We propose a new analysis framework built on prior
DOI 10.1515/popets-2018-0021 work [67, 70, 89], which allows us to monitor actual
Received 2017-11-30; revised 2018-03-15; accepted 2018-03-16. program behavior in realtime and at scale. Our test-
ing platform allows us to examine how often and un-
der what circumstances apps and third-party libraries
access sensitive resources guarded by permissions. By
combining this infrastructure with a modified version of
*Corresponding Author: Irwin Reyes: International Lumen [67], an advanced network monitoring tool, we
Computer Science Institute, E-mail: ioreyes@icsi.berkeley.edu obtain a sophisticated holistic view of when sensitive
Primal Wijesekera: University of British Columbia, E-mail:
data is accessed and where it gets sent.
primal@ece.ubc.ca
Joel Reardon: University of Calgary, E-mail: We show that our test platform could have immedi-
joel.reardon@ucalgary.ca ate impact on the enforcement of and compliance with
Amit Elazari Bar On: University of California, Berkeley, E- COPPA (and other privacy regulations) by automat-
mail: amit.elazari@berkeley.edu ing a largely manual task of identifying potential pri-
Abbas Razaghpanah: Stony Brook University, E-mail:
vacy violations [83]. To give an example: one observa-
arazaghpanah@cs.stonybrook.edu
Narseo Vallina-Rodriguez: IMDEA Networks and
tion generated from our analysis was that 37 apps—
International Computer Science Institute, E-mail: all developed by BabyBus, a company specializing in
narseo.vallina@imdea.org games for young children—did not access the location
Serge Egelman: University of California, Berkeley of the device through the standard Android permissions
and International Computer Science Institute, E-mail: system. Yet, we observed them transmitting hardware
egelman@cs.berkeley.edu
and network configuration details to a Chinese analytics
“Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale 65
what data do they access and with whom do they share 2.1 Enforcement Actions
it) and (ii) direct notice and ask for verifiable parental
consent prior to collection, usage, or disclosure of any The FTC has moved against a number of app developers
PII, and ensure that the consenting party is in fact a le- and third-party service providers for gathering PII from
gal parent or guardian. While the COPPA rule does not children: in 2014, children’s app developer BabyBus re-
require one specific method to obtain consent, it does ceived a warning about its potential collection of geolo-
require the method be “reasonably designed in light of cation data [21]; in 2015, the FTC collected a $360K set-
available technology.” Disclosing personal information to tlement from app studios LAI Systems, LLC and Retro
third parties, such as advertising agencies, requires re- Dream for allowing integrated third-party services to ac-
liable methods of verification of parental consent, such cess and collect persistent identifiers [24]; and in 2016,
as payment systems, signed forms, or phone calls [84]. the ad network InMobi was fined $1 million for gather-
COPPA’s definition of PII is relatively broad, cov- ing the locations of users—including children—without
ering such items as contact information (e.g., email ad- proper consent [23]. While these actions might push de-
dresses and phone numbers), audio or visual recordings, velopers and third-party providers to be more vigilant,
and precise geolocation data (i.e., at the granularity these are isolated incidents. Our work offers a system-
of street name and city/town). Additionally, under the atic analysis of app behaviors that can help to uncover
2013 amendments to the COPPA rule, persistent iden- widespread misbehavior amongst apps, so that regula-
tifiers (e.g., IMEI and MAC addresses) are considered tors and policymakers can improve accountability.
PII if they “can be used to recognize a user over time
and across different websites or online services.”3
There are certain rules that developers and third- 2.2 Industry Response
party services must follow when using legitimately col-
lected PII. Any PII collected from children cannot be While COPPA places liability on operators of child-
used for profiling (e.g., behavioral advertising) or cross- directed services, the law exempts platforms, hosting
device tracking. However, certain limited pieces of PII services, and distribution channels that “merely offer
may be collected without parental consent if the data the public access to someone else’s child-directed con-
is used in “support for the internal operations” of the tent.”5 Still, while the two largest app distribution plat-
service. The regulation defines supporting internal op- forms are therefore exempt, both the Google Play Store
erations as “those activities necessary to:”4 and the Apple App Store have implemented measures
to help developers to comply with the law. Namely, de-
(i) Maintain or analyze the functioning of the Web site or velopers can list their child-directed products in special
online service;
child-targeted categories, provided that they observe re-
(ii) Perform network communications;
(iii) Authenticate users of, or personalize the content on, quirements set by privacy laws and the distribution plat-
the Web site or online service; form’s terms of service. The FTC further clarifies that
(iv) Serve contextual advertising on the Web site or online distribution platforms be mindful of Section 5 of the
service or cap the frequency of advertising; Federal Trade Commission Act, which prohibits decep-
(v) Protect the security or integrity of the user, Web site,
tive practices, and to not “misrepresent the level of over-
or online service;
(vi) Ensure legal or regulatory compliance; or
sight they provide for a child-directed app” [22].6
(vii) Fulfill a request of a child as permitted by §312.5(c)(3) The Google Play Store’s Designed for Families pro-
and (4). gram (DFF) is an optional review process that enti-
tles developers to list compliant apps under those spe-
This exemption allows, for instance, third-party ana- cial family-friendly categories and sections specifically
lytics services to gather persistent identifiers, provided relevant to children under 13. Developers participat-
that no other personal information is associated with ing in DFF agree that “apps submitted to Designed
it, that any identifiers collected are not used to contact for Families are compliant with COPPA and other rel-
or build profiles of specific users (i.e., for behavioral ad- evant statutes, including any APIs that your app uses
vertising), and that this data collection is necessary. to provide the service” [34, 36]. DFF also sets restric-
3 16 C.F.R. §312.2. 5 78 Fed. Reg. 3977.

4 Ibid. 6 78 Fed. Reg. 3978.
3.2 Analysis Environment Our testing pipeline schedules each app to run for
10 minutes on a Nexus 5X, with the Monkey gener-
Our dynamic analysis focuses on two aspects: how apps ating input events during this time period. After each
access sensitive data and with whom they share it. The 10 minute execution slot, logs are generated based on
former is achieved through a custom version of Android, the observed behaviors. After each execution, the device
while the latter is achieved through a custom VPN ser- goes through a cleaning phase to isolate each test run
vice, which acts as a localhost man-in-the-middle proxy. from one another. In the current setup, we can analyze
In our custom Android platform (based on v6.0.1), approximately 1,000 apps/day on 8 phones.
we modified Android’s permission system to enable the One obvious question regarding the Monkey is how
real-time monitoring of apps’ access to protected re- well it is able to uncover the same app functionality that
sources (e.g., location data, address book contacts, etc.). a real user might encounter [2]. Unlike real users, a pseu-
We instrumented all the functions in the Android plat- dorandom input generator does not process app visual
form that access these sensitive resources (i.e., whenever cues. For example, it does not immediately know that it
an app accesses a permission-protected resource, the in- needs to click a button to dismiss a dialog. This might
strumentation logs the access request). By building this result in sub-optimal execution path coverage. There-
capability into the Android platform, we can observe fore, the evaluation presented in this paper is a lower-
any Android app without modifying the app itself. bound of what an app can do while interacting with a
Our framework also includes a modified version of human user: more potential violations are possible due
Lumen [67], a network monitoring tool that captures to the execution paths unexplored by the Monkey.
all network traffic generated by the app being tested. To better understand the effectiveness of the Mon-
Lumen leverages Android’s VPN API to redirect all the key, we compared its performance to that of a human
device’s network traffic through a localhost service that user. We evaluated it both in terms of the number of
inspects all network traffic, regardless of the protocol Android “Activities” uncovered—unique screens within
used, through deep-packet inspection. Lumen installs a an app—as well as the number of data flows recorded.
root certificate in Android’s trusted store so it can also We instructed our human tester to explore each app for
analyze communications protected by TLS (certificate 10 minutes and to manipulate all interactive elements.
pinning notwithstanding) [65]. Similarly, we configured the Monkey to test each app
While there have been some previous attempts at for 10 minutes, producing a random input every second.
monitoring resource usage and data sharing in the We used the Monkey’s built-in options to constrain its
wild [1, 67, 69, 77, 88, 92], we believe that ours is the exploration to the app being tested.
first end-to-end analysis platform that can automati- We performed this parallel testing on an initial cor-
cally monitor when data is first accessed and where it pus of 401 apps in December 2016. When comparing the
is ultimately sent. coverage of each method, the human tester missed 9% of
the Activities that the Monkey uncovered, whereas the
Monkey missed 39% of the Activities that the human
3.3 Automated App Exploration uncovered. That is, the Monkey matched or exceeded
the human’s app screen coverage 61% of the time. In
Since our analysis framework is based on dynamic anal- terms of network flows, the human and Monkey testers
ysis, apps must be executed so that our instrumentation missed 20% and 34%, respectively. Based on this analy-
can monitor their behaviors. Ideally, our testbed would sis, we concluded that the Monkey may incur false neg-
explore the same code paths that would be triggered atives (i.e., not detecting potential privacy violations),
when apps are used normally. but any potential privacy violations uncovered in our
We use Android’s UI/Application Exerciser Mon- testing environment are observations of actual app be-
key (the “Monkey”) [38]—a tool provided by Android’s haviors, so it does not generate false positives. There-
development SDK—to automate and parallelize the ex- fore, the results produced by our method represent a
ecution of apps by simulating user inputs. The Monkey lower bound of potential COPPA violations.
injects a pseudorandom stream of simulated user input
events into the app, thereby simulating random UI in-
teractions; it essentially “fuzzes” an app’s UI. Because
this pseudorandom input is generated from a random
seed, it is also reproducible.
3.4 Post Processing PII Description
AAID Android Advertising ID

The final stage of the pipeline is to analyze the log files Android ID Unique ID created at Android setup
generated by our framework. These logs contain both GSF ID Google Services Framework ID
observed permission requests and network flows. We HW ID Phone hardware ID (serial number)
parse these logs by searching them for custom string IMEI Mobile phone equipment ID
SIM ID SIM card ID
queries depending on the type of data.
MAC Address MAC address of WiFi interface
For permission requests, we search the permission
Email Email address of phone owner
log for output from our instrumentation, which records
Phone # Mobile phone’s number
the type and context under which guarded resources are Latitude, Longitude User location
accessed. For network flows, we search for identifiers as Router MAC Address MAC addresses of nearby hotspots
string values associated to the particular testing device, Router SSID SSIDs of nearby hotspots
such as the phone number, IMEI, MAC address, loca- Table 1. The types of personal information that are detected in
tion, etc., which are listed explicitly alongside each log our analysis logs. The top half of the table lists persistent IDs.
file at the time we perform our experiment. We only re-
port leaks of these identifiers if we find any of them in app), as well as MAC addresses and other PII using
an outgoing flow emitted by the tested app. a Vigenère-style XOR-based encoding using the mask
Because we wrote the instrumentation that moni- “encryptionkey” and a leetspeak mutation of their
tors guarded resource accesses, detecting these accesses company name. Flurry rounds the location coordinates
is straightforward. Finding PII inside network transmis- to three decimals and then sends the binary encoding
sions, however, is a greater challenge because different of the resulting floating-point number. ComScore sends
apps and SDKs use different encodings to transmit PII. the MD5 hash of the hardware serial number by first
Our approach to decoding obfuscated network flows prefixing it with a per-developer secret ID. Two devel-
is to find packets that appear to be sending some mean- opers, Disney and Turner, comprise the majority of apps
ingful data, but for which we were not identifying any using comScore in our dataset, and so we reversed the
PII. We manually inspect and decode this traffic, and secret ID for both developers, compute the resulting
then create regular expressions to automatically decode hashed serial number, and categorize any transmissions
all similarly encoded traffic in the future. Aside from of it as a transmission of the serial number.
standard encodings, such as base64, URL encoding, and Table 1 lists the types of information that we search
HTML character encoding, we also search for permuta- for in our log files. The top half of the table lists spe-
tions of identifiers: upper and lower cases, strings and cific identifiers. The Android Advertising ID (AAID)
binary representations, as well as the values resulting was created by Google as a compromise between allow-
from the MD5, SHA1, and SHA256 hashing algorithms. ing user tracking (e.g., for behavioral advertising and
We observe that these hash functions are intended profiling) and giving users more control over their pri-
to be non-reversible, but the resulting value remains a vacy: users can reset this identifier or check a box to
unique identifier with the same persistent properties as prevent long-term tracking (the latter option causes a
the original, meaning that its suitability for tracking re- “do not track” flag to be transmitted). Of course, if this
mains the same. Moreover, a brute-force search to re- identifier is collected alongside other persistent identi-
verse a hash value is easily feasible for many identifiers fiers, this would undermine the intended privacy pro-
simply because their domain is insufficiently large. Ex- tections. To prevent this, Google’s terms of use indicate
amples of identifiers with a small domain include serial that “the advertising identifier must not be connected
numbers, IMEIs, and phone numbers. to personally-identifiable information or associated with
Additionally, for a handful of advertising and ana- any persistent device identifier (for example: SSAID,
lytics SDKs, we also reversed their use of bespoke en- MAC address, IMEI, etc.) without explicit consent of
codings to transmit PII. For example, ironSource uses the user” [40]. The other identifiers we examine are ei-
AES/CBC with a fixed encryption key (embedded in ther hardware-based and cannot be reset (e.g.,, IMEI,
the SDK) to transmit an initial request for configura- MAC address) or cannot be reset easily: the Android
tion options that includes the advertising ID and some- ID can only be changed via a factory reset, the GSF ID
times other identifiers, including the e-mail address and can be reset by creating a new Google account, and the
IMEI. They use this mechanism despite the use of TLS. SIM ID can be reset by replacing the SIM card.
StartApp sends location data (when available to the
As geolocation coordinates are numerical values, we 4.1.1 Geolocation via Location APIs
detect the presence of geolocation data in network flows
by identifying the latitude and longitude as numbers Geolocation data not only reveals where individuals live,
written out as a string in decimal that matches the in- but could also enable inferences about their socioeco-
teger component and at least the first three decimal val- nomic classes, everyday habits, and health conditions,
ues. We also search for the precise latitude and longitude among others [20]. Such inferences could carry life-long
written as a floating-point number and in binary, as well implications for children. The 2013 revision to COPPA
as those values rounded to 3, 4, and 5 decimal places. was in part motivated by the widespread availability
We require that both the latitude and the longitude ap- of geolocation-enabled mobile apps for children. Un-
pear in the same packet for our instrumentation to con- like other types of identifiers that have exemptions to
sider it a transmission of location. This degree of preci- COPPA’s consent requirements for performing activi-
sion means that our location information was sent with ties like “contextual advertising” or “giving notice” [84],
100 meters of accuracy—well within COPPA’s standard any access to geolocation information requires verifiable
of street-level accuracy [22]. parental consent. That the Monkey was able to trigger
this functionality with random taps and swipes implies
that verifiable parental consent is not being obtained.
Of the 5,855 apps analyzed during the study period,
4 Analysis 706 declared either the access_fine_location or ac-
cess_coarse_location permissions in their mani-
We performed automated analysis on 5,855 Android
fests, which means that they—and their bundled third-
apps that agree to abide by COPPA as part of their in-
party libraries—could potentially access location data.
clusion in the Play Store’s Designed for Families (DFF)
Our instrumentation observed 235 apps (4.0% of 5,855)
program. Of these 5,855 apps, 28% accessed sensitive
actually accessing this data by calling Android location
data protected by Android permissions. We also ob-
APIs that reveal GPS coordinates. These apps had a
served that 73% of the tested applications transmitted
cumulative install count of 172M (an average of 734K).
sensitive data over the Internet.7 While accessing a sen-
Given the lack of verifiable parental consent, just
sitive resource or sharing it over the Internet does not
accessing this data appears to be a potential violation,
necessarily mean that an app is in violation of COPPA,
based on the FTC’s guidance [84]. Furthermore, 184
none of these apps attained verifiable parental consent:
of these apps also transmitted the location data, shar-
if the Monkey was able to trigger the functionality, then
ing it with a median of 3 unique domains. A total of
a child would as well. This suggests that many poten-
107 unique domains received location data from these
tial violations are likely occurring, which we discuss
apps. The most popular destinations were: mopub.com
in the remainder of this paper: we examine access to
(85 apps), aerserv.com (84 apps), skydeo.com (80 apps),
personally-identifiable information, sharing of persistent
youapp.com (80 apps), and inner-active.mobi (76 apps).
identifiers, the timing of when data is transmitted, and
One particularly egregious example is app developer
the effectiveness of the Safe Harbor programs.
TinyLab. We observed that 81 of their 82 apps that we
tested shared GPS coordinates with advertisers. Espe-
cially popular apps included:
4.1 Personal Information
– Fun Kid Racing (v3.12, 10-50M installs): GPS
In this section, we present our results regarding apps’ data shared with ads.aerserv.com (non-TLS),
use of geolocation and contact information. From the location-api.skydeo.com, and sdk.youappi.com
5,855 applications tested, we found: 256 apps (4.4% of
– Fun Kid Racing–Motocross (v3.12, 10-50M in-
5,855) collecting geolocation data or data sufficient to
stalls): GPS data shared with ads.aerserv.com
infer it; 107 sharing the device owner’s email address;
(non-TLS), location-api.skydeo.com,
and 10 sharing the phone number.
sdk.youappi.com, and sdkng.youappi.com
– Motocross Kids–Winter Sports (v3.15,
5-10M installs): GPS data shared with
7 Some of the COPPA-governed resources are not controlled
by Android permissions (e.g., access to many of the persistent
wv.inner-active.mobi (non-TLS),
identifiers), which is why we observed many more examples of c.adsymptotic.com (non-TLS), sdk.youappi.com,
data exfiltration than access to permission-protected resources. and location-api.skydeo.com
Many of the companies receiving location data are cially when collected over time and across locations. Re-
advertising firms whose business models rely on user trieving the names of saved networks does not require
profiling to perform behavioral advertising, which is ex- an app to hold location privileges either. Because string
plicitly prohibited by COPPA. It is particularly impor- searching for SSID names is prone to false positives, we
tant to note that MoPub, the most popular destination manually verified that the SSID values we discovered
for location data among children’s apps, clearly states were indeed valid transmissions. We found 148 apps en-
in their terms of service that their service should not gaging in this behavior, including:
be used by any app that collects data from anyone un-
der 13 [61], likely because their privacy policy explicitly – Disney’s “Where’s My Water? Free” (v1.10.0,
states that collected data may be used for behavioral 100–500M installs): Wi-FI router name transmitted
advertising. We discuss the use of prohibited libraries to control.kochava.com
in more detail in Section 4.3.1. – Tiny Lab’s “Motocross Kids–Winter Sports”
(v2.4.2, 10–50M installs): Wi-FI router name trans-
mitted to api.greedygame.com
4.1.2 Wi-Fi Router Geolocation
As an alternative to querying a phone’s GPS hardware, 4.1.3 Contact Information

apps can retrieve the MAC address of the currently-
connected Wi-Fi hotspot to infer a user’s location with Android API access to contact information is pro-
street-level precision. This is because Wi-Fi hotspots tected by two different permissions: get_accounts
tend to have fixed locations and MAC addresses that can identify email addresses and other accounts
uniquely identify them. Developers and tracking services (e.g., Twitter username) accessed by the device, and
can use Wi-Fi-based geocoding services, such as the read_phone_state can read the device’s phone num-
Google Maps Geolocation API [37] or WiGLE.net [87], ber. Out of the 5,855 applications we tested, 775 de-
to map these MAC addresses to GPS coordinates. clared the get_accounts permission, which means
This technique allows app developers to determine that 13% could access contact information. Subse-
the user’s location without explicitly asking for the lo- quently, we observed 254 apps (4.3%) actually accessing
cation permission or triggering the location notification this information during testing. Similarly, 1,780 appli-
icon. The FTC has been pursuing companies engaging cations declared the read_phone_state permission,
in this deceptive practice. For instance, in 2016, they and we observed 634 (10.8%) actually accessing infor-
reached a $1M settlement with InMobi over this [23]. mation protected by this permission. The mere collec-
To identify children’s apps that potentially engage tion of this information may not be a violation of the
in Wi-Fi geolocation, we searched network flows for law by itself, since there are several limited exemptions
MAC addresses and SSIDs of the currently-connected for collecting contact information without first attain-
Wi-Fi router. We observed 101 children’s apps sharing verifiable parental consent [84].
ing Wi-Fi router MAC addresses with third parties. However, the transmission of contact information,
The most common recipients were: greedygame.com in particular to third parties, may be more indica-
(61 apps), startappservice.com (60 apps), startappex- tive of a potential COPPA violation. Our testing found
change.com (57 apps), kochava.com (30 apps), and app- 107 children’s apps that transmitted the device owner’s
nxt.net (13 apps). Example apps include: email address to remote servers. The five most common
destinations were: appspot.com (79 apps), tinylabpro-
– Yousician’s “Guitar Tuner Free— ductions.com (19 apps), google.com (10 apps), sky-
GuitarTuna” (v4.3.6, 10–50M installs): Wi-Fi deo.com (5 apps), and drgames.fr (3 apps). The trans-
router MAC transmitted to control.kochava.com mission of phone numbers was less common: just 10 out
– TabTale’s “Pop Girls–High School Band” of the 5,855 children’s apps shared this data with remote
(v1.1.9, 1–5M installs): Wi-FI router MAC trans- services. The following domains received phone num-
mitted to init.startappservice.com bers: drgames.fr (3 apps), cafe24.com (2 apps), oneau-
dience.com (2 apps), gameloft.com (1 apps), and mam-
Although not as distinct as Wi-Fi router MAC ad- abearapp.com (1 app).
dresses, human-readable network names (SSIDs) can
still allow some inferences about users’ locations, espe-
4.2 Insecure Transmissions Service Name App Count Total Terms

Installs of Service
COPPA requires that children’s apps “must establish
Crashlytics 300 556M [39]
and maintain reasonable procedures to protect the con- Supersonic / ironSource 466 481M [47]
fidentiality, security, and integrity of personal informa- Tapjoy 101 386M [78]
tion collected from children.”8 To examine apps’ com- MoPub 148 296M [61]
pliance with this clause, we examined the usage of TLS, Inneractive 180 239M [46]
Heyzap 263 150M [44]
when transmitting any type of personal information (in-
Appnext 46 55M [6]
cluding persistent identifiers). Overall, we observed that Amplitude 17 52M [4]
2,344 DFF apps do not use TLS in at least one trans- Branch 19 42M [12]
mission containing identifiers or other sensitive informa- Appboy 1 10K [5]
tion (40.0% of 5,855 apps analyzed). This number also
likely represents an upper bound on usage of reasonable Table 2. Most popular third-party service bundled in apps target-
procedures to transmit personal information, because ing children under 13, whose terms of service prohibit their ser-
we did not examine whether apps that do use TLS are vice from being used in children’s apps.
doing so correctly (e.g., proper validation) [65]. Given

that TLS is the standard method for securely transmit-
ting information, it could be argued that almost half poses. Similarly, many third-party SDKs include docu-
the apps we examined are not taking “reasonable pro- mentation that explains how app developers can make
cedures to protect the confidentiality, security, and in- use of certain configuration options to disable user pro-
tegrity of personal information collected from children.” filing and behavioral advertising. In this section, we
identify apps that use third-party SDKs that are poten-
tially violating COPPA based on their privacy policies
4.3 Persistent Identifiers and terms of service, we examine whether app develop-
ers make proper use of configuration options designed to
Persistent identifiers in Android can be used to identify prevent COPPA violations, and then we examine pro-
devices and their users over time and across different hibited uses of the Android Advertising ID (AAID).
services (Table 1). Using persistent identifiers without
verifiable parental consent is allowed under COPPA, as
long as the identifiers are being used for “internal opera- 4.3.1 Verboten SDKs
tions,” which the Rule has defined to include “serv[ing]
contextual advertisements” [84]. Contextual advertise- We examined the most popular third parties receiving
ments refer to ads that are targeted only based on the data from the children’s apps that we tested, and iden-
type of app or service being used, without regard for the tified several that specifically prohibit developers from
user’s behaviors or previous interactions: behavioral ad- using these services in children’s apps. Excerpts from
vertising and user profiling are explicitly prohibited. these agreements are included in Appendix A. Some
Definitively determining whether a persistent iden- services’ privacy policies explicitly state that collected
tifier is being used to serve contextual versus behavioral data may be used for COPPA-prohibited purposes. For
ads is likely impossible, as it would require knowing a instance, MoPub’s privacy policy specifically mentions
third party’s internal business practices. that data may be used “to infer interests and serve ads
However, by examining which identifiers are be- to users based on their app and website activity and in-
ing shared with which remote services, we can identify ferred interests” [60].
potential violations. For instance, when identifiers are Table 2 lists the third-party SDKs whose terms of
shared with companies whose primary business models service prohibit their use in children’s apps. The table
are to perform user profiling or behavioral advertising, shows the number of apps in our dataset using each
and those companies explicitly prohibit the use of their SDK, the total number of installs of those apps, and
SDKs in children’s apps, that would suggest that the a reference to the SDK’s terms of service. Overall, we
identifiers are being used for COPPA-prohibited pur- observed that 1,100 (18.8% of 5,855) apps transmitted
persistent identifiers to at least one of these third par-
ties. These apps have collectively seen ∼1.6B installs.
8 16 C.F.R. §312.8.
Some examples of popular apps doing this include:
– Duolingo (v3.58.0, 100-500M installs): AAID, An- same developer’s “Princess Salon: Frozen Party” (v1.2,
droid ID, and serial number (HW ID) are sent to 10M installs) sends “COPPA=false.” We detected the
reports.crashlytics.com Facebook API being used in 1,280 children’s apps we
– Gameloft’s Minion Rush (v2.7.5b, 100-500M in- tested (21.9% of 5,855): 342 have the COPPA value set
stalls): Android ID sent to content.tapjoy.com, to “false,” 75 send the value as “true,” 27 are inconsis-
connect.tapjoy.com, and ws.tapjoyads.com tent within single tests or across versions, and 836 never
– Disney’s Where’s My Water (v1.10.0, 100-500M send this flag. If we take COPPA=false or unset as poten-
installs): AAID sent to ads.mopub.com tial violations, then this suggests that 92% of the apps
that use the Facebook API may be using it for COPPA-
While we cannot definitively know whether or prohibited activities (whether intentionally or not).
not these third parties are using this information for This is not an isolated example, as we have seen
COPPA-prohibited practices, such as behavioral adver- this in other apps and SDKs: 57 apps—of which 56 are
tising, their terms of service and privacy policies suggest by Tiny Lab—sent COPPA flags to Mediabrix, with 56
that violations are likely. sending “coppa:true” and 1 sending “coppa:false”;
and 76 apps received ad data from Fyber, an ad media-
tor, containing GET requests to angsrvr.com, of which
4.3.2 Client-Side COPPA Options 19 had “ang_coppa=yes” and 57 “ang_coppa=no.”
In our corpus, 12 apps transmitted data to Upsight,
Some third-party SDKs offer client-side options—SDK who also offers developers configuration options to be
methods and parameters that can be invoked by app COPPA compliant. Of these, only one app transmitted
developers in their app code—that allow developers to the opt_out=1 or opt_out=true flag [79], while 9 others
configure the SDKs to be COPPA-compliant. To use all set the flag to either “0” or “false,” indicating user
these, developers will often pass parameters when ini- tracking would occur (the remaining 2 had inconsistent
tializing the SDK. Later, when host apps communicate flags). The 9 apps with “0” or “false” are reported to
with the SDK’s servers, they transmit flags alongside be installed on over 19M devices in the U.S.
the persistent identifiers to indicate that tracking and We also observed 318 children’s apps transmitting
behavioral advertising should be disabled for that par- data to Kochava, which is an “attribution provider.” At-
ticular user (or ideally, these options may result in apps tribution providers measure the success of ad campaigns
not sending certain identifiers altogether). Our testing that promote other apps by tracking whether users ulti-
environment is able to detect the presence of these op- mately install an advertised app. It is not clear how this
tions in outgoing traffic. Of course, to detect a partic- process is compliant with COPPA, given that it involves
ular SDK’s client-side options, we first need to know tracking user behavior (going well beyond the mere serv-
the format in which these flags appear in traffic to the ing of contextual ads), and it is unclear how it is nec-
server (e.g., as keys within JSON objects, HTTP GET essary under the “internal operations” exemptions we
variables, etc.). This involves reading SDK documenta- listed in Section 2. Nonetheless, Kochava offers an opt-
tion to understand each SDK’s available configuration out flag so that app developers can limit the tracking
options, but once known, we can then search our entire of their app’s users (app_limit_tracking=true/false).
results database for the presence of that SDK’s flags We observed 43 children’s apps transmit this flag with
across any number of apps. a value of “false,” whereas the remaining 275 did not
For example, the Facebook API, a service providing transmit the flag at all. We did, however, observe two
social media integration along with targeted advertise- instances of apps limiting user tracking with this flag
ments and audience insights, includes a flag in ad re- when looking beyond our corpus of children’s apps.
quests indicating if the host application is a children’s
app [29]: The HTTP request to Facebook’s servers in-
cludes the parameter “...&COPPA=true&...” 4.3.3 Server-Side COPPA Options
Unfortunately, few developers appear to use these
configuration options. In the case of the Facebook API, Some SDKs require app developers to use server-side
this flag is not consistently set to “true” across our cor- options to indicate that children are among their apps’
pus of children’s apps, even among apps by the same users: the developer visits a website—such as an online
developer: Libii’s “Princess Libby & Vampire Princess configuration dashboard—and selects an option to indi-
Bella” (v1.2, 1M installs) sends “COPPA=true,” while the cate that COPPA-prohibited behaviors should be dis-
time
phase 1 phase 2 phase 3 CDF of the fraction of destations contacted before using the app
(i) before start (ii) before usage (iii) after usage
1.0
30 seconds 10 minutes
0.8
phone app is app is app is used for app is stopped
boots installed started the first time log data is collected
0.6
fraction of apps
Fig. 4. Timeline for Monkey runs. (i) The time when the app is
installed but before it is started. (ii) The time after the app is
started, but before the Monkey starts interacting with the app.
0.4
(iii) The time when the Monkey is interacting with the app.
vertising and long-term tracking. All in all, we observed All app

Apps with 10 or more dests
0.2
2,281 children’s apps transmit the AAID alongside an- Apps with 50 or more dests
other more persistent identifier to the same destination.

This represents approximately 39% of our corpus that
0.0
does not appear to follow Google’s terms of service.
0.0 0.2 0.4 0.6 0.8 1.0
fraction of destinations contacted
4.4 Timing of Data Exfiltration

Fig. 5. Distribution of apps as measured by the fraction of do-
mains that they first contact during the time after the app is
During initial testing, we observed that many apps started, but before any user interaction has occurred. We charac-
transmitted PII immediately upon launch—before any terize all apps, as well as the subset of apps that contact at least
user interaction whatsoever. Because this happens im- 10 destinations and 50 destinations.
mediately, there is no opportunity for verifiable parental Additionally, we examined how children’s apps con-
consent (or rather, any type of consent). Transmitting nected to remote services during phase 2. Figure 5 illus-
PII without interaction also eases concerns that the trates the distribution of apps measured by the fraction
automated Monkey testing is missing important code of remote domains they contact just by starting the app
paths that lead to transmissions. (out of all the domains they contact). The Y-axis rep-
To quantify the degree to which this is happening, resents the space of all apps, and the X-axis represents
we measured the prevalance of apps connecting to desti- the space of domains. As many of our corpus apps have
nations prior to any user input. Figure 4 illustrates how multiple versions, we use results from the most-recent
we divide outgoing transmissions into one of three non- version for each app.
overlapping phases: phase 1 begins after installing the We found that 5,296 children’s apps (i.e., over 90%
app, phase 2 begins after starting the app, and phase of our corpus) contact remote destinations. Of those,
3 begins after interacting with the app. Our system in- 2,858 contact at least 10 different destinations, and 114
tentionally provides a 30-second delay before providing that contact at least 50. Figure 5 tells us that nearly half
input events, and so we use the first 25 seconds as a safe of the apps contact half their destinations in phase 2.
bound to categorize transmissions in phase 2. Phase 3 That is, these apps do so on their own prior to providing
begins afterwards and lasts about ten minutes. notice or obtaining consent.
As expected, we found no PII transmissions occur-
ing in phase 1. We therefore categorize the remaining
transmissions as either never occuring in phase 2 or oc- 4.5 Safe Harbor
curing in phase 2. That is, an app may send the location
repeatedly while running, but we consider this trans- The COPPA rules specify a “Safe Harbor” program that
mission to occur in phase 2 provided we observe at least allows companies to submit the children’s apps and web-
one transmission prior to any interaction and therefore sites they develop for review by a designated organiza-
without any opportunity for parental consent. Out of tion. This organization then evaluates the app or web-
the apps that send PII, only 13% can be said to never site for COPPA compliance. Under the program, any
send PII in phase 2, the rest had some version that sent company that receives approval under the Safe Harbor
PII before any consent was possible. program is less directly subject to FTC enforcement ac-
tions. The goal of the program is to allow companies to Name (n) Loc./Contact Identifiers non-TLS
implement self-regulatory guidelines that provide “the
Integrity (1) - - -
same or greater protections for children,” as compared
CARU (66) 1 (1.5%) 38 (57.6%) 25 (37.9%)
to what is required under COPPA [82]. Operators under ESRB (43) 1 (2.3%) 27 (62.8%) 12 (27.9%)
a Safe Harbor program are subjected to more lenient en- iKeepSafe (4) 1 (25.0%) 2 (50.0%) -
forcement procedures, prior to any formal enforcement kidSAFE (42) 4 (9.5%) 29 (69.0%) 6 (14.3%)
from the FTC. As of March 2018, the FTC has desig- PRIVO (57) 7 (12.3%) 44 (77.2%) 23 (40.4%)
TRUSTe (24) 10 (41.7%) 16 (66.7%) 11 (45.8%)
nated seven companies as Safe Harbor providers [81]:
Table 4. List of COPPA Safe Harbor organizations and the num-
– Integrity (Aristotle International, Inc.) ber of certified apps from each that we were able to analyze. The
– Children’s Advertising Review Unit (CARU) other columns enumerate the number of apps transmitting lo-
cation or contact information (phone number or email address),
– Entertainment Software Rating Board (ESRB)
persistent identifiers, and not using TLS.
– iKeepSafe
– kidSAFE COPPA compliance. It is also likely that the remaining
– Privacy Vaults Online, Inc. (d/b/a PRIVO) 13 companies only developed child-directed websites or
– TRUSTe iOS apps, and not apps for the Android platform; sev-
eral other companies’ privacy policies stated that their
We examined whether apps certified by these seven TRUSTe seals only apply to their websites, whereas we
organizations exhibit better behavior with regards to also found several TRUSTe-certified companies that de-
the collection and sharing of personal information than veloped iOS games with no Android counterparts.
our full set of children’s apps. Table 4 lists the number of certified apps that we
Identifying certified apps is not straightforward: found, along with their respective certifying organiza-
with the exception of kidSAFE [74] and CARU [18], tions. Overall, given that the Safe Harbor program aims
none of these organizations list the apps or develop- to create privacy practices that go above and beyond
ers that they have certified (some organizations cer- COPPA’s minimum requirements, we were surprised
tify a developer’s practices, and therefore all apps by that the privacy practices of these apps—in aggregate—
that developer are implicitly certified, whereas oth- were quite similar to the practices of the other apps in
ers certify apps individually). As a result, we per- our DFF dataset, which we presented earlier. For in-
formed several web searches to find companies that stance, 156 apps (65.8% of 237) transmitted persistent
had either listed the certifying organizations in their identifiers, including 151 (63.7% of 237) that transmit-
privacy policies, displayed their seals online, or via ted non-AAID identifiers that may be in violation of
searches for the verification URLs. For instance, de- Google’s policies. Of these, 77 (49.4% of 150) did so
velopers certified by ESRB post a seal on their web- without using TLS (i.e., unencrypted). That is to sug-
sites that leads to a verification URL of the form, gest, these apps are arguably not taking “reasonable”
http://www.esrb.org/confirm/*.aspx. By searching precautions to secure personal information [22], which
Google and Archive.org for URLs of this form (e.g., itself may be a potential COPPA violation.
on Google, site:http://www.esrb.org/confirm/), we The Safe Harbor apps also used several forbidden
were able to identify 43 apps certified by ESRB. Using third-party SDKs—SDKs whose terms of service pro-
these techniques, we ultimately found 237 free children’s hibit their inclusion in children’s apps—that we de-
apps for Android across the 7 Safe Harbor organizations. scribed in Section 4.3.1. Notably, 78 apps (32.9% of 237)
Our sample size of 237 may seem small, especially transmitted identifiers to at least one of the forbidden
when considering the number certified by each organi- advertising and analytics providers:
zation individually. However, all available evidence sug-
gests that few apps are certified by these services. For
instance, TRUSTe’s CEO disclosed in April 2017 that – MoPub (31 apps) – Inneractive (6 apps)
they have only certified 20 companies [8]. The 24 apps – Crashlytics (29 apps) – Amplitude (2 apps)
that we were able to associate with TRUSTe certifica- – Tapjoy (26 apps) – Heyzap (2 apps)
tion represent 7 of those companies. This is likely repre- – ironSource (19 apps) – Appboy (1 app)
sentative, as this corresponds to 35% of all the compa- – Branch (9 apps)
nies that TRUSTe has claimed to have ever certified for
In terms of transmitting personal information with- Network monitoring is another dynamic analysis
out consent, there is little (or no) difference between the technique, which measures how mobile apps interact
certified apps and the DFF corpus. For instance, eight with remote services. This is valuable, as 99% of PII
apps (3.4% of 237 vs. 3.1% of 5,855 in the full corpus) leaks occur via Internet traffic [52]. Previous work has
transmit GPS coordinates, 4 transmit email addresses already identified the main stakeholders in the collec-
(1.7% of 237 vs. 1.8% of 5,855 in the full corpus), how- tion of PII [66] and has characterized prevalent patterns
ever none transmitted phone numbers. We also observed and concerns [68, 69, 77, 86].
15 apps (6.3% of 237 vs. 3.0% of 5,855) gathering the While dynamic analysis provides empirical observa-
MAC address or SSID of the Wi-Fi hotspot, which could tions of PII leaks occurring under actual use, it requires
be used to surreptitiously track location. that the app is actually executed. To help automate
Overall, these observations corresponded to 24 this process, researchers have developed tools to simu-
unique apps (10.1% of 237; double the rate of the DFF late user actions [15, 38, 42, 50, 55, 68]. The Android
corpus) transmitting PII (i.e., location data or contact Monkey that we use in this work is one such system.
information) without consent. While some (or all) of The research presented in this paper builds on our
these might be exempted under COPPA for various rea- prior privacy-monitoring tools [67, 70, 89], providing us
sons that are not apparent to us, we believe it is impor- with an automated, scalable, and holistic view of how
tant to note that the privacy behaviors of the certified apps access and share sensitive data.
apps are not appreciably better than those of children’s
apps that have not been certified under Safe Harbor pro-
grams (and may be worse). We have listed the details 5.2 Children’s Applications
of some of these potential violations in Appendix B.
Previous efforts have studied COPPA and children’s
apps from various perspectives. Several researchers have
analyzed a range of threats to minors in online social
5 Related Work media platforms [56, 85], websites [10, 14], and smart
toys [58, 90, 91], as well as the appropriateness of in-
In this section, we summarize relevant prior work on
app ads targeting children [17]. Previous work also ex-
performing privacy analyses on mobile apps and on
amined risks posed by third-party components bundled
identifying potential COPPA violations.
in children’s apps, with a focus on targeted advertise-
ments [11, 53]. Other research has focused on methods
aiding developers to make their apps more child-friendly
5.1 Privacy Analysis of Mobile Apps
in terms of content and privacy [45, 51].
COPPA requires developers of children’s apps to of-
Prior work has studied how mobile apps access personal
fer privacy policies that clearly explain their data us-
data using one of two techniques: static and dynamic
age and sharing practices. Parsing and properly un-
analysis. Static analysis evaluates software without ac-
derstanding privacy policies, however, is widely con-
tually executing it, instead inspecting the app’s binary
sidered a hard problem due to policies’ complex legal
or source code. Call graph analysis is the most common
language [43, 57, 63, 64, 71]. Recent work applied ma-
technique used in static analysis for analyzing the use
chine learning and static analysis to show that only 36%
of sensitive resources [3, 7, 49, 93]. Static analysis tech-
of apps tested meet COPPA’s privacy policy require-
niques, however, do not produce observations of privacy
ments [92]. We compliment this work by focusing on
violations. Instead, they only suggest that a violation is
actual app behaviors that are likely to violate COPPA,
possible provided that the code actually executes.
rather than on the apps’ stated privacy policies.
Dynamic analysis is performed at runtime, leverag-
ing instrumented code to track sensitive data in mem-
ory or to intercept system calls that expose sensitive
information. Taint analysis is a popular dynamic analy- 6 Discussion
sis technique [28, 33]. However, it can be inefficient and
prone to control flow attacks [9, 75]. Higher-level code We present the first large-scale dynamic analysis of chil-
instrumentation is a better alternative due to readily dren’s apps. Our main objective was to deploy an auto-
available system info [25, 88] and is transparent to apps. mated system to analyze—at scale—how these apps are
complying with COPPA. We identified several concern- we tested engage in this practice. Google could do a
ing violations and trends: clear violations when apps more active vetting process by using its existing app
share location or contact information without consent auditing tools to detect these types of policy violations
(4.8%), sharing of personal information without apply- and to take proper actions—whether internally or re-
ing reasonable security measures (40.0%), potential non- porting them to relevant authorities.
compliance by sharing persistent identifiers with third Third-party services could also take measures to
parties for prohibited purposes (18.8%), and ignorance prevent COPPA violations. SDKs that prohibit inclu-
or disregard for contractual obligations aimed at pro- sion in child-directed apps receive app names amongst
tecting children’s privacy (39.0%). Overall, roughly 57% the data flowing to their servers. This implies that these
of the 5,855 child-directed apps that we analyzed are SDK providers have actual data that can reasonably
potentially violating COPPA. suggest whether their SDKs are being used in child-
directed apps. In fact, many of these companies are in
the business of collecting app intelligence and therefore
6.1 Preventing Potential Violations have access to data such as app categories and keywords,
which can be used to infer whether a given app is in-
To help parents understand the privacy implications of deed designed for children. Using the data they already
the apps used by their children, we have made our re- have, these SDKs could simply deny service to known
sults available online (https://www.appcensus.mobi/). children’s apps or even automatically adjust their data
Beyond parents, however, each stakeholder (i.e., app collection to be in compliance with COPPA.
developers, distribution channels, third-party libraries, App developers and SDKs currently have a finan-
and regulators) in this ecosystem could take actions to cial incentive to ignore potential violations: limiting
prevent the potential violations that we identified. data collection or the uses for collected data results in
For its part, Google already has taken steps to en- decreased revenues (i.e., behavioral advertising yields
force COPPA compliance: the Designed for Families higher returns than contextual advertising). Despite
program presents developers of children’s apps with in- these financial incentives, we suspect that many privacy
formation on COPPA and requires that they certify violations are unintentional and caused by misunder-
that they are in compliance. However, as our results standings of third-party SDKs. Due to technologies like
show, there appears to not be any (or only limited) en- ad mediation, many of the third parties receiving user
forcement. Google already performs static and dynamic data are selected dynamically at runtime. For this rea-
analysis on apps submitted to the Play Store [54], so it son, we suspect that most app developers cannot iden-
should not be hard for them to augment this analysis tify all the third parties who may receive user data from
to detect non-compliant entities. their apps, and are even less likely to understand each
For instance, despite InMobi being sanctioned over SDK’s possible COPPA configuration options. Nonethe-
its deceptive collection of location data [23], we observed less, app developers are still liable for the behaviors of
two children’s apps still using a version of the InMobi SDKs they embed in their apps. Thus, app developers
SDK that continued this practice (“Angry Bunny Race: could benefit from our tools by allowing them to test
Jungle Road” by Tiny Lab Productions and “Candy’s the privacy behaviors of their apps prior to release.
Airport” by Libii). Similarly, several third-party SDKs Similarly, our tools could benefit regulators in in-
prohibit being used in children’s apps. However, use of vestigating the market for noncompliance, by making it
these libraries is rampant (18.8% of 5,855). One of these easier for them to detect violations and bring enforce-
SDKs, Crashlytics, is even owned by Google. Given ment actions. If these enforcement actions are brought
Google’s infrastructure and internal data on DFF par- publicly, it may motivate other app developers to pay
ticipation, it would likely be trivial for them to detect more attention to the privacy behaviors of their apps.
the use of known non-compliant or prohibited libraries While the FTC’s Safe Harbor program was cre-
and notify the app developers or take actions. ated to help developers get their apps certified for com-
Similar analysis could be used to enforce Google’s pliance, few apps are actually certified. Moreover, we
own policies. Google prohibits apps from transmit- showed that potential violations are prevalent among
ting the privacy-preserving Android Advertising ID certified apps. Based on our data, it is not clear that
(AAID) alongside other persistent identifiers [40]. Yet, industry self-regulation has resulted in higher privacy
as we showed, sending non-AAID identifiers is rampant standards; some of our data suggest the opposite. Thus,
among Android apps: roughly 39% of the children’s apps industry self-regulation appears to be ineffective.
6.2 Limitations and Future Work responsive or trigger the use of a sensitive resource. An-
other possibility is to augment the Monkey with crowd-
In this paper, we do not mean to show definitive legal sourced input from remote human users.
liability, nor do we offer legal advice: we draw atten- Similarly, while we contend that our approach is
tion to potential COPPA rule violations, as detected by much more accurate in detecting violations than static
our methods, designed from our understanding of the analysis approaches, we believe that these approaches
law and constrained by technical limitations. COPPA are complementary. In fact, our discovery that Star-
includes language that outlines exemptions to some of tApp was using a Vigenère-style encryption of location
its requirements, and so our system is unable to account and router MAC address data was due to manual static
for the full range of possibilities that those exemptions analysis, which helped to uncover hidden sensitive flows
may cover. Establishing legal liability requires nuanced from our stored execution logs.
case-by-case analysis of individual products and prac- Our analysis is based on COPPA’s requirements,
tices, which is beyond the scope of this work. but there are other relevant privacy regulations govern-
Regarding the ethics of this research, corporations ing mobile apps that our system could support, such as
are not people, and so IRB approval was not sought. The California’s Online Privacy Protection Act (CalOPPA)
Electronic Communications Privacy Act does not ap- and the European Union’s General Data Protection
ply,9 because our tools do not analyze or observe human Regulation (GDPR) and ePrivacy directives. Our frame-
communications. As to the Computer Fraud and Abuse work can be easily extended to other regulations.
Act (CFAA),10 our tools merely execute apps as a user Finally, our layered architecture is easily extensible
would and make no attempt to access restricted content. to analyze a much larger quantity of apps. We are in the
As to terms of service issues, randomizing program in- process of migrating the system to a parallelized virtual
puts (i.e., the “Monkey”) for research is common prac- setup, enabling us to run hundreds of simultaneous An-
tice [50], and courts have routinely held that breaches droid instances. This will also enable us to perform lon-
of terms of service are not CFAA violations [26, 27, 80]. gitudinal analyses to examine mobile privacy trends.
Finally, we believe this research is exempt from the Digi-
tal Millennium Copyright Act,11 because it is legitimate
security research in the public interest, devices and soft- 6.3 Conclusion
ware were lawfully acquired, and no laws were violated.
We note that the Monkey does not exhaustively ex- Our work stands apart from prior research due to
ecute all code paths in apps. While it does find a num- our system’s ability to uncover potential privacy issues
ber of potential privacy violations, many more may ex- prevalent in large numbers of children’s apps. Given the
ist. Moreover, some apps have complex UI elements that number of children’s apps and a complex third-party
require precise sequences of inputs to activate. These ecosystem, analysis at scale is important to properly
include sliders, timed events, parental gates, and login understand the privacy landscape. Although we cannot
screens. Given the Monkey’s lack of awareness of what know the true number of children’s apps in the Play
is on the screen, it is unlikely to progress past such el- Store, we believe that our results are representative,
ements. Additionally, our current method of inspecting given that the apps that we examined represent the
TLS-encrypted traffic cannot decrypt traffic from apps most popular free ones.
that implement certificate pinning; however, this has We believe that this work illustrates the utility of
only a minor impact on our results, as only 9 services our automated app analysis testbed which, with further
(e.g., Yandex, AppoDeal, and TabTale) support some development, will have impact on multiple stakehold-
form of pinning that could evade our traffic analysis. ers. End-users can examine our results to understand
As such, our results should be taken as a lower the privacy behaviors of the apps they use (or plan to
bound of privacy-relevant events. One opportunity for use). Developers can use our testing infrastructure to
future work is using static analysis to refine the Monkey, assess how well their apps comply with their privacy
better directing it to the areas of the screen likely to be policies and regulatory requirements, prior to releasing
those apps to the public. Finally, regulators can use it
to detect deceptive and suspicious activities in the mar-
9 18 U.S.C. §2510 et seq. ketplace as part of investigations.
10 18 U.S.C. §1030.
11 17 U.S.C. §1201.
“Won’t Somebody Think of the Children?”Examining COPPA Compliance at Scale 79
[15] P. Carter, C. Mulliner, M. Lindorfer, W. Robertson, and

Acknowledgments E. Kirda. CuriousDroid: Automated User Interface Interac-
tion for Android Application Analysis Sandboxes. In Proc. of
This research was supported by NSF grants CNS- FC, 2016.
1318680 and CNS-1564329, the Data Transparency Lab, [16] L. Cavallaro, P. Saxena, and R. Sekar. On the Limits of In-
DHS contract FA8750-16-C-0140, and the Center for formation Flow Techniques for Malware Analysis and Con-
tainment. In Proc. of DIMVA, pages 143–163. Springer-
Long-Term Cybersecurity (CLTC) at U.C. Berkeley. We
Verlag, 2008.
would like to thank Jianan Amber Lu and Ehimare [17] Y. Chen, S. Zhu, H. Xu, and Y. Zhou. Children’s Exposure
Okoyomon for their assistance, Joe Calandrino for feed- to Mobile In-App Advertising: An Analysis of Content Ap-
back, as well as Refjohürs Lykkewe. propriateness. In Proc. IEEE SocialCom, 2013.
[18] Children’s Advertising Review Unit. Supporters. http:
//www.caru.org/support/supporters.aspx. Accessed:
September 29, 2017.
References [19] Class Twist, Inc. Privacy policy. https://www.classdojo.
com/privacy/, September 14 2017. Accessed: September 29,
[1] H. Almuhimedi, F. Schaub, N. Sadeh, I. Adjerid, A. Ac- 2017.
quisti, J. Gluck, L. Cranor, and Y. Agarwal. Your Loca- [20] U.S. Federal Trade Commission. FTC Testifies on Geolo-
tion has been Shared 5,398 Times! A Field Study on Mobile cation Privacy. https://www.ftc.gov/news-events/press-
App Privacy Nudging. Technical Report CMU-ISR-14-116, releases/2014/06/ftc-testifies-geolocation-privacy. Accessed:
Carnegie Mellon University, 2014. September 29, 2017.
[2] D. Amalfitano, A. R. Fasolino, and P. Tramontana. A GUI [21] U.S. Federal Trade Commission. FTC Warns Children’s App
Crawling-Based Technique for Android Mobile Application Maker BabyBus About Potential COPPA Violations, 2014.
Testing. In Proc. of IEEE ICSTW, 2011. [22] U.S. Federal Trade Commission. Complying with COPPA:
[3] D. Amalfitano, A. R. Fasolino, P. Tramontana, B. D. Ta, Frequently Asked Questionss, 2015.
and A. M. Memon. MobiGUITAR: Automated Model-Based [23] U.S. Federal Trade Commission. Mobile Advertising Network
Testing of Mobile Apps. IEEE Software, 2015. InMobi Settles FTC Charges It Tracked Hundreds of Millions
[4] Amplitude, Inc. Privacy policy. https://amplitude.com/ of Consumers’ Locations Without Permission, 2016.
privacy, February 12 2017. Accessed: September 29, 2017. [24] U.S. Federal Trade Commission. Two App Developers Set-
[5] Appboy, Inc. Terms of Service. https://www.appboy.com/ tle FTC Charges They Violated Children’s Online Privacy
legal/, September 1 2017. Accessed: September 29, 2017. Protection Act. https://www.ftc.gov/news-events/press-
[6] Appnext Ltd. Terms & conditions – publishers. https: releases/2015/12/two-app-developers-settle-ftc-charges-
//www.appnext.com/terms-conditions/, October 1 2017. they-violated-childrens, 2016. Accessed: September 26,
Accessed: September 29, 2017. 2017.
[7] K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. PScout: [25] M. Conti, B. Crispo, E. Fernandes, and Y. Zhauniarovich.
Analyzing Android Permission Specification. In Proc. of Crêpe: A system for Enforcing Fine-grained Context-related
ACM CCS, 2012. Policies on Android. IEEE Transactions on Information
[8] C. Babel. Protecting kids’ privacy – an ever-evolving effort. Forensics and Security, 2012.
http://www.trustarc.com/blog/2017/04/06/protecting- [26] Electronic Frontier Foundation. United States v. David
kids-privacy-ever-evolving-effort/, April 6 2017. Accessed: Nosal. https://www.eff.org/cases/u-s-v-nosal, 2015.
September 29, 2017. [27] Electronic Privacy Information Center (EPIC). hiQ Labs,
[9] G. S. Babil, O. Mehani, R. Boreli, and M. A. Kaafar. On Inc. v. LinkedIn Corp. https://epic.org/amicus/cfaa/
the Effectiveness of Dynamic Taint Analysis for Protecting linkedin/, 2017.
Against Private Information leaks on Android-based Devices. [28] W. Enck, P. Gilbert, B. Chun, L. P. Cox, J. Jung, P. Mc-
In Proc. of SECRYPT, 2013. Daniel, and A. N. Sheth. TaintDroid: An Information-flow
[10] F. Bélanger, R. E. Crossler, J. S. Hiller, J. Park, and M. S. Tracking System for Realtime Privacy Monitoring on Smart-
Hsiao. Pocket: A tool for protecting children’s privacy on- phones. In Proc. of USENIX OSDI, 2010.
line. Decision Support Systems, 2013. [29] Facebook. Coppa an - facebook audience net. https://
[11] R. Bhoraskar, S. Han, J. Jeon, T. Azim, S. Chen, J. Jung, developers.facebook.com/docs/audience-network/coppa.
S. Nath, R. Wang, and D. Wetherall. Brahmastra: Driving Accessed: November 30, 2017.
Apps to Test the Security of Third-Party Components. In [30] FamilyTime. App privacy policy. https://familytime.io/
USENIX Security Symposium, 2014. legal/app-privacy-policy.html, March 28 2015. Accessed:
[12] Branch Metrics, Inc. Terms & policies. https://branch.io/ September 29, 2017.
policies/, May 16 2017. Accessed: September 29, 2017. [31] Finny Inc. Privacy policy. https://www.myfinny.com/
[13] Buongiorno UK Limited. Privacy. http://www.kidzinmind. privacypolicy, March 7 2016. Accessed: September 29, 2017.
com/uk/privacy. Accessed: September 29, 2017. [32] Fuel Powered, Inc. Terms of service. https://www.
[14] X. Cai and X. Zhao. Online Advertising on Popular Chil- fuelpowered.com/tos, March 23 2017. Accessed: September
dren’s Websites: Structural Features and Privacy Issues. 29, 2017.
Computers in Human Behavior, 2013. [33] C. Gibler, J. Crussell, J. Erickson, and H. Chen. Androi-
dLeaks: Automatically Detecting Potential Privacy Leaks in
“Won’t Somebody Think of the Children?”Examining COPPA Compliance at Scale 80
Android Applications on a Large Scale. In Proc. of TRUST. of IEEE PST, 2014.

Springer-Verlag, 2012. [52] M. Lindorfer, M. Neugschwandtner, L. Weichselbaum,
[34] Google, Inc. Coppa compliance and child-directed apps | Y. Fratantonio, V. van der Veen, and C. Platzer. Andrubis -
families and coppa - developer policy center. https://play. 1,000,000 Apps Later: A View on Current Android Malware
google.com/about/families/coppa-compliance/. Accessed: Behaviors. In Proc. of IEEE BADGERS Workshop, 2014.
November 26, 2017. [53] M. Liu, H. Wang, Y. Guo, and J. Hong. Identifying and
[35] Google, Inc. Distribution of android versions. http: Analyzing the Privacy of Apps for Kids. In Proc. of ACM
//developer.android.com/about/dashboards/index.html. Ac- HotMobile, 2016.
cessed: March 21, 2018. [54] H. Lockheimer. Android and security. http://googlemobile.
[36] Google, Inc. Program requirements | families and coppa - blogspot.com/2012/02/android-and-security.html, February
developer policy center. https://play.google.com/about/ 2 2012.
families/designed-for-families/program-requirements/. Ac- [55] A. Machiry, R. Tahiliani, and M. Naik. Dynodroid: An In-
cessed: September 26, 2017. put Generation System for Android Apps. In Proc. of the
[37] Google, Inc. The Google Maps Geolocation API. https: Joint Meeting on Foundations of Software Engineering
//developers.google.com/maps/documentation/geolocation/ (ESEC/FSE), 2013.
intro. Accessed: September 29, 2017. [56] M. Madden, A. Lenhart, S. Cortesi, U. Gasser, M. Duggan,
[38] Google, Inc. UI/Application Exerciser Monkey. https:// A. Smith, and M. Beaton. Teens, Social Media, and Privacy.
developer.android.com/tools/help/monkey.html. Pew Research Center, 21:2–86, 2013.
[39] Google, Inc. Crashlytics agreement. https://try.crashlytics. [57] A.K. Massey, J. Eisenstein, A.I. Antón, and P.P. Swire. Au-
com/terms/terms-of-service.pdf, January 27 2017. Ac- tomated Text Mining for Requirements Analysis of Policy
cessed: September 29, 2017. Documents. In Proc. of IEEE Requirements Engineering
[40] Google, Inc. Usage of android advertising id. https:// Conference (RE), 2013.
play.google.com/about/monetization-ads/ads/ad-id/, 2017. [58] E. McReynolds, S. Hubbard, T. Lau, A. Saraf, M. Cakmak,
Accessed: November 30, 2017. and F. Roesner. Toys That Listen: A Study of Parents,
[41] M. I. Gordon, D. Kim, J. Perkins, Gilhamy, N. Nguyenz, and Children, and Internet-Connected Toys. In Proc. of ACM
M. Rinard. Information-Flow Analysis of Android Applica- CHI, 2017.
tions in DroidSafe. In Proc. of NDSS Symposium, 2015. [59] Miniclip SA. Miniclip privacy policy. https://www.miniclip.
[42] S. Hao, B. Liu, S. Nath, W. G.J. Halfond, and R. Govindan. com/games/page/en/privacy-policy/, October 29 2014.
PUMA: Programmable UI-automation for Large-scale Dy- Accessed: September 29, 2017.
namic Analysis of Mobile Apps. In Proc. of ACM MobiSys, [60] MoPub Inc. Mopub privacy policy. https://www.mopub.
2014. com/legal/privacy/, July 19 2017. Accessed: November 30,
[43] H. Harkous, K. Fawaz, K. G Shin, and K. Aberer. PriBots: 2017.
Conversational Privacy with Chatbots. In Proc. of USENIX [61] MoPub Inc. Mopub terms of service. https://www.mopub.
SOUPS, 2016. com/legal/tos/, August 22 2017. Accessed: September 29,
[44] Heyzap, Inc. Heyzap sdk. https://www.heyzap.com/legal/ 2017.
heyzap_sdk, April 24 2014. Accessed: September 29, 2017. [62] NFL Enterprises LLC. Nfl.com privacy policy. http:
[45] B. Hu, B. Liu, N. Z. Gong, D. Kong, and H. Jin. Protecting //www.nfl.com/help/privacy, September 15 2017. Accessed:
your Children from Inappropriate Content in Mobile Apps: September 29, 2017.
An Automatic Maturity Rating Framework. In Proc. of ACM [63] A. Oltramari, D. Piraviperumal, F. Schaub, S. Wilson,
CIKM, 2015. S. Cherivirala, T.B. Norton, N.C. Russell, P. Story, J. Rei-
[46] Inneractive Ltd. Inneractive general terms. http://inner- denberg, and N. Sadeh. PrivOnto: A Semantic Frame-
active.com/terms-of-use/, September 24 2017. Accessed: work for the Analysis of Privacy Policies. Semantic Web,
September 29, 2017. (Preprint), 2016.
[47] ironSource Ltd. Privacy policy. https://www.supersonic. [64] I. Pollach. What’s wrong with online privacy policies? Com-
com/privacy-policy/, July 14 2016. Accessed: September 29, mun. ACM, 50(9):103–108, September 2007.
2017. [65] A. Razaghpanah, A. Niaki, N. Vallina-Rodriguez, S. Sun-
[48] J. Kim, Y. Yoon, K. Yi, and J. Shin. ScanDal: Static An- daresan, J. Amann, and P. Gill. Studying TLS Usage in An-
alyzer for Detecting Privacy Leaks in Android Applications. droid Apps. In Proc. of ACM CoNEXT, 2017.
IEEE MoST, 2012. [66] A. Razaghpanah, R. Nithyanand, N. Vallina-Rodriguez,
[49] I. Leontiadis, C. Efstratiou, M. Picone, and C. Mascolo. S. Sundaresan, M. Allman, C. Kreibich, and P. Gill. Apps,
Don’t kill my ads! Balancing Privacy in an Ad-Supported Trackers, Privacy, and Regulators: A Global Study of the
Mobile Application Market. In Proc. of ACM HotMobile, Mobile Tracking Ecosystem. In Proc. of NDSS Symposium,
2012. 2018.
[50] C. M. Liang, N. D. Lane, N. Brouwers, L. Zhang, B. F. [67] A. Razaghpanah, N. Vallina-Rodriguez, S. Sundaresan,
Karlsson, H. Liu, Y. Liu, J. Tang, X. Shan, R. Chandra, and C. Kreibich, P. Gill, M. Allman, and V. Paxson. Haystack:
F. Zhao. Caiipa: Automated Large-scale Mobile App Testing In Situ Mobile Traffic Analysis in User Space. arXiv preprint
Through Contextual Fuzzing. In Proc. of ACM MobiCom, arXiv:1510.01419, 2015.
New York, NY, USA, 2014. [68] J. Ren, M. Lindorfer, D. J. Dubois, A. Rao, D. Choffnes,
[51] I. Liccardi, M. Bulger, H. Abelson, D. J. Weitzner, and and N. Vallina-Rodriguez. Bug Fixes, Improvements,... and
W. Mackay. Can Apps Play by the COPPA Rules? In Proc. Privacy Leaks. In In. Proc. of NDSS Symposium, 2018.
[69] J. Ren, A. Rao, M. Lindorfer, A. Legout, and D. Choffnes. [85] E. van der Walt and J. Eloff. Protecting Minors on Social
ReCon: Revealing and Controlling Privacy Leaks in Mobile Media Platforms-A Big Data Science Experiment. Technis-
Network Traffic. In In Proc. ACM MobiSys, 2016. che Berichte des Hasso-Plattner-Instituts für Softwaresys-
[70] I. Reyes, P. Wijesekera, A. Razaghpanah, J. Reardon, temtechnik an der Universität Potsdam, page 15, 2015.
N. Vallina-Rodriguez, S. Egelman, and S. Kreibich. “Is Our [86] M. Van Kleek, I. Liccardi, R. Binns, J. Zhao, D.J. Weitzner,
Children’s Apps Learning?” Automatically Detecting COPPA and N. Shadbolt. Better the Devil you Know: Exposing the
Violations. In IEEE ConPro, 2017. Data Sharing Practices of Smartphone Apps. In Proc. of
[71] N. Sadeh, A. Acquisti, T. D Breaux, L. Cranor, A. M. Mc- ACM CHI, 2017.
Donald, J. R. Reidenberg, N. A. Smith, F. Liu, N. C. Rus- [87] WiGLE. Wigle: Wirless network mapping. https://wigle.
sell, F. Schaub, et al. The Usable Privacy Policy Project. net/. Accessed: September 29, 2017.
Technical report, Technical Report, CMU-ISR-13-119, [88] P. Wijesekera, A. Baokar, A. Hosseini, S. Egelman, D. Wag-
Carnegie Mellon University, 2013. ner, and K. Beznosov. Android Permissions Remystified: A
[72] Samet Privacy, LLC. Official membership page. https: Field Study on Contextual Integrity. In Proc. of USENIX Se-
//www.kidsafeseal.com/certifiedproducts/kidzinmind_app. curity, 2015.
html. Accessed: September 29, 2017. [89] P. Wijesekera, A. Baokar, L. Tsai, J. Reardon, S. Egelman,
[73] Samet Privacy, LLC. Official membership page. https: D. Wagner, and K. Beznosov. The Feasability of Dynami-
//www.kidsafeseal.com/certifiedproducts/familytime_app. cally Granted Permissions:
html. Accessed: September 29, 2017. Aligning Mobile Privacy with User Preferences. In Proc. of
[74] Samet Privacy, LLC. Member list. https://www.kidsafeseal. IEEE Symposium on Security and Privacy (SP), Oakland
com/certifiedproducts.html, 2011. Accessed: November 30, ’17, 2017.
2017. [90] B. Yankson, F. Iqbal, and P.C.K. Hung. Privacy preservation
[75] E.J. Schwartz, T. Avgerinos, and D. Brumley. All You Ever framework for smart connected toys. In Computing in Smart
Wanted to Know About Dynamic Taint Analysis and For- Toys, pages 149–164. Springer, 2017.
ward Symbolic Execution (but Might Have Been Afraid to [91] S. Yong, D. Lindskog, R. Ruhl, and P. Zavarsky. Risk Miti-
Ask). In Proc. of the IEEE Symposium on Security and Pri- gation Strategies for Mobile Wi-Fi Robot Toys from Online
vacy (SP), Oakland ’10, 2010. Pedophiles. In Proc. of IEEE SocialCom, pages 1220–1223.
[76] Sirsi Corporation. Legal & privacy terms. http://www. IEEE, 2011.
sirsidynix.com/privacy, April 23 2004. Accessed: September [92] S. Zimmeck, Z. Wang, L. Zou, R. Iyengar, B. Liu,
29, 2017. F. Schaub, S. Wilson, N. Sadeh, S. M. Bellovin, and J. Rei-
[77] Y. Song and U. Hengartner. PrivacyGuard: A VPN-based denberg. Automated Analysis of Privacy Requirements for
Platform to Detect Information Leakage on Android De- Mobile Apps. In Proc. of NDSS Symposium, 2017.
vices. In Proc. of ACM SPSM, 2015. [93] S. Zimmeck, Z. Wang, L. Zou, R. Iyengar, B. Liu,
[78] Tapjoy, Inc. Publishers terms of service. https://home. F. Schaub, S. Wilson, N. Sadeh, S.M. Bellovin, and J.R.
tapjoy.com/legal/publishers-terms-service/, February 16 Reidenberg. Automated Analysis of Privacy Requirements
2016. Accessed: September 29, 2017. for Mobile Apps. In Proc. of NDSS Symposium, 2017.
[79] Upsight. COPPA. https://help.upsight.com/api-sdk-
reference/integration-checklist/#coppa, 2017. Accessed:
November 30, 2017.
[80] U.S. Court of Appeals, Ninth Circuit. Oracle USA, Inc. v.
Rimini Street, Inc. https://www.eff.org/document/oracle-v- A SDK Terms of Use
rimini-ninth-circuit-opinion. Accessed: March 24, 2018.
[81] U.S. Federal Trade Commission. Coppa safe harbor pro-
Crashlytics: Developer further agrees it will not inte-
gram. https://www.ftc.gov/safe-harbor-program. Accessed:
September 28, 2017. grate the Software into any Application or Beta Applica-
[82] U.S. Federal Trade Commission. FTC Approves Modifica- tion (i) with end users who Developer has actual knowl-
tions to TRUSTe’s COPPA Safe Harbor Program. https: edge are under the age of 13, or (ii) that may be deemed
//www.ftc.gov/news-events/press-releases/2017/07/ftc- to be a “Web site or online service directed to children”
approves-modifications-trustes-coppa-safe-harbor-program.
as defined under the Children’s Online Privacy Protec-
Accessed: September 28, 2017.
[83] U.S. Federal Trade Commission. Mobile apps for
tion Act of 1998 (“COPPA”) and the regulations pro-
kids: Disclosures still not making the grade. https: mulgated thereunder. [39]
//www.ftc.gov/sites/default/files/documents/reports/ MoPub: Supply Partners who sign up using this website
mobile-apps-kids-disclosures-still-not-making-grade/ may not provide MoPub with data from end users under
121210mobilekidsappreport.pdf, December 2012. age 13. Supply Partners must not register for MoPub’s
[84] U.S. Federal Trade Commission. Children’s online privacy
services using this website if any of their apps are either:
protection rule: A six-step compliance plan for your business.
https://www.ftc.gov/tips-advice/business-center/guidance/ (1) directed to children under age 13 (even if children
childrens-online-privacy-protection-rule-six-step-compliance, are not the app’s primary audience), or (2) collect in-
June 2017. Accessed: November 30, 2017.
formation from children that Supply Partners know are such request originated from a child under the age of 13
under age 13. [61] or 16 (as applicable) and will not transmit any “Per-
Tapjoy: Publisher represents, warrants, and covenants sonal Information” (as defined under COPPA) or per-
that (i) its Application(s) are not and shall not during sonal data as defined under the applicable EU Directive
the Term be directed to users under 13 years of age; about or relating to an individual under the age of 13 or
(ii) Publisher does not as of the date Publisher creates 16 (as applicable) to Inneractive. [46]
a Publisher Account, and will not during the Term, col-
lect, use, or disclose personal information from any end
user known to Publisher to be a child under 13. [78]
Branch: Except as expressly permitted under these
B Safe Harbor Violations
Terms, you will not, and will not permit anyone else
– Finny (com.app.psvbalance, v4.1): Certi-
to:...(g) use the Services in connection with any Apps
fied by PRIVO [31]. Location data is sent to
or websites that are directed to children under 13. [12]
dev.appboy.com, which is a third party not dis-
Supersonic / ironSource: The Services are not di-
closed in Finny’s privacy policy.
rected to children under the age of 13 and children under
– KidzInMind (com.buongiorno.kim, v6.2.1e):
the age of 13 should not use any portion of the Services.
Certified by kidSAFE [72]. Email address is sent to
ironSource also does not knowingly collect or maintain
client-api.newton.pm. The privacy policy states
personal information collected online from children un-
that they “do not knowingly collect or solicit infor-
der the age of 13, to the extent prohibited by the Chil-
mation from children and minors” [13], despite the
dren’s Online Privacy Protection Act. Nor do we know-
fact that they are collecting PII without verifiable
ingly create profile segments of children under 13 years
parental consent from a child-directed app.
of age. [47]
Heyzap: You must not include functionality in your – ClassDojo (com.classdojo.android, v4.6.3):
application and/or website that requests or collects per- Certified by iKeepSafe [19]. Location data is sent to
sonal identification information from users who You api.amplitude.com, whose privacy policy prevents
know or have reason to know may be under the age of it from being used in child-directed apps [4].
13. [44] – Rail Rush (com.miniclip.railrush, v1.9.12):
Amplitude: Amplitude.com and the Services are not Certified by CARU [18]. Location data is sent
intended for anyone under the age of 13. Amplitude does to ads.aerserv.com, analytics.mopub.com, and
not knowingly collect information from anyone under ads.mopub.com, the latter of which is sent over port
the age of 13. No one under the age of 13 may access 80 (unencrypted). MoPub’s terms of service pro-
or use the Services to provide Amplitude with personally hibits its inclusion in child-directed apps [61]. Email
identifiable information. [4] address is transmitted to api.fuelpowered.com,
Appboy: You shall not knowingly collect Personal In- which does not “knowingly collect personal data
formation of children under the age of 13. If the Cus- from children under the age of 13” [32]. The game’s
tomer Application is developed, marketed, advertised or privacy policy says that it does “not disclose per-
directed to children under 13, or if the Customer Appli- sonal data of users under 13 years of age to any
cation collects Personal Information of children under third parties” [59].
13, You represent that it has parental consent to collect – NFL Draft (com.nfl.mobile.draft, v5.29.36):
such Personal Information of children under 13. [5] Certified by TRUSTe [62]. The privacy policy states
Appnext: Company represents and warrants that its that “the TRUSTe program covers only informa-
Property...does not contain any Objectionable Content, tion that is collected through our Services that
and is not directed to or primarily appeals to children link to this Privacy Policy” (the app links to
under the age of 13... [6] this privacy policy, suggesting it is covered by the
Inneractive: the App and its Content:...is not an on- TRUSTe program) [62]. Location data is sent to
line service directed to children (“Child-Directed”) un- placebubble.gimbal.com. The privacy policy fur-
der the age of 13 or 16 as determined by the applicable ther states that this information may be used for
data protection law ( e.g.,. EU Directive 2016/679; Chil- “geographically relevant advertising” [62], which is
dren Online Privacy Protection Act – “COPPA”), and likely a prohibited practice.
to the extent that the App is Child-Directed, you will – NFL Emojis (com.swyft.nfl, v1.1): Certi-
notify Inneractive in writing with each Ad request that fied by TRUSTe [62]. Email address is sent to
control.kochava.com, which is not a third party

named in the privacy policy [62].
– FamilyTime Parental Controls & Time
Management App (io.familytime.dashboard,
v1.3.3.142): Certified by kidSAFE [73]. Email ad-
dress is sent to admin.appnext.com, an advertising
SDK, whose terms of service state that an app using
it “is not directed to or primarily appeals to chil-
dren under the age of 13” and that the app “shall
not provide to Appnext any data regarding children
under the age of 13” [6]. Appnext is not listed in the
FamilyTime privacy policy [30].
– BookMyne (sirsidynix.bookmyne, v4.1.1):
Certified by TRUSTe [76]. Location data is sent
to bookmyne.bc.sirsidynix.net, which is not dis-
closed in their privacy policy [76].

COPPA Compliance at Scale

Uploaded by

Copyright:

Available Formats

COPPA Compliance at Scale

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

COPPA Compliance at Scale

Uploaded by

Copyright:

Available Formats

Proceedings on Privacy Enhancing Technologies ; 2018 (3):63–83

3 16 C.F.R. §312.2. 5 78 Fed. Reg. 3977.

3.4 Post Processing PII Description

AAID Android Advertising ID

As an alternative to querying a phone’s GPS hardware, 4.1.3 Contact Information

4.2 Insecure Transmissions Service Name App Count Total Terms

doing so correctly (e.g., proper validation) [65]. Given

vertising and long-term tracking. All in all, we observed All app

other more persistent identifier to the same destination.

fraction of destinations contacted

4.4 Timing of Data Exfiltration

[15] P. Carter, C. Mulliner, M. Lindorfer, W. Robertson, and

Android Applications on a Large Scale. In Proc. of TRUST. of IEEE PST, 2014.

control.kochava.com, which is not a third party

You might also like

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.