- A great majority of mobile apps intended for kids offer no privacy information, feds say
- There is a lack of enforcement on developers having to disclose the information their apps collect
- Always review the permissions an app requests before your kid downloads and installs
Is that app you just downloaded surreptitiously gathering data to push targeted ads to your 6-year-old? Quite possibly.
According to a new Federal Trade Commission report, the vast majority of the thousands of mobile apps intended for children offer no privacy information, which makes it hard for parents to make informed decisions about which apps are safe to let their kids use.
In July, FTC staff searched Apple's and Google's app marketplaces for the term "kids" and found nearly 12,000 apps. They then randomly selected 200 kids' apps from each store and examined the information provided in the store about each app. They also visited developers' web pages for the apps.
According to the FTC, in most cases "staff was unable to determine from the promotion pages whether the apps collected any data at all -- let alone the type of data collected, the purpose of the collection, and who collected or obtained access to the data."
Specifically, the promotion pages for Apple apps contained almost no relevant language regarding app data collection or sharing. In the Android market, only three of the app pages examined offered even minimal information beyond the general "permission" statements Google requires. And even those only mentioned that the app provided information to an ad network -- without identifying which information was being collected, by whom, how it was to be used and whether it's shared with other parties.
This is an issue not just for smartphone apps, but for tablets as well. According to new Nielsen Company research, 70% of adults who own tablets and who also have children under 12 report that their kids use their tablet. Of these, 77% said their kids play games downloaded to the tablet, and 57% report that their kids use educational tablet apps. Also, tablets help keep kids quiet and content: 55% of tablet-owning parents report that their tablet keeps kids entertained while traveling, and 41% let their kids entertain themselves on the tablet in restaurants.
Don't Apple and Google require developers to disclose that information about their apps? Apparently, not really.
According to the FTC: "Although the app store developer agreements require developers to disclose the information their apps collect, the app stores do not appear to enforce these requirements. This lack of enforcement provides little incentive to app developers to provide such disclosures and leaves parents without the information they need."
What types of mobile privacy incursions most concern FTC as far as kids are concerned?
First, there's the ability to make purchases within an app. "For example, a storybook application may come with a single story, but then allow the app user to purchase additional stories without having to leave the app."
Connecting with social media also can be an issue, especially with games that allow kids to share their scores on Facebook or other social networks. (Yes, you're supposed to be at least 13 years old to have a Facebook account, but last year a study found that more than half of kids age 10-14 had a Facebook account by age 12.)
Some mobile apps can also access geolocation or contact information stored on a phone.
But the most likely privacy issues for app-using kids involve advertising. FTC identified a few main concerns: "First, parents may want to limit the data collected by advertisers and ad networks about their children. Second, even if the advertising is not based on any information collected by the user, parents may want to limit their children's exposure to ads."
One of the most common permissions that mobile apps request is the ability to connect to the Internet. There are many legitimate reasons for apps -- even an app for kids -- to do this. However, this can also be the conduit for sharing information back to app developers, ad networks, or even criminals who plant trojan-infected apps in app markets.
Also, the FTC notes that "ads running inside an app may incorporate various capabilities allowing the user to do things like directly call phone numbers or visit websites appearing in the ad." These options can even incur extra charges on your phone bill.
In general, mobile advertising has been getting more aggressive. One of the most annoying recent trends is the push ad -- which mainly affects Android phones. Some apps include advertising from mobile ad networks that can actually make ads appear in your phone's notification bar, place ad-enabled search icons on your home screen, or even modify settings in your mobile browser. It can be difficult to tell which apps are causing these problems. Lookout Mobile Security recently debuted a Push Ad Detector to help Android users figure out which apps might be the culprit.
FTC staff did not download or test these apps. Nor did they view the app information via a mobile device; this research was all conducted on desktop computers. The information available through the mobile interface to an app marketplace can be different from what you'd see on a computer.
In general, it's a good idea to always review the permissions an app requests before you download and install it. For instance, should a "cute kitties" mobile game really need access to your phone's contact list or location data?
The FTC notes that both Apple and Google offer some controls that allow parents to restrict which apps can be downloaded onto their kids' mobile devices. These are based on app content ratings, which probably would not catch most privacy issues related to mobile advertising.
Furthermore, the Apple iOS mobile operating systems lets parents password-protect access to specific apps and mobile websites (such as the mobile Safari Web browser or YouTube) -- or even the App Store itself, as well as the camera, location sharing and in-app purchase mechanisms.
Android doesn't have built-in parental controls, but several Android apps offer various types of parental controls.
If Apple and Google (and other app markets, such as those for Amazon's Kindle Fire tablet and the Barnes & Noble Nook Color) don't start requiring more privacy information from app developers and making it easier for parents to find and understand, it's possible the FTC might start cracking down on app developers.
In September 2011, the FTC settled its first legal action against a mobile app developer in enforcement of the Children's Online Privacy Protection Act. According to the consent decree, the developer (W3 Innovations, which also has done business under the name "Broken Thumbs Apps") was ordered to start publishing information about the kinds of data collected via their apps and how that data is shared, to get parental consent before collecting any new data, and to delete all the data they had collected so far -- plus pay a $50,000 fine.
The opinions expressed in this post are solely those of Amy Gahran.