IMDEA Networks Institute Publications Repository

"Is Our Children's Apps Learning?" Automatically Detecting COPPA Violations

Reyes, Irwin and Wiesekera, Primal and Razaghpanah, Abbas and Reardon, Joel and Vallina-Rodriguez, Narseo and Egelman, Serge and Kreibich, Christian (2017) "Is Our Children's Apps Learning?" Automatically Detecting COPPA Violations. In: Workshop on Technology and Consumer Protection (ConPro 2017), in conjunction with the 38th IEEE Symposium on Security and Privacy (IEEE S&P 2017) , 25 May 2017, San Jose, CA, USA.

[img] PDF ("Is Our Children's Apps Learning?'' Automatically Detecting COPPA Violations ) - Published Version
Download (891Kb)


In recent years, a market of games and learning apps for children has flourished in the mobile world. Many of these often ``free'' mobile apps have access to a variety of sensitive personal information about the user, which app developers can monetize via advertising or other means. In the United States, the Children's Online Privacy Protection Act (COPPA) protects children's privacy, requiring parental consent to the use of personal information and prohibiting behavioral advertising and online tracking. In this work, we present our ongoing effort to develop a method to automatically evaluate mobile apps' COPPA compliance. Our method combines dynamic execution analysis (to track sensitive resource access at runtime) with traffic monitoring (to reveal private information leaving the device and recording with whom it gets shared, even if encrypted). We complement empirical technical observations with legal analysis of the apps' corresponding privacy policies. As a proof of concept, we scraped the Google Play store for apps distributed in categories specifically targeting users under than 13 years of age, which subjects these products to COPPA's regulations. We automated app execution on an instrumented version of the Android OS, recording the apps' access to and transmission of sensitive information. To contextualize third parties (e.g., advertising networks) with whom the apps share information, we leveraged a crowdsourced dataset collected by the Lumen Privacy Tool (formerly Haystack), an Android-based device-local traffic inspection platform. Our effort seeks to illuminate apps' compliance with COPPA and catalog the organizations that collect sensitive user information. In our preliminary results, we find several likely COPPA violations, including omission of prior consent and active sharing of persistent identifiers with third-party services for tracking and profiling of children. These results demonstrate our testbed's capability to detect different types of possible violations in the market for children's apps.

Item Type: Conference or Workshop Papers (Paper)
Uncontrolled Keywords: Privacy, mobile apps, tracking.
Depositing User: Narseo Vallina
Date Deposited: 24 Mar 2017 13:34
Last Modified: 27 Apr 2017 13:27

Actions (login required)

View Item View Item