Consumer Privacy and Security Issues #13

Submission Number:
Irwin Reyes
International Computer Science Institute
Initiative Name:
Consumer Privacy and Security Issues
"Is Our Children's Apps Learning?" Automatically Detecting COPPA Violations Primal Wijesekera, Abbas Razaghpanah, Joel Reardon, Irwin Reyes, Narseo Vallina-Rodriguez, Serge Egelman, Christian Kreibich In recent years, a market of games and learning apps for children has flourished in the mobile world. Many of these often "free" mobile apps have access to a variety of sensitive personal information about the user, which the app author can leverage to increase revenue via advertising or other means. In the United States, the Children's Online Privacy Protection Act (COPPA) protects children's privacy, requiring parental consent to the use of personal information and prohibiting behavioral advertising and online tracking. In this work, we present our ongoing effort to develop a method to automatically evaluate mobile apps' COPPA compliance. Our method combines dynamic execution analysis (to track sensitive resource access at runtime) with traffic monitoring (to reveal private information leaving the device and recording with whom it gets shared, even if encrypted). We complement our empirical technical observations with legal analysis of the apps' corresponding privacy policies. As a proof of concept, we scrape the Google Play store for apps that declare their target group to be less than 13 years of age, which subjects them to COPPA's regulations. We automate app execution on an instrumented version of the Android OS, recording the apps' access to and trans- mission of sensitive information. To contextualize third par- ties (e.g., advertising networks) with whom the apps share information, we leverage a crowdsourced dataset collected by Haystack, our Android-based device-local traffic inspection platform. Our effort illuminates apps' compliance with COPPA and catalogs the organizations that collect sensitive user information. We find several likely COPPA violations in our preliminary corpus, including omission of prior con- sent and active sharing of persistent identifiers with third-party services for tracking and profiling of children. (Submitted to the Workshop on Data and Algorithmic Transparency 2016, currently under review)