Even tech-savvy adults have trouble protecting their personal information from apps and websites that want to collect it. Imagine how tough it is for a child.
That's why there's a federal law preventing apps from gathering personal information from children under the age of 13 without the consent of a parent. But laws only work when they're enforced, and this one seems to be largely ignored.
A test of 100 mobile apps for kids found that 72 of them violated this law.
“Suppose the app collects information showing that there is a child on Preston Road in Plano, Texas, downloading the app. A trafficker could potentially get the user's email ID and geographic location and try to kidnap the child. It's really, really scary.” That worst-case scenario comes from Kanad Basu, lead study author and assistant professor of electrical and computer engineering at the University of Texas at Dallas.
A tool that can detect traces that remain on a phone after the information theft has occurred.
Even people and organizations with no criminal or commercial interest in the information are subject to data breaches that compromise security. Microsoft itself has had problems protecting its user information. Once a child's personal information gets out into cyberspace, there's no telling where it might end up.
Google and YouTube have settled an allegation by the FTC and the New York Attorney General that they violated child privacy by illegally collecting information, paying a $170 million penalty in the process.
To help prevent this, the team of researchers, from the Georgia Institute of Technology, Intel Corporation and New York University, as well as UT Dallas, developed a tool that can detect traces that remain on a phone after the information theft has occurred. Using an Android smartphone, they found their tool to be 99 percent accurate at detecting whether an app violates child privacy laws.
Violators need to temporarily store the information they've obtained somewhere on the phone. Doing so leaves footprints that can be detected later on, even when the information is no longer there. Researchers developed a tool that finds these footprints by looking in a location called the phone's hardware performance counter. This is an integral part of the phone, highly difficult for outsiders to tamper with, so apps that have commandeered kids' personal information are not able to hide the telltale signs that they've done so.
“When you download an app, it can access a lot of information on your cellphone,” Basu said. “You have to keep in mind that all this info can be collected by these apps and sent to third parties. What do they do with it? They can pretty much do anything. We should be careful about this.”
For Basu, that means downloading apps only when you need to. For people whose lifestyle simply won't allow this approach, they might think of it as the ultimate in good habits and be wary of downloading just for the sake of downloading, always asking themselves how likely they are to use a prospective app.
Once a child's personal information gets out into cyberspace, there's no telling where it might end up.
It's not only the apps that you and your kids download that you need to watch out for. Yes, the Federal Trade Commission (FTC) has fined TikTok (formerly musical.ly) over five million dollars for violating child privacy laws, and they're not the only app that has drawn a fine. But Google and YouTube also settled an allegation by the FTC and the New York Attorney General that they violated child privacy by illegally collecting information, paying a $170 million penalty in the process. So you need to beware of websites and services as well.
If you don't protect your personal information — and your kids' information — no one else will. You may not be able to spot an app that is gathering information surreptitiously, but there are plenty of others that ask you upfront for your personal information — location, birth date, income and even your health. You need to pay attention when they ask and decide whether you really want to share this information with corporate strangers. If the app insists that it needs the info, maybe you'd be better off without it.
The researchers are refining their tool, which they plan to make available for download at no cost. It's called COPPTCHA, which stands for COPPA Tracking by Checking Hardware-Level Activity. There's no word yet on when it will be available.
An article on the study appears in IEEE Transactions on Information Forensics and Security. The IEEE is the Institute of Electrical and Electronics Engineers professional association.