TOPICS > Science

How to Protect Against the Dangers of Mobile Apps That Gather Kids’ Data

December 11, 2012 at 12:00 AM EST
Investigations are underway to see if companies that make apps are violating the privacy rights of kids by collecting personal data and sharing it with advertisers. Ray Suarez talks to Jessica Rich of the Federal Trade Commission and the Association for Competitive Technology's Morgan Reed on how to ensure privacy for children.
LISTEN SEE PODCASTS

TRANSCRIPT

RAY SUAREZ: Finally tonight: new worries over the mobile apps kids are using, and what the apps disclose about their users.

It seems like everyone has them, the ubiquitous applications, apps, for short, on smartphones and tablets, including everything from instructive or educational materials to games.

Children of all ages, armed with these devices, are using apps and raising concerns over privacy.

The Federal Trade Commission is now investigating whether companies that make apps are violating the privacy rights of children by collecting personal data from mobile devices and sharing it with advertisers and databanks. These types of apps can detail a child’s physical location or phone numbers of their friends, along with other information.

Yesterday, the FTC issued a new report documenting those concerns. It found, among 400 apps designed for kids, most failed to inform parents about the types of data that could be gathered and who would access it.

Mark Frauenfelder is the co-editor of the collaborative Web blog Boing Boing and a father who uses and closely watches apps for kids. We talked via laptop.

MARK FRAUENFELDER, Boing Boing: Your phone as a unique I.D., and so that I.D. could be passed to third-party ad networks that are advertising on other apps. So they can kind of follow you from app to app and build a file on the kinds of things that you’re doing. It can also collect your phone number.

And one thing that I think is — causes a lot of concern is that it can also track your geolocation data, if you give it permission to do so. So it knows where you are when you’re using the app.

So that kind of information certainly can be abused, if not by the app developer, by someone getting into the database who shouldn’t be getting into the database and having — getting access to it.

RAY SUAREZ: A recent study by the PewResearchCenter shows parents are increasingly concerned as well; 81 percent of parents of online teens say they’re concerned about how much information advertisers can find out about their child’s online behavior; 46 percent said they were very concerned.

Companies such as Google object to the FTC’s characterization of online stores as digital danger zones with inadequate oversight.

In a written statement sent to the NewsHour, a Google spokesman said: “From the beginning, Android has had an industry-leading permission system which informs consumers what data an app can access and requires user approval before installation. Additionally, we offer parental controls and best practices for developers to follow.”

In the weeks ahead, the FTC Is expected to announce major changes to a 1998 law, the Children’s Online Privacy Protection Act that would impose tougher online safeguards for children under 13.

More now about these concerns and the industry’s approach to them.

Jessica Rich is with the Federal Trade Commission. She’s the associate director of its Division of Financial Practices.

And Morgan Reed is executive director of the Association for Competitive Technology, an advocacy group for app developers.

And, Jessica Rich, it’s your agency that came out with the report. What exactly is the problem? There’s a lot of hinting that something is wrong, but not a lot of pointing to direct harm or actual malfeasance.

JESSICA RICH, Federal Trade Commission: The survey we did showed that apps were transmitting information from the devices to ad networks and other third parties.

And they also contained interactive features in them like access to social networks, so that a kid could get on a social network and interact with third parties without disclosing these features to parents.

So, we think parents ought to be able to know what data is collected and how it’s used before they download an app for their children and also what kind of interactive features their children will be exposed to when they use an app. And that’s really the simple message.

RAY SUAREZ: Long before we came this far, the COPPA, the COPPA, tried to codify a government approach to oversight on this. Did you find anybody in violation of that law?

JESSICA RICH: We didn’t go the distance of evaluating whether there were law violations. That often involves contacting the companies. What we tried to do with this survey is look at a broad swathe of industry, 400 — 400 apps — to see what the trends were among those apps.

And so we made findings based on the survey, but we didn’t make determinations whether there was a law violation.

RAY SUAREZ: Morgan Reed, are the companies that develop these applications collecting information about the people who use them?

MORGAN REED, Association for Competitive Technology: Well, the vast majority of the mobile apps aren’t — mobile apps for kids in particular are not actually collecting information on kids and keeping it and storing it.

Oftentimes, this is actually one of the biggest problems we have, is the kind of information we may be collecting. You heard in the earlier segment the talk about the unique identifier.

We may be using an identifier — and, in fact, no longer a unique identifier, an app-specific identifier — to make sure that we know what the child likes about an app, so that we can improve it, or if a child has reached a certain feature level, maybe it’s a math app, have they completed a section?

I may need to know that, so that I can show them the next set of problems. So there’s a problem that we face. And I agree with Jessica. We have an education problem, that my developer community needs to do more to be transparent and clear with parents about what they’re collecting and why.

RAY SUAREZ: Well, right now, at the point of entry, when you first — I know people use the terrible word interface, but when you first encounter an application, is there sufficient protection at the front end so that everybody is clear on what’s going on, what the rules are?

MORGAN REED: Well, actually, there’s kind of two parts to that question.

The first part is, is that, is there that instantaneous knowledge? OK, am I going to tell you everything that’s happening? We’re actually working with the FTC and NTIA on a project to try to give some level of short notification to parents that they will actually get ahold of.

The problem is, for most people, anything that they have to read and digest, they will just bypass.

So, what we have found is actually, it needs to be kind of a one-two step, one, more transparency on the front end, but two, and what we’re seeing right now is an addition of tools or other capabilities on the device level that allow parents to turn on or off features on a just-in-time basis, rather than kind of permit everything to happen because you pass through an initial screen.

We see that being kind of a leapfrog over this privacy policy overnotification problem that we can run into.

RAY SUAREZ: Now, I’m not proud to admit, but I have blown through those advisories and agreements and just clicked agree, because I needed to get something done.

How do you protect children when even the adults who are supposed to sit and read that agate type don’t take the time to do it?

JESSICA RICH: Well, I think that surveys and even reports of parent behavior show that parents are really concerned about their children.

And they may be willing to look at disclosures on behalf of their children in a way they wouldn’t be willing to look for disclosures on behalf of themselves.

What we’re asking for is something very simple. We don’t want long privacy policies. We want some basic information about what is collected, how it’s used, and whether there’s interactive features. We encourage developers and trade associations like Morgan to develop icons, so that it would be easier for parents to make comparisons, and those icons can be tested with real consumers to see if they work.

But we’re asking for something really basic, which is that parents be able to find out what their children are exposed to when they download an app.

RAY SUAREZ: This is a part of our commerce that hates rules.

MORGAN REED: That’s right.

RAY SUAREZ: I think it’s fair to say that. Right?

MORGAN REED: That’s fair to say. That’s fair to say.

RAY SUAREZ: Can you make rules that leave everybody protected and happy at the end of the process, create some uniformity, so that you don’t get in trouble…

MORGAN REED: Right.

RAY SUAREZ: … and parents are — feel — feel that they know what they’re getting into?

MORGAN REED: I think we also have to understand the battle between protected and informed.

One of the things that is amazing is, protection can obviously lead to things where you say, well, you cannot do this thing. There are enormous educational applications that are being developed right now.

In fact, several states are mandating or changing their rules and piloting tablet computers in the classroom. So, there are all of these educational opportunities.

And some of them may need to have — may need to have some information. For example, an app like Star Walk, which is a really amazing application, as a parent, when a child looks up at the sky at night and says, “Dad, what is that?” well, I have got an app on my device right now called Star Walk that allows me to hold up my screen to the sky, and it superimposes the stars exactly where I am at the time I’m at.

And I can say, “Well, honey, that’s this galaxy. Oh, and, by the way,” pinch it open, “Hey, that’s a gas — that’s a gas giant.”

“What does that mean?”

And, yet, to do that, I needed to know location. I needed to know what kind of device I was on. And so I needed to collect some information before I could actually show an amazing tool that allows parents to just grab ahold of an opportunity to engage with their kids that doesn’t exist.

So, while I agree with protection, I think it also has to be transparent. If the parent knows, hey, I’m going to use your location because I want to be able to show the night sky, well, that’s what we all want to achieve, so they make an informed choice.

RAY SUAREZ: We’re very close to the end of our time.

Can this be done voluntarily by the industry, rather than with a rule-making from the FTC?

JESSICA RICH: We’re not proposing a rule-making right now.

Obviously, we do have the Children’s Online Privacy Protection Act. But, as to this particular initiative, this is bully pulpit. We’re asking the industry to do better. We’re asking the industry to improve disclosures for parents.

RAY SUAREZ: Jessica Rich, Morgan Reed, thank you both.

MORGAN REED: Thank you.

JESSICA RICH: Thanks.