“Is Our Children’s Apps Learning?” Automatically Detecting COPPA Violations

Title: “Is Our Children’s Apps Learning?” Automatically Detecting COPPA Violations
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Wijesekera P, Razaghpanah A, Reardon J, Reyes I, Vallina-Rodriguez N, Egelman S, Kreibich C
Published in: Proceedings of the Workshop on Technology and Consumer Protection (ConPro ’17)

In recent years, a market of games and learning apps for children has flourished in the mobile world. Many of these often “free” mobile apps have access to a variety of sensitive personal information about the user, which the app author can leverage to increase revenue via advertising or other means. In the United States, the Children’s Online Privacy Protection Act (COPPA) protects children’s privacy, requiring parental consent to the use of personal information and prohibiting behavioral advertising and online tracking. In this work, we present our ongoing effort to develop a method to automatically evaluate mobile apps’ COPPA compliance. Our method combines dynamic execution analysis (to track sensitive resource access at runtime) with traffic monitoring (to reveal private information leaving the device and recording with whom it gets shared, even if encrypted). We complement our empirical technical observations with legal analysis of the apps’ corresponding privacy policies. As a proof of concept, we scrape the Google Play store for apps that declare their target group to be less than 13 years of age, which subjects them to COPPA’s regulations. We automate app execution on an instrumented version of the Android OS, recording the apps’ access to and transmission of sensitive information. To contextualize third parties (e.g., advertising networks) with whom the apps share information, we leverage a crowdsourced dataset collected by Haystack, our Android-based device-local traffic inspection platform. Our effort illuminates apps’ compliance with COPPA and catalogs the organizations that collect sensitive user information. We find several likely COPPA violations in our preliminary corpus, including omission of prior consent and active sharing of persistent identifiers with third-party services for tracking and profiling of children.


This research was supported by the United States Department of Homeland Security’s Science and Technology Directorate under contract FA8750-16-C-0140, the Center for Long-Term Cybersecurity (CLTC) at UC Berkeley, the National Science Foundation under grants CNS-1318680 and CNS-1564329, the European Union under the H2020 TYPES (653449) project, and Data Transparency Lab Grant 2016 program. The content of this document does not necessarily reflect the position or the policy of the U.S. Government, European Union, or any other sponsor, and no official endorsement should be inferred.

ICSI Research Group: Usable Security and Privacy