Naked Security

91 “child friendly” Android apps accused of exploitation

New Mexico's AG filed a lawsuit accusing a popular app maker, plus Google's and Twitter's ad platforms, of illegally collecting kids' data.

Kids? So tough to monetize!
That’s what the CEO of one mobile game maker – Tiny Lab Productions’s Jonas Abromaitis – has lamented:

There is a low buying power of our players who are mainly under 13 years old. It’s hard to convince them to spend their money on additional game items or levels as most of them have to ask their parents for the purchase.

Tiny Lab, however, has its ways. At least according to what the attorney general for the US state of New Mexico alleges.
Last week, Attorney General Hector Balderas filed a lawsuit charging Tiny Lab, as well as Twitter’s and Google’s advertising platforms, with surreptitiously grabbing kids’ information so as to profile them and target them for “commercial exploitation.”
According to Balderas, Tiny Lab is the maker of 91 games clearly targeted at kids or toddlers, with names like Fun Kid Racing, Candy Land Racing, Baby Toilet Race: Cleanup Fun, GummyBear and Friends Speed Racings.
On Wednesday, he put out a full list of game titles in an announcement about the lawsuit.
It’s illegal to track children online. They’re protected by the Children’s Online Privacy Protection Act (COPPA), which prohibits improper tracking of under-13s, including for advertising purposes. Unless they collect explicit, verifiable permission from parents, children’s sites and apps aren’t supposed to collect personal details such as names, email addresses, geolocation data and tracking codes – such as cookies – for use in targeted ads.
Google got in trouble for monetizing kids a few months ago: in April, a group of 23 child advocacy, consumer and privacy groups filed a complaint asking the Federal Trade Commission (FTC) to make YouTube stop illegally making “substantial profits” from children’s personal data.
Researchers at the International Computer Science Institute published an analysis of 5,855 Android apps that claimed to comply with the Google Play Store’s Designed for Families (DFF) program. When it comes to privacy and secretive surveillance, that DFF program turns out to be a hot mess.
The researchers found that 40% of the apps were transmitting personal information “without applying reasonable security measures” (that is, without SSL/TLS encryption), while another 18.8% were sharing with third parties data that could be used to identify children and their devices for profiling.
More than half of the apps, including those from Tiny Lab, were found to be sharing details with outside companies in ways that may have violated the law.
Out of the 91 gaming apps listed in New Mexico’s lawsuit last week, all but five of them are now or have been participants in the DFF program, Balderas says.

Can we trust Google’s family friendly app store?

Google introduced DFF in 2015, informing Android developers that any apps that were “primarily child-directed” had to participate in the program and that developers must confirm that their apps complied with child-protection rules. Google said the intent was to help parents find “suitable, trusted, high-quality apps and games” for their children.
In spite of being part of DFF, Tiny Lab’s apps aren’t behaving themselves around kids, Balderas told the New York Times:

These sophisticated tech companies are not policing themselves. The children of this country ultimately pay the price.

Tiny Lab’s Abromaitis told the Times that his company’s apps are directed not specifically at children under 13, but rather at a broader category called “mixed audiences.” That’s an important difference: by labelling an intended audience as “mixed,” apps can get away from COPPA’s requirement that gaming apps need parental consent to track users under 13.
5% of the apps tested by the International Computer Science Institute were collecting children’s location or contact information – without their parents’ permission.
New Mexico AG Balderas says that the risk isn’t just that kids could be stalked, but that collecting this type of sensitive personal data puts it at risk of being exposed in a breach:

These apps can track where children live, play, and go to school with incredible precision. These multi-million-dollar tech companies partnering with app developers are taking advantage of …children, and the unacceptable risk of data breach and access from third parties who seek to exploit and harm our children will not be tolerated in New Mexico.

A Google spokesman told the Times that developers are responsible for declaring whether their apps are primarily for children, and that apps in the store’s family section “must comply with more stringent policies.”
A Twitter spokesman told the Times that the company’s ad platform, MoPub, doesn’t allow its services to be used to collect information from children’s apps for targeted advertising and that it suspended the maker of Fun Kid Racing in September of 2017 for violating its policies.

1 Comment

“Baby Toilet Race: Cleanup Fun” – is that “primarily child-directed”? That’s by a long way the most disturbing news in the piece.
I hope Tiny Lab isn’t doing a senior citizens’ version.

