The Children’s Online Privacy Protection Act (COPPA), passed in 1998, governs the sort of data that can be collected from children under the age of 13. That’s why kids have to age themselves prematurely to create accounts on some social media networks. It’s a law kids under the age of 13 subvert every day, but it’s in place to protect kids from online services and restricts information collected by apps and online services that cater to children.
Unfortunately, there are a lot of app developers ignoring this law. A recently-published research paper shows a host of violations and questionable practices that smartphone/tablet app developers are engaged in. Serge Egelman, one of the paper’s co-authors, notes that thousands of apps are violating this law every day. In just one example, an advertising SDK (software development kit) made by ironSource is harvesting personal data from 466 child-directed apps.
It’s not as though this is a simple oversight. In an earlier blog post detailing COPPA violations, Egelman points out Android developers must take a series of affirmative steps to market apps directed at children. There’s a long list of stipulations that must be met before Google will allow apps to become part of its Designed For Families program.
The Services are not directed to children under the age of 13 and children under the age of 13 should not use any portion of the Services. ironSource also does not knowingly collect or maintain personal information collected online from children under the age of 13, to the extent prohibited by the Children’s Online Privacy Protection Act.
This would appear to indicate children under the age of 13 should not see ads served by ironSource. The easiest way to do that would be not to use the targeted ad SDK, as Egelman points out. But the research shows the opposite occurs repeatedly, with developers adding ironSource’s ad software to their apps before shoving them into the “Family” section of the Play Store.
This research paper — and the attendant blog posts — weren’t published until this year. Shortly after publication, ironSource apparently chose to express its irritation with being named and shamed as an accomplice in COPPA violations. But the story is stranger than it first appears. IronSource apparently obtained a leaked copy of the report prior to its official publication. The angry letter it sent Egelman’s research partner, Irwin Reyes, claims their report is “inaccurate and misleading.” But if it is, it’s only because ironSource performed a legalese switcheroo after receiving the leaked paper.
The letter involves ironSource blundering far across the line between clever and stupid.
Ms. Litay, who claims to be a lawyer, claims that our paper is incorrect because it cites a clause that was removed after the paper was written! This requires significant mental gymnastics (or a significant amount of chutzpah and the misguided belief that the recipients of her letter do not know that the web is archival).
Looking at just our dataset for all the apps transmitting personal information to ironSource, several developers’ names include words like “child,” “baby,” or “kids.”
Behind all of this is a company displeased its questionable and possibly illegal business practices have become the subject of an unflattering research paper. The letter [PDF] ends with a veiled lawsuit threat, claiming the researchers’ fully substantiated claims “may result in substantial financial damage” to ironSource.
“The Services are not directed to children under the age of 13 and children under the age of 13 should not use any portion of the Services.”
But that’s not how they were written before the paper was published — and before ironSource obtained a copy. Before then, the terms of service stated children under 13 should not use “this portion” of the services, referring to ironSource’s targeted ad SDK. If the SDK was bundled with apps targeting kids, information was harvested by the SDK in violation of federal law.
As to the thinly-veiled legal threat closing out ironSource’s ridiculous C&D, Egelman says, “Bring it on.”
Rather than let the research paper filter its way into the collective consciousness with possibly minimal reputational damage, ironSource has chosen to draw more attention to it by attempting to silence its authors. Now, it looks like a company that threatens critics when not violating federal privacy laws. Retconning its privacy policies before calling researchers liars is just prime stupidity. The internet is forever. So is ironSource’s self-inflicted damage.