The U.S. Federal Trade Commission on Monday made the unexpected announcement that it was launching “multiple nonpublic investigations” into companies that make mobile apps designed for or marketed at children, to ascertain if any had broken federal children’s privacy laws.
The FTC declined to specify exactly which companies and app developers were being targeted in the investigations, let alone a timeline, but warned that if any apps were found to have broken the law, “we would bring a law enforcement action…sue them,” or file a complaint and enter into a settlement, said Jessica Rich, the associate director of the FTC’s division of financial practices, in a teleconference with reporters on Monday morning.
The agency said that it found most apps for children shared potentially sensitive user information — everything from phone numbers to location — with the apps’ developers, advertisers and other third parties.
The FTC on Monday also urged app developers to immediately “follow the three key principles” that the agency outlined in a March 2012 privacy report, which include building apps with “privacy by design,” or considering privacy implications and features at every stage of app development, “simplified choice” for app users as to what information of theirs can be shared, and “greater transparency” about an app’s information sharing and privacy policies and options.
The new investigations into app companies were prompted by the FTC’s second annual survey of apps for kids, the results of which were also released Monday.
In the survey, the FTC examined 400 of the most popular applications listed on the Apple App Store and Google Play store (formerly the Android Market) under the search “kids” (200 from each store), and found that “most apps failed to provide basic information about what data would be collected from kids, how it would be used, and with whom it would be shared.”
Specifically, the FTC found that of the 400 apps reviewed, 235, or nearly 60 percent, “transmitted device ID to the developer or, more commonly, an advertising network, analytics company, or other third party,” while another 14 apps transmitted geolocation information and/or the device’s phone number.
Here’s a graph illustrating those findings:
Meanwhile, only 20 percent of the apps reviewed, or 81 apps, had any privacy information whatsoever. Here’s an illustration of the FTC’s findings on privacy policies compared to all apps that shared any information:
The FTC also declined to name which specific apps were at fault, “in part because we think this is a systematic problem,” Rich said.
“There’s been lots of activity [by companies], but we haven’t seen improvements in mobile app transparency,” Rich said during the FTC’s Monday press conference. “We’re hopeful that these [survey results] yield improvements soon…It’s important for kids’ privacy that there be better disclosures and more accurate disclosures about what’s happening with kids’ data.”
To be clear, Rich said that the investigations alone weren’t indications that companies had broken any laws. But the FTC is specifically concerned that app makers could be in violation of the Children’s Online Privacy Protection Act (COPPA) rule, a 1998 law the FTC seeks to update to account for the numerous changes in the online and consumer digital device markets that have taken place since it was first enacted.
The FTC’s updates to COPPA are expected before the end of the year, but tech companies large and small, including Google, Twitter, Facebook and others, have voiced opposition to the proposed changes, calling them technically unfeasible. Some of the proposed changes include requiring websites with large youth audiences to treat their entire userbases as though they were children for purposes of the law, while others would enforce stricter rules on the data collected by “plug-ins,” the digital trackers used frequently by social media and advertisers, such as Facebook “Likes” and Google “+1” buttons.
Following the FTC’s announcement on Monday, the Association for Competitive Technology, an organization that claims to represent upwards of 5,000 app developers, issued a statement acknowledging deficiencies in privacy policies across the app industry but stating that the FTC ignored strides made by Apple.
“This report reminds us how important it is for the industry to focus attention on educating developers on privacy best practices,” ACT executive director Morgan Reed wrote in the statement emailed to reporters, later adding:
“One area of progress that the FTC missed, however, is on unique device identifiers like Apple’s UDID. Apple and the other platforms are moving developers away from using device-specific identifiers that can be unified across apps and services, and are introducing alternatives to limit tracking that are app-specific for sharing with advertisers and other 3rd parties.”
Indeed, Apple has over the past year moved away from allowing apps to access the Unique Device Identification (UDID) standard, a number that was previously printed on most Apple products, including iPhones and iPads, and could be used with other information to create user profiles and potentially be used by hackers to access and control devices. That fear was partially realized when one developer’s collection of user UDIDs was hacked in September.
Apple’s deprecation of UDID was officially announced in 2011, but the company upped its enforcement in March 2012, refusing to admit some apps into its App Store for accessing the number. The change also led to new work-arounds by advertising companies and their software providers.
Despite these actions, many mobile advertising companies continue to rely on the UDID, as GigaOm reported Monday.