won’t somebody think of the children? examining coppa...

“Won’t Somebody Think of the Children?”Examining COPPA Compliance at Scale

Irwin Reyes, Primal Wijesekera, Joel Reardon, AmitElazari Bar On, Abbas Razaghpanah, Narseo

Vallina-Rodriguez, and Serge Egelman

1

usinternet

lots of

lots and

name

device id

location

microphone

SSID

router MACrandom IPs

analytics

analytics

ads

ads

ads

someterriblegame

and your PII

(information)

( personally )

(identifying )

you

...

realbadgame

gameawful ad company

and your PII

(information)

( personally )

(identifying )

youand your PII

(information)

( personally )

(identifying )

you

...

realbadgame


and your PII

(information)

( personally )

(identifying )

youand your PII

(information)

( personally )

(identifying )

you

...

realbadgame


and behaviouralinformation

and your PII

(information)

( personally )

(identifying )

youand your PII

(information)

( personally )

(identifying )

you

...

realbadgame


behavioural datadossier of

and an ever growing

Behavioural Advertising is Illegal

10

Behavioural Advertising is Illegalin US for Children under 13

11

And if you ever seen“you must be 13 or older”

in the terms of service this is why.

12

COPPA

the Children’s Online Privacy Protection Act

from 1998

updated in 2013

has teeth, 40k fines per violation

has been used, cases of millions in fines to companies

13

COPPA

protects those under 13 frombehavioural advertising and trackingcollecting audio / videocollecting personal identifiers

allowed with verified parental consentinternal operations / improvement exemptiontake reasonable precautions to safeguard data

must make privacy policy availablemust list all 3rd party recipients of data

14

Personal Identifiers

first and last name

address including street name and name of a city or town

online contact information

a screen or user name that functions as online contact information

a telephone number

a social security number

a persistent identifier that can be used to recognize a user overtime and across different websites or online services

a photograph, video, or audio file, where such file contains achilds image or voice;

geolocation information sufficient to identify street name andname of a city or town

15

So, are mobile apps complying with COPPA?

16

We built a tool to help us measure compliance.

17

Two approaches: static analysis and dynamic analysis

18

Static Analysis

you look at the source code

you look at libraries that are included

you look at what the code can do

you form a lower bound of what it might do.

19

Dynamic Analysis

you run the app on a phone

you record what it does

you form a lower bound of what it actually does.

20

We did (mostly) dynamic analysis.

24

This also means that our resultsare for actual behaviour.

25

of

apps

pile

of

apps

pile

run app

of

apps

pile

run app

reports

of

pile

of

apps

pile

run app

reports

of

pile

... ?

profit!

Collecting apps was easy.

30

We collected 5855 apps from thedesigned for families program.

32

1889 different developers.

33

4.5 billion installations.

34

130 with princess in the title.

35

But who wants to spend all day playing gameslike Pregnant Princess Baby Birth

and Princess Ballerina Star?

36

Undergrads!

37

But it was slow and tedious work, so we also used anautomated exerciser monkey

38

Running apps

two undergrads hired toplay games for about 10minutes

automated exercisermonkey simulates aimlessclicks and swipes

40

Instrumented Android

log access to sensitiveresources

record app that isaccessing

disabled interest-basedadvertising (opt-out)

monitors network flows toremote servers

MITMs HTTPS payloads

attributes flows toparticular apps

41

Does using HTTP instead of HTTPS constitute“taking reasonable precautions”?

48

Analysis Tools

we wrote bespoke tools for analysis

permute PII into many formats

extract packets from the log emitted by the app

apply different decodings

search for PII in the payload

59

Persistent identifiers we look for

android advertising ID

android ID

Google services framework ID

hardware ID

IMEI

SIM ID

phone MAC address

60

Other personal information we look for

e-mail address

phone number

latitude / longitude

OS / build information

router MAC address

router SSID

61

Observation 1: Violations from 3rd party libraries

these libraries are bundled with app

these are provided by the ads and analytics companies

62

MoPub: Supply Partners who sign up using this websitemay not provide MoPub with data from end users underage 13. Supply Partners must not register for MoPubs

services using this website if any of their apps are either:(1) directed to children under age 13 (even if children

are not the apps primary audience), or (2) collectinformation from children that Supply Partners know are

under age 13.

63

Tapjoy: Publisher represents, warrants, and covenantsthat (i) its Application(s) are not and shall not during the

Term be directed to users under 13 years of age; (ii)Publisher does not as of the date Publisher creates a

Publisher Account, and will not during the Term, collect,use, or disclose personal information from any end user

known to Publisher to be a child under 13.

64

Heyzap: You must not include functionality in yourapplication and/or website that requests or collects

personal identification information from users who Youknow or have reason to know may be under the age of 13.

65

These libraries don’t offer a COPPA-safe mode. Just usingthem is a violation. While app developers can’t control

the code in SDK, they are (probably) liable for it.

66

Service Name App Count Total Installs

Crashlytics 300 556MSupersonic 466 481MTapjoy 101 386MMoPub 148 296MInneractive 180 239MHeyzap 263 150MAppnext 46 55MAmplitude 17 52MBranch 19 42MAppboy 1 10K

67

Observation 2: Even when a 3rd-party library does have aCOPPA mode, it’s often not used.

76

apps contacting facebook with

77


coppa=true 75

78


coppa=false 342

coppa=true 75

79


both 27

coppa=false 342

coppa=true 75

80


neither 836

both 27

coppa=false 342

coppa=true 75

81


best case: 27% are failing

neither 836

both 27

coppa=false 342

coppa=true 75

82


worst case: 94% are failing

neither 836

both 27

coppa=false 342

coppa=true 75

83

Does it work?

85

children’s apps5,855

86


used unity (2,909)

87


sent coppaCompliant flag (1,068)

used unity (2,909)

88


coppaCompliant=true (479)

coppaCompliant=false (589)


used unity (2,909)

89


of unity apps

83.5%

coppaCompliant=true (479)

coppaCompliant=false (589)


used unity (2,909)

90

Observation 3: Where are your children?

COPPA was amended in 2013 partially for geolocation apps

no exemptions: requires verified parental consent

COPPA suggests a letter in the mail

91

Location Access

706 declared a location permissionthis allows them or bundled libraries to access location

our instrumentation noticed 235 (4%) call API functions for GPScumulatively 172 million installs

184 further send location over the network

93

Location Access

most popular destination for location was MoPub85 apps

MoPub’s terms clearly state:it cannot be used for children’s appsit performs behavioural advertising

94

Also we have been narrowing the gap between ‘access’location and ‘sent’ location using static analysis.

95

"locations":"TCsxMiMiMyhfKTInOjYmK0E8Ii..."


L+12#"3(_)2’:6&+A


−122.27143907388712,37.8692660985882

L+12#"3(_)2’:6&+A


XORL+12#"3(_)2’:6&+A

Other developers simply use AES (on top of TLS)

101

Observation 4: Why are so many appssending MAC addresses?

103

Media Access Control (MAC)

number attached to all network cards, routers, etc.

looks like a2:2a:a8:d2:c6:bd

uniquely identifies hardware

104

MAC address is an ersatz location.There’s no valid reason to share it.

111

Sending MAC Addresses

101 apps shared Wi-Fi MAC addresses

61 to greedygame.com

60 to startappservice.com

30 to kochava.com

112

Yousician’s “Guitar Tuner Free”

10–50 million installs

router MAC address to control.kochava.com

113

Where’s My Water


created by Disney

sends router SSID to Kochava

115

Surely you Quest

1–5 Million installscreated by Cartoon Network

owned by Time Warner

sends MAC address to Kochava

121

Observation 5: Are Safe Harbor Apps Safer?

122

Safe Harbor

COPPA specifies a safe harbor program that allows companies tosubmit their apps to review by a safe harbor company

ESRB, kidSafe, TRUSTe, others

If approved, company is insulated from FTC enforcement

123

Do you think that industry self-regulation works?

124

Safe Harbor Apps

we found 237 apps in our corpus certifiedbasically makes no difference:

66% (safe harbor subset) send persistent identifiers versus 73% (fullset)

49% (safe) without using encryption versus 40% (full)

3.4% (safe) versus 3.1% (full) send location1.7% (safe) versus 1.8% (full) send e-mail address

one major difference:33% (safe) versus 19% (full) send persistent identifiers to forbiddenservices

125

BookMyne

certified by TRUSTesends location data to bookmyne.bc.sirsidynix.net

not disclosed in privacy policy

126

FamilyTime Parental Controls & Time Management App

certified by kidSAFEe-mail send to admin.appnext.comadvertising SDK“shall not provide to Appnext any data regarding children under the ageof 13”

Appnext is not listed in the privacy policy

127

NFL Emojis

certified by TRUSTe

e-mail sent to Kochava

not mentioned in privacy policy

128

Rail Rush

certified by CARU

states in privacy policy that it does “not disclose personal data ofusers under 13 years of age to any third parties”


129

Rail Rush

location data is sent to ads.aerserv.com, analytics.mopub.com,ads.mopub.com (unencrypted)

e-mail sent to api.fuelpowered.com, who does not “knowinglycollect personal data from children under the age of 13”

android ID to data.flurry.com and api.fuelpowered.com

advertising ID to mpx.mopub.com, analytics.liftoff.io, and more.

130

Observation 6: One Identifier to Rule them All

133

The goal was to replace a slew of other identifiers beingused for advertising with one specifically for that purpose.

137

Advertising Identifier

Google’s standards not followed

opt-out is just a suggestion

identifiers can be linked when sent together

147

Observation 7: Why are you even sending IMEIs?

148

International Mobile Equipment Identity (IMEI)

a mobile phone serial number

used when connecting to cellular networks

used to blacklist stolen phones

a serious persistent identifier

149

It’s also trivial for apps to get:

151

It’s also trivial for apps to get:566 (about 10%) of apps send it.

152

One developer, TinyLabProductions, sent the IMEI in29832 different packets in 82 (of 83) of their games.

153

Unencrypted 99% of the time.

154

Lower bound of 55 million installs.

155

Another 122 (of 229) apps from a family of developerssend the hash of IMEI to androidha.vascogames.com

(also unencrypted).

156

Not only is an IMEI hash a persistent identifier,it’s reversible!

157

IMEIs

15 digits:first two either 00 or 35next six indicates phone production

nearly all ours are 362707

next six are randomlast is a checksum

takes 13 seconds to hash all IMEIs in production runresulting file is 50 MiB

158

Only the phone company should be getting IMEIs.Not four out of sixteen of Mattel’s games.

159

Observation 8: What else you got installed?

160

Observation 9: Are free libre open source apps better?

165

F-Droid curates a set of open-source apps.

166

We downloaded all F-Droid apps andran them like the DFF ones.

167

DFF (5,855)

F−Droid (1,230)

DFF (5,855)

F−Droid (1,230)

sent packets

5,344

284

DFF (5,855)

F−Droid (1,230)

30

sent PII

sent packets

4,329 5,344

284

DFF (5,855)

F−Droid (1,230)

sent advertising ID

30

sent PII

sent packets0

4,3293,454 5,344

284

Remember that F-Droid apps are not children’s game.

172

Concluding Remarks: Where do we go from here?

175

We’re missing transparency.

176

We’re missing transparency.Transparency is the new privacy.

177

Attorney General Balderas: “I’m trying to get lawmakersat the federal level to wake up.”

186

Developers need better tools for warning about misusingAPIs, not using TLS, etc.

187

Maybe linting or annotation developer supportfor dealing with PII?

188

Android should be a better actor in this ecosystem.

189

There is a reason why getting the advertising IDis still possible in opt-out mode.

190

Something we can all do:use, support, and contribute tofree libre open source software.

191

won’t somebody think of the children? examining coppa...

Documents