Can tracking hardware-level activity protect children’s online privacy?
Researchers have developed a tool that can determine whether a mobile game or app complies with a US federal law aimed at protecting children’s privacy online.
The tool, created by a researcher at the University of Texas at Dallas, comes after a study at the university which found that 72 out of 100 mobile apps for children violated the federal Children’s Online Privacy Protection Act (COPPA).
Dr Kanad Basu, assistant professor of electrical and computer engineering, along with colleagues elsewhere, developed and tested their ‘COPPA Tracking by Checking Hardware-Level Activity’ (COPPTCHA) tool, which was found to have 99 per cent accuracy.
The researchers said they are continuing to improve on the technology, which they intend to make available to download for free.
According to Basu, games and other apps that violate COPPA pose privacy risks that could make it possible for someone to determine a child’s identity and location. He added that this risk is heightened as more people are accessing apps from home, rather than public places, due to the Covid-19 pandemic.
Basu explained: “Suppose the app collects information showing that there is a child on Preston Road in Plano, Texas, downloading the app. A trafficker could potentially get the user’s email ID and geographic location and try to kidnap the child. It’s really, really scary.”
Apps can access personal, identifiable information. This includes names, email addresses and location, as well as unique device identifiers such as international mobile equipment identity (IMEI) numbers and media access control (MAC) addresses.
“When you download an app, it can access a lot of information on your cellphone,” Basu said. “You have to keep in mind that all this info can be collected by these apps and sent to third parties. What do they do with it? They can pretty much do anything. We should be careful about this.”
The researchers’ technique accesses a device’s special-purpose register, a type of temporary data storage location within a microprocessor that monitors various aspects of the microprocessor’s function. Whenever an app transmits data, the activity leaves footprints that can be detected by the special-purpose register.
Under COPPA, websites and online services directed at children must obtain parental consent before collecting personal information from anyone younger than 13. However, as Basu’s research found, many popular apps do not comply.
According to the research, many popular games designed specifically for young children revealed users’ Android IDs, Android advertising IDs and device descriptions.
Basu recommends that parents use caution when downloading or allowing children to download apps. He also advised keeping downloads to a minimum.
“If your kid asks you to download a popular game app, you’re likely to download it,” Basu said. “A problem with our society is that many people are not aware of – or don’t care about – the threats in terms of privacy.”
In May, a coalition of 20 advocacy groups accused TikTok of violating US child privacy laws and breaching a settlement agreed in February 2019 with the Federal Trade Commission (FTC).
Back in January, the UK’s data regulator published standards that would force tech companies to prioritise children’s privacy online.