How Kid Apps Are Data Magnets
While 7-year-old Eros ViDemantay played with a kid's app on his father's phone, tracing an elephant, behind the scenes a startup company backed by Google Inc. GOOG +0.24% was collecting information from the device—including its email address and a list of other apps installed on his phone.
Explore the Findings of the Journal's Tests
"My jaw dropped," says Lee ViDemantay, Eros's father and a fifth-grade teacher at the Los Angeles Unified School District. "Why do they need to know all that?" The app, called "How to Draw—Easy Lessons," also sent two of the phone's main ID numbers.
A Wall Street Journal examination of 40 popular and free child-friendly apps on Google's Android and Apple Inc.'s AAPL -0.07% iOS systems found that nearly half transmitted to other companies a device ID number, a primary tool for tracking users from app to app. Some 70% passed along information about how the app was used, in some cases including the buttons clicked and in what order.
Some three years after the Journal first tested data collection and sharing in smartphone apps—and discovered the majority of apps tested sending details to third parties without users' awareness—the makers of widely used software continue to gather and profit from people's personal information.
Data transmissions related to child-friendly apps will be subject to greater government scrutiny after July 1, when the Federal Trade Commission's new rules on children's online privacy take effect. The rules, which were adopted in December and outline how the FTC enforces the Children's Online Privacy Protection Act, or Coppa, expand the types of information considered "personal" and, hence, protected.
These rules could upend the business of some kid-friendly apps that rely on data-driven advertising to bring in money.
Among other things, the new rules will govern collection of location data and certain types of phone ID numbers. The FTC isn't banning collection of this information altogether. But app developers—and all online services—won't be able to use it in as many ways as before without receiving explicit parental consent.
The Journal's latest tests in February and March observed two Android apps, including "How to Draw," incorporating code from Pocket Change, the Google-backed company, and sending the company data without notifying users of these transmissions.
While many of the apps tested sent device IDs to third-party companies, apps with Pocket Change's code sent considerably more information including the device's registered email address, list of other apps installed on the device, and information about the user's phone carrier.
Pocket Change is a company that provides a virtual "currency" that users can accrue by achieving various goals (such as reaching new game levels) and can redeem for music downloads, gift certificates and physical goods. Pocket Change makes money by charging companies for their products to appear in its rewards store.
On its website, Pocket Change says it is on 500 apps, and that 50 million people have earned the virtual currency. The San Francisco company uses the data it collects to identify people claiming the rewards, as well as to help advertisers tailor offers to specific users, says Ari Mir, Pocket Change's CEO.
Pocket Change says it doesn't target children. After the Journal's tests, Pocket Change said it updated its system to collect data only after a person agrees to sign up for the service, rather than automatically. The company said it had already planned to change its system before being contacted by the Journal.
A Google official declined to comment on its investment in Pocket Change.
Alfiya Valiullina, a spokeswoman for the Siberian company that makes "How to Draw," ArtelPlus, said ArtelPlus wasn't aware of how much data Pocket Change was collecting. An app-update published on May 24 removed Pocket Change's code as well as access to the user's email address.
The FTC regulations govern apps and online services "directed to children" under 13, but the FTC doesn't strictly define what that means. The commission says it takes into consideration factors including "subject matter, visual content, use of animated characters" as well as the "presence of child celebrities."
The FTC declined to comment on the Journal's findings.
The Journal tested 20 popular free, child-friendly applications each from Apple's App Store and Google's Play market. The apps were drawn from the two most kid-friendly categories on each platform: For Apple, these two were "Education" and the "Kids" subcategory of "Games." For Android it was "Casual" and "Education." Child-friendly apps that may also appeal to adults were included in the tests, but those clearly geared only toward teenagers or older users weren't.
Apple and Google declined to comment on the coming Coppa changes and the Journal's findings.
The majority of apps—28 of 40—sent data to other companies that provide analytics services that track the ways people use particular apps. The data can range from simple details—for example, when a user opens or closes an app—to complex behavioral patterns. Developers use this information to decide how to improve their games, for example, or what in-game products they might be able to sell to users.
Analytics and advertising company Flurry received data from the most apps in the Journal tests, 23 of the 40. Flurry's website says the company gathers "insight from 2.8 billion app sessions per day."
Flurry didn't respond to requests for further information. Flurry's terms of service prohibit child-targeted apps from using its products.
Intellijoy, the developer of "Kids ABC Letters Lite" and four other Android apps the Journal tested, used Flurry in each. The company will be removing Flurry from its apps before the July 1 deadline and "forgoing analytics altogether until we find and select a Coppa-compliant replacement," CEO Alex Turetsky said in an email.
The tests highlighted another issue for makers of children's apps: Under what circumstances they will be allowed to collect "device identifiers" and send them to other companies. Advertising and analytics firms typically use the numbers to track people as they hop from app to app, or as they use an app multiple times. Eighteen of the apps sent device IDs to other companies.
The new Coppa rules count "persistent identifiers" as "personal information" protected under the act. Developers will be allowed to collect the IDs for "activities necessary to [maintain] or analyze the functioning" of the app. But to use the identifiers for behavioral advertising or for targeting individual children, they must obtain "verifiable parental consent."
Unique, persistent identifiers—the type that are impossible or very difficult to change, and which can be used to track people over time and across services—are controversial in the app world. Apple has been phasing out developers' access to its primary device ID, called a UDID, in favor of other, resettable identifiers. On May 1, Apple's App Store stopped accepting apps that access UDIDs. The Android equivalent, called the Android ID, is largely, though not completely persistent: It changes when users "factory reset" their devices, which also deletes all apps and stored data.
Android requires apps to tell users, before installing software, what types of information the apps can gather. Google declined to comment on Android's permission system.
Apple declined to comment on the iOS permission system.
In Apple's iOS operating system, apps don't request any particular permissions before being downloaded. Instead, Apple segregates user data into three categories: data, such as certain phone identifiers, available to all apps; data available upon in-app request, such as geolocation; and data off-limits to all apps, such as email addresses. Apps that want emails have to ask people to type them in.
Some app developers and ad companies worry that the new FTC rules mean they won't be able to learn as much about users and therefore sell ads that are "targeted" at specific types of people based on what can be known about their interests and activities. Targeted ads generally command higher prices. The majority of apps tested, 25, used other companies to provide ad services. Many free apps rely on such advertising for their revenue.
The FTC permits ads in children's apps but says they can't be based on any information the advertising service gathers about individual children, unless a parent explicitly allows it. But random ads present their own problem. While Eros was playing with "How to Draw" on his dad's phone, for example, he saw an ad for an online dating site that asked viewers to "Flirt" with "Girls," "Guys" or "Both."
At the time of testing, Pocket Change didn't protect user accounts with passwords, instead tying account information to a device identifier. Such identifiers would be difficult for most people to guess, but they could be obtained by malicious applications. Coppa requires online services to store children's data securely.
After the Journal contacted Pocket Change, the company began protecting account information with a password. The company said it had already planned to change its system when before being contacted by the Journal.
The developer of the other app that included Pocket Change code, "Jewels," said his game, which involves players lining up matching jewels, isn't tailored to children. The developer, Finland-based Mika Halttunen, said he hadn't been aware of all the data Pocket Change was receiving and decided not to add the service to his recently released sequel, "Jewels 2."
Write to Jeremy Singer-Vine at Jeremy.singer-vine@wsj.com and Anton Troianovski at anton.troianovski@wsj.com
A version of this article appeared June 28, 2013, on page B1 in the U.S. edition of The Wall Street Journal, with the headline: Apps for Kids Are Data Magnets; FTC Rules to Kick In.
Apps for Kids Are Data Magnets; FTC Rules to Kick In - WSJ.com
