Researchers from EPFL and Spain’s IMDEA Software Institute and IMDEA Networks Institute have found that many parental control applications collect and share data without consent, and fail to comply with regulatory requirements.
Parental control applications available on Android through the Google Play Store are used by parents to monitor and limit their children’s online activities and even physical location; for example, to examine a child’s web browsing history, to block or limit their access to certain websites or features, or to track the location of their mobile devices to know where their children are.
By definition, these apps are highly intrusive, as they require privileged access to system resources and sensitive data to do their jobs. This access may reduce the dangers associated with kids’ online activities, but this new research has found that the apps raise important privacy concerns, so far overlooked by regulators and organizations that provide recommendations to the public on their use.
The Study
The researchers, including Carmela Troncoso, head of the Security and Privacy Engineering Lab (SPRING) at EPFL’s School of Computer and Communication Sciences (IC), conducted the first in-depth study of the Android parental control app ecosystem from a privacy and regulatory point of view, studying 46 different apps from 43 developers. Combined, these apps have been installed more than 20 million times from the Google Play Store.
Using a combination of static and dynamic analysis, they found that almost 70% of the apps share private data without user consent and close to 75% contain data-driven third-party libraries for secondary purposes including social networks, online advertising, and analytics. 80% of the apps that share data with third parties do not name them in their privacy policy, so they lack not only transparency but also compliance with regulatory requirements.
Troncoso says she was surprised at the extent to which these surveillant libraries infiltrate parental control apps, given ongoing concerns around data privacy and given that current legislation (such as Europe’s GDPR) protects children’s data from being accessed without clear parental consent.
"With some of the apps you can’t look at anything on your phone without information being sent to the backend server. If you have changed to Signal because WhatsApp has decided to give your data to Facebook, maybe you don’t want to have an app on your child’s device that gives all their data, every single link that they click on, to them and even to third parties."
Policy Implications
The researchers hope that the findings open a debate on the privacy risks introduced by these apps, particularly around whether the apps’ potential to protect children justifies the risks regarding the sharing of their data. They also hope that regulators will look beyond the price, capabilities or usability of these apps and ensure that they are also benchmarked in terms of security and privacy analysis to help parents make the best choices.
"If apps are going to be allowed to monitor children, they should probably have much tighter checks than currently exist. The question is by whom, and how, and this is difficult, however, we need to have safeguards and what our study shows is that the landscape is more like the wild west right now," concluded Troncoso.
The researchers Álvaro Feal (IMDEA Networks Institute), Paolo Calciati (IMDEA Software Institute), Narseo Vallina-Rodríguez (IMDEA Networks Institute), Carmela Troncoso (Spring Lab EPFL), and Alessandra Gorla (IMDEA Software Institute) have won the "Prize for the research and Personal Data Protection Emilio Aced" given by the Spanish data protection agency (AEPD), for the paper "Angel or Devil? A Privacy Study of Mobile Parental Control Apps."