Error message

  • Warning: Illegal string offset 'tokenized' in addtocal_field_get_value() (line 362 of /var/www/drupal/sites/all/modules/addtocal/addtocal.module).
  • Warning: Illegal string offset 'tokenized' in addtocal_field_get_value() (line 400 of /var/www/drupal/sites/all/modules/addtocal/addtocal.module).
  • Warning: Illegal string offset 'tokenized' in addtocal_field_get_value() (line 362 of /var/www/drupal/sites/all/modules/addtocal/addtocal.module).
  • Warning: Illegal string offset 'tokenized' in addtocal_field_get_value() (line 400 of /var/www/drupal/sites/all/modules/addtocal/addtocal.module).
Home > Events > 2018 > Won't Somebody Think of the Children?" Examining COPPA Compliance at Scale
Won't Somebody Think of the Children?" Examining COPPA Compliance at Scale
17 July 2018 - 1:00pm to 2:00pm
Add to Calendar
Speaker(s): 
Researcher, Usable Security and Privacy Group, International Computer Science Institute (ICSI), University of California at Berkeley, USA
Location: 

MR-1S1 [Torres] & MR-1S3 [Quevedo], IMDEA Networks Institute, Avda. del Mar Mediterráneo 22, 28918 Leganés – Madrid

Organization: 
NETCOM Research Group (Telematics Engineering Department, UC3M); IMDEA Networks Institute

We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps' compliance with the Children's Online Privacy Protection Act (COPPA), one of the few stringent privacy laws in the U.S. Based on our automated analysis of 5,855 of the most popular free children's apps, we found that a majority are potentially in violation of COPPA, mainly due to their use of third-party SDKs. While many of these SDKs offer configuration options to respect COPPA by disabling tracking and behavioral advertising, our data suggest that a majority of apps either do not make use of these options or incorrectly propagate them across mediation SDKs. Worse, we observed that 19% of children's apps collect identifiers or other personally identifiable information (PII) via SDKs whose terms of service outright prohibit their use in child-directed apps. Finally, we show that efforts by Google to limit tracking through the use of a resettable advertising ID have had little success: of the

3,454 apps that share the resettable ID with advertisers, 66% transmit other, non-resettable, persistent identifiers as well, negating any intended privacy-preserving properties of the advertising ID.

Link to PDF of the publication.

About Irwin Reyes

Irwin is a researcher in the Usable Security and Privacy Group at the International Computer Science Institute (ICSI) affiliated with the University of California at Berkeley. He earned Bachelor's and Master's degrees from the University of Virginia in 2009 and 2011, respectively.

Irwin has held positions developing ballistic missile defense systems at the Johns Hopkins University Applied Physics Laboratory and applying usable security concepts to commercial products at Dell. His research interests include measuring the privacy risks of everyday consumer products, user perceptions of security issues, and the online advertising ecosystem.

Personal website

This event will be conducted in English