Letter
Mobile apps and children’s privacy: a traffic analysis of data sharing practices among children’s mobile iOS apps
Authors: Jessica Pimienta (1), Jacco Brandt (2), Timme Bethe (2), Ralph Holz (2), Andrea Continella (2), Lindsay Jibb (1,3), Quinn Grundy (1)

Affiliations:
  1. Lawrence S. Bloomberg Faculty of Nursing, University of Toronto, Toronto, Ontario, Canada
  2. Faculty of Electrical Engineering, Mathematics and Computer Science, University of Twente, Enschede, Netherlands
  3. Child Health Evaluative Sciences, Hospital for Sick Children, Toronto, Ontario, Canada

Correspondence to Dr Quinn Grundy, University of Toronto, Toronto M5T 1P8, Ontario, Canada; quinn.grundy{at}utoronto.ca

Despite policy recognition of children’s vulnerability online, children’s apps (or parental apps involving children’s data) may share user data with third parties, which may be used to create detailed, long-term profiles of children, generating privacy risks.1 2 These risks have attracted policy attention from the Federal Trade Commission; Apple Inc. subsequently stipulated that apps developed for children may not send personally identifiable or device information to third parties and should not include third-party trackers or advertising.

We conducted a cross-sectional study of top user-rated mobile apps labelled for children under 12 years available in the Apple App store in Australia, Canada, the UK and the USA as of July 2022 (https://kids-apps.healthprivacy.info). We aimed to (1) characterise their data sharing practices by analysing their network traffic and (2) identify the third parties that received the information transmitted from these apps. Building on previously reported methods,3 we created a parent/child dummy profile and performed network traffic analysis during simulated app use to identify transmission of 21 prespecified types of user data and its network destinations. For identified data recipients, we examined their websites to categorise their main activities.
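The matching step described above, sketched as an added example (not the study's own code): known dummy-profile values are searched for in intercepted requests and the hits are grouped by destination host. The profile fields, the set of encodings checked, the first-party domain and the sample flows are all constructed assumptions.

```python
import base64
import hashlib
from collections import defaultdict
from urllib.parse import quote, quote_plus, urlsplit

# Constructed dummy profile; the page does not list the study's 21 data types.
PROFILE = {
    "child_name": "Robin Testchild",
    "parent_email": "parent.dummy@example.org",
    "device_id": "A1B2C3D4-0000-4000-8000-123456789ABC",
}
FIRST_PARTY_SUFFIXES = ("kidsapp.example",)  # hypothetical developer domain

def variants(value):
    """Forms a profile value may take on the wire (an assumed, non-exhaustive set)."""
    forms = {value, value.lower(), quote(value, safe=""), quote_plus(value),
             base64.b64encode(value.encode()).decode()}
    for text in (value, value.lower()):
        for algo in ("sha1", "sha256"):
            forms.add(hashlib.new(algo, text.encode()).hexdigest())
    return forms

NEEDLES = {key: variants(val) for key, val in PROFILE.items()}

def party(host):
    """Label a host first- or third-party by exact or dot-bounded suffix match."""
    host = host.lower().rstrip(".")
    own = any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)
    return "first" if own else "third"

def audit(flows):
    """flows: (url, body) pairs from intercepted traffic -> {host: party, types}."""
    report = defaultdict(lambda: {"party": None, "types": set()})
    for url, body in flows:
        host = urlsplit(url).hostname or ""
        haystack = url + "\n" + body
        hits = {k for k, forms in NEEDLES.items() if any(f in haystack for f in forms)}
        if hits:
            report[host]["party"] = party(host)
            report[host]["types"] |= hits
    return dict(report)

# Constructed sample flows, not data from the study.
FLOWS = [
    ("https://api.kidsapp.example/v1/profile", '{"name": "Robin Testchild", "email": "parent.dummy@example.org"}'),
    ("https://collect.adnetwork.example/e?idfa=a1b2c3d4-0000-4000-8000-123456789abc", ""),
    ("https://collect.adnetwork.example/e", "em=" + hashlib.sha256(b"parent.dummy@example.org").hexdigest()),
    ("https://cdn.assets.example/i.png?n=Robin%20Testchild", ""),
    ("https://notkidsapp.example/ping", "ok"),
]
```

Calling `audit(FLOWS)` returns one entry per host that received a profile value; hashed and URL-encoded forms are caught only because they are enumerated in `variants`, so values sent under other transformations would be missed.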

We purposively sampled 25 of 6264 apps identified by an App Store crawling program because they were highly rated by users (84% or 21/25 rated >4.4/5.0), had a privacy policy (96%, 24/25) and represented a variety of store categories including Productivity, Lifestyle, Utilities and Social Networking (32%, 8/25); Education (28%, 7/25); Entertainment (20%, 5/25); Games (20%, 5/25); and Medical, Health and Fitness (12%, 3/25).

All sampled apps (100%, 25/25) shared user data with varying degrees of sensitivity outside the app (table 1). Almost half of the apps (44%, 11/25) transmitted at least one piece of data to third parties considered to be personal information under the European Union’s General Data Protection Rules.

Table 1: Proportion of apps sharing user data and type of destination (n=25)

Included apps transmitted user data to 165 unique hosts (median 10, IQR 5–17). Forty hosts (24%, 40/165) were associated with the app’s developer or its parent company. One hundred and thirty-eight hosts (84%, 138/165) were third parties including those providing infrastructure-related services (19%, 31/165), such as cloud services, and analysis services (65%, 108/165), such as advertising or analytics for commercial purposes (table 2). Amazon.com, Inc., Apple Inc. and Google LLC accounted for over a third of the unique hosts (58/165, 35%) in our traffic analysis and received data from all apps in the study as either a first party or third party (table 2). Despite Apple Inc.’s guidelines, 18 apps (72%) transmitted data to analysis-related third parties not associated with Apple Inc.

Table 2: Categorisation of all third parties (n=108) and third parties excluding Apple Inc./Google LLC/Amazon.com, Inc. (n=79) performing analysis-related services

Children’s data are commonly shared with third parties, suggesting there are privacy risks in using children’s apps.4 Thus, an industry self-regulatory approach to addressing children’s privacy risks in apps may be limited. The implications of data sharing may manifest across aspects of childhood including those related to education, entertainment and health, and extend into adulthood. Privacy regulation should require transparency and accountability of data sharing practices from developers and third parties and promote user control over data sharing.

Ethics statements

Patient consent for publication

Ethics approval

Not applicable.

Acknowledgments

The authors thank ip2location.com for support in providing an academic license to their geo-IP database.

References

Footnotes

  • Contributors QG and LJ acquired funding, designed the study, supervised, and participated in data collection and content analysis. JP participated in data collection and content analysis. JB conducted the traffic analysis. TB conducted the traffic analysis. AC and RH designed the study, supervised the traffic analysis. JP and QG act as guarantors.

  • Funding Government of Canada’s New Frontiers in Research Fund (NFRF) (NFRFE-2019-00806).

  • Competing interests None declared.

  • Provenance and peer review Not commissioned; externally peer reviewed.