60% Of School Apps Are Improperly Sharing Student Data With Third Parties

The kids are online, but their data is not all right.

The majority of school utility apps used by kids and parents are pervasively sharing student data with third parties through advertising and analytics software development kits (SDKs), including those provided for free by Google and Facebook.

On average, school apps have more than 10 third-party SDKs integrated, according to a study released on Tuesday by the Me2B Alliance, a nonprofit organization focused on creating standards for respectful technology.

These apps, which are developed by school districts as a central hub for school-related info, like lunch menus, sporting activities and event calendars, typically have mixed audiences of parents and kids, many of whom are under the age of 13. The apps are utility apps, rather than apps to facilitate remote learning.

Me2B audited a random sample of 73 apps from 38 schools across 14 US states covering at least 500,000 people, including educators, students and their families.

Most school districts, like the Chamberlain School District in South Dakota or the Lauderdale County School District in Mississippi, rely on outside vendors to create apps for them, and those vendors seem to integrate SDKs at will, either unaware of the privacy risks – or, perhaps, simply not passing that information along to their clients.

By the same token, it might even be a surprise to the advertising SDKs themselves that they’re ingesting data from school apps, said Zach Edwards, founder of analytics firm Victory Medium, who helped conduct the research on behalf of Me2B.

An “F” in privacy

Regardless of their purpose, SDKs generally don’t discriminate their data sharing based on someone’s age. They simply share app data with the SDK mothership, and that’s that.

“But if a mobile app is used by both young kids and their parents, no SDKs within those apps should be sending data to any advertising products, period,” Edwards said.

Not only should the SDKs installed within apps used by kids be “extremely limited,” he said, “these app makers should be able to easily document exactly what service each SDK is providing and there should be safeguards within that SDK to prevent the ingestion of kids’ data.”

This privacy-aware approach is not the norm today.

Although the App Store now includes so-called privacy nutrition labels that detail what types of data an app collects (this information is self-reported), neither Apple’s App Store nor Google Play shares information about which third parties receive data once it’s collected.

The digital divide

Me2B’s analysis found that the data being sent to third parties often includes unique mobile ad IDs, such as those provided by Apple and Google.

Public school apps are more likely to share student data with third parties than private school apps. Sixty-seven percent of the public schools in the sample did so, compared with 57% of private schools.

That disparity has a lot to do with the fact that Android devices are less expensive than Apple devices, making them a common choice for budget-strapped school districts. Android devices more freely share data with third parties.

Eighteen percent of public school apps included what the report classified as “very high-risk third parties,” defined as those that not only collect data but then further share it with hundreds or possibly thousands of unknown parties.

None of the private school apps in the study had integrations with any of the high-risk third parties that cropped up across the sample.

Now that Apple’s AppTrackingTransparency framework has been released, privacy protections on Apple will presumably get tighter while the same protections won’t be afforded to Android users, thereby deepening the digital divide.

“The fact that 67% of the public schools in our sample were sending data to advertising and analytics tech is deeply concerning – on both a taxpayer level as well as a humanity level,” said Lisa LeVasseur, acting executive director of the Me2B Alliance. These apps didn’t label the third parties with which they shared data.

“Students, teachers and parents have no way to know which companies have the students’ data, which makes it impossible to ask those entities to delete the data,” said LeVasseur, who has been involved with telecom industry standards development since the ’90s when she was a software engineer at Motorola.

SD (not) oKay

Where, you might wonder, does the Children’s Online Privacy Protection Act (COPPA) come into play?

COPPA exists in order to regulate the collection of data from children under 13. But the law, which took effect in 2000, hasn’t been updated since 2013 and is rarely enforced, although the Federal Trade Commission has signaled a desire to do more in the way of COPPA enforcement.

But there is a different – and quite recent – precedent that should have SDK companies very worried.

In April, after being hit with multiple class-action lawsuits for placing tracking SDKs in popular children’s gaming apps, Disney, Viacom and 10 ad tech companies, including MoPub, agreed to delete the improperly ingested data as part of their settlements.

Rather than COPPA, the FTC relied on California state law to adjudicate the cases.

That outcome should put anyone that provides an SDK on notice.

Over the past decade, SDK companies have aggressively pushed developers to integrate their offerings, which helped them boost their footprint and make bank.

But considering the potential new legal exposure for non-compliant data ingestion, it would be prudent for the dominant SDK providers to request that developers with their SDKs installed actually remove them if there are any specific consent or notice problems to do with sensitive categories of apps, Edwards said.

“SDK companies need to ask themselves: will it be cheaper to ask a gaming or school utility app provider to remove their SDK from the app right now,” he said, “or, should that SDK company keep ingesting data from a non-compliant source and potentially be forced to comply with a painful deletion and deletion-auditing requirement from a future court order?”
