Lawsuit renews focus on privacy policies for mobile apps

Researchers have warned that many popular free mobile apps aimed at children are potentially violating a U.S. law designed to protect the privacy of young users.

Some brushed off the findings, but a federal lawsuit filed Tuesday by New Mexico's top prosecutor is renewing focus on the public's growing concerns about whether information on online interests, browsing and buying habits are slipping into the hands of data brokers without their consent.

And there's not much parents can do, experts say.

There's no easy way even for a fairly savvy user to figure out whether an app is collecting personal data, said Serge Egelman, a member of the research team based at the International Computer Science Institute at the University of California, Berkeley.

It took Egelman and his team modifying operating systems and creating special tools to analyze network traffic to examine how thousands of apps access sensitive data.

"It's not reasonable to expect the average end user to develop those tools just to figure out whether an app is safe for their kids to use — or for themselves to use," Egelman said.

The other problem lies with the current privacy framework that revolves around a notice and consent model. Experts say these policies are often ambiguous and written by lawyers whose goal is to protect the companies rather than users.

New Mexico Attorney General Hector Balderas is taking aim in the lawsuit at Google, Twitter, their online ad businesses and mobile app maker Tiny Lab Productions, saying they're violating state and federal laws aimed at protecting the privacy of children by collecting information through the apps without consent.

Balderas is concerned about the potential for exploitation, saying the apps can accurately track where children live, go to school and play.

He's urging parents to pay closer attention to the apps their children use.

Whether other states follow suit or new legislation is proposed, experts see New Mexico's lawsuit as an important step in the debate.

Josh Golin, executive director of the Boston-based advocacy group Campaign for a Commercial Free Childhood, said the Berkeley researchers exposed "just how flagrantly and widespread" violations of the federal Children's Online Privacy Protection Act are. He said the research should have prompted the Federal Trade Commission to investigate.

"If the states start stepping in where the FTC has failed, that's definitely a good sign," Golin said.

Parents looking to avoid data-sapping apps shouldn't have to do anything, Golin said, because the law already calls for parents to be prompted for consent, otherwise nothing should be collected.

The research showed that wasn't always happening.

The researchers have established a database where parents and others can look up apps to see what information they collect and who they share it with. Another grant recently awarded by the National Science Foundation will ensure the project continues.

Tiny Lab Productions said Thursday it's considering what changes could be made as Google this week removed the company's apps from its Google Play Store. One option is not asking users for a birth date and treating everyone as if they were under 13 and covered by the law, said CEO Jonas Abromaitis.

He said the company takes privacy seriously and he hopes "this incident is all but a misunderstanding and it will be resolved with a satisfactory outcome for all related parties."

Tech companies are under increasing scrutiny over their data practices, following a series of privacy scandals at Facebook and new data-privacy rules recently adopted by the European Union.

Last year, the business news site Quartz found that Google was tracking Android users by collecting the addresses of nearby cellphone towers even if all location services were off. Google changed the practice and insisted it never recorded the data anyway.

Christine Elgersma, senior editor of parent education at the nonprofit Common Sense Media, said "free apps are free for a reason," and what this usually means is that "in a way, we are the product."

Critics have said the tracking of users stems from a drive to boost revenue through targeted advertising and it's through ads that apps can make money.

For parents, Elgersma suggests paying for quality apps, so they're not paying with their child's personal data. She also said not all app developers are aware of all the laws and regulations and that some don't have privacy policies as they don't think it's necessary.

Corynne McSherry, legal director for the Electronic Frontier Foundation, said there's no doubt parents are concerned about privacy for their children but that the web of apps, services and advertisers on the web is challenging.

"We live in a world now where you can't really afford not to educate your children about smart technology practices," she said. "It's not just what you can do to intervene to protect them, but we need to be educating them about what's OK and what's dangerous online because that's our new reality."


AP technology writers Matt O'Brien in Boston, and Barbara Ortutay in New York contributed to this report.