The world goes mobile – but not in a good way

 

December was a busy month at the Federal Trade Commission (FTC) in Washington DC.

But first let’s wind back to February, 2012, and a report the FTC published based on research carried out in 2011. Mobile Apps for Kids: Current Privacy Disclosures are Disappointing in its way was a world first. A ground breaking study taking a large scale look at what was happening in the Apps space.

Worrying stories

Prior to its publication there had been several individual accounts of things going wrong in respect of people’s data being ripped off or being inappropriately handled by different mobile Apps. Some of these were kids’ Apps but the comfortable assumption was that these would be isolated cases caused by the odd rogue developer that somehow managed to slip through the net the platform owners had provided. The mainstream, the majority would be fine. I guess the title tells us how wrong those assumptions were.

A tale of two platforms

The FTC looked at two platforms. The biggies. It noted that Apple and Android first opened up for App business in 2008. Smartphone users could then choose from 552 Apple Apps and 50 Android ones.

Things have moved on a bit since then. At the time they did their counting for the February report the numbers stood at 500,000 and 380,000 respectively. They had been downloaded 28 billion times. Are these numbers and growth rates making you feel dizzy? They should. That’s the future coming knocking at your door.

Methodology

When searching the App Stores using the word “kids” FTC staff identified 8,000 Apple and 3,600 Android Apps. They then took the first 480 from each list, giving a total of 960 altogether. From these, 200 Apple Apps and 200 Android Apps were randomly selected. Various aspects of them were examined and documented. Hundreds of different developers had been engaged in their production. “Only a handful” of developers had been responsible for more than 10 of the total.

The report contains a wealth of information about the different kinds of apps that are directed at kids. However, for these purposes I want to pick up on the major criticism which the FTC made.

Not good

The survey findings regarding data collection and sharing were of greatest concern to FTC staff. Indeed, across the wide range of “kids” apps examined in the survey, staff found very little information about the data collection or sharing practices of these apps. Apple’s and Google’s mobile operating systems and app stores provide limited notice to users regarding app capabilities, and leave the bulk of disclosure to individual app developers. In most instances, staff was unable to determine from the information on the app store page or the developer’s landing page whether an app collected any data, let alone the type of data collected, the purpose for such collection, and who collected or obtained access to such data.

And from the conclusion

The mobile apps marketplace is a constantly evolving new media that offers parents many new options for entertaining and educating their children. Staff’s survey shows, however, that parents generally cannot determine, before downloading an app, whether the app poses risks related to the collection, use, and sharing of their children’s personal information. Although the two major U.S. mobile app stores provide some information and controls governing apps, all members of the mobile app ecosystem – the app stores, the developers, and the third parties providing services within the apps – must do more to ensure that parents have access to clear, concise and timely information about the apps they download for their children. Parents should be able to learn, before downloading an app for their children, what data will be collected, how the data will be used, and who will obtain access to the data. Armed with such information, parents can make knowledgeable decisions about the apps they choose for their children, and embrace these technologies with more confidence. Staff is committed to working with all stakeholders on these issues, and also plans to continue its vigorous enforcement of the COPPA statute and Rule. Staff hopes that this report will spur greater transparency and meaningful disclosure about the data collection practices in apps for children. (emphasis added by me)

So what happened?

Scroll forward to the next FTC report. Published on 10th December, 2012. It is called Mobile Apps for Kids: Disclosures Still Not Making the Grade. Though a slender volume it was nevertheless a blockbuster. If the title doesn’t rather obviously give away the answer, had the industry heeded their earlier plea? Read on.

More phenomenal growth

In terms of the number of Apps available Google had caught up with Apple. In September 2012 there were over 700,000 Apples Apps, a 40% increase since December 2011. For the Android there were also 700,000 but this represented an 80% increase from the beginning of 2012. I’m guessing but by now Android is likely to be ahead.

The FTC staff appear to have used an identical methodology this time around. So what was the verdict?

The results of the survey are disappointing. Industry appears to have made little or no progress in improving its disclosures since the first kids’ app survey was conducted, and the new survey confirms that undisclosed sharing is occurring on a frequent basis. Staff did find a handful of app developers that were providing users with simple and short disclosures. However, such instances were far from the norm, and most apps failed to provide basic information about what data would be collected from kids, how it would be used, and with whom it would be shared. It is clear that more needs to be done in order to provide parents with greater transparency in the mobile app marketplace. (emphasis added by me)

Two observations and one comment

Observation: what a pity there is no agency in the UK that has the wherewithal to mount a similar study on a similar scale. In the UK the Office of the Information Commission, the Advertising Standards Authority and PhonePay Plus are each likely to have some sort of stake but I am not hearing any news about anyone fighting to take the lead. At EU level, which is almost certainly where this ought to be tackled, the picture is much more bleak.

Observation: the FTC is a powerful and well-resourced body whose civil servants and advisers have a great deal of relevant knowledge and expertise. Yet major US companies and hundreds of firms within the developer community nonetheless still felt they could ignore the FTC’s clearly expressed views and implied promise of further action. What does that tell us about these same enterprises’ likely attitude towards self-regulation in jurisdictions with a less well developed infrastructure?

Comment: the FTC had obviously seen that the world was going mobile so the two reports referred to above can be seen as them staking out their position, firing a warning shot about what was to come next.

And what was to come next, nine days later in fact, was the long-awaited final report on the review of COPPA, the 1998 law which, inter alia, established the “Rule of 13”. That will be the subject of my next but one blog. It will be here very soon.

About John Carr

John Carr is a member of the Executive Board of the UK Council on Child Internet Safety, the British Government's principal advisory body for online safety and security for children and young people. In the summer of 2013 he was appointed as an adviser to Bangkok-based ECPAT International. Amongst other things John is or has been a Senior Expert Adviser to the United Nations, ITU, the European Union, a member of the Executive Board of the European NGO Alliance for Child Safety Online, Secretary of the UK's Children's Charities' Coalition on Internet Safety. John has advised many of the world's largest internet companies on online child safety. In June, 2012, John was appointed a Visiting Senior Fellow at the London School of Economics and Political Science. More: http://johncarrcv.blogspot.com
This entry was posted in Advertising, Age verification, Consent, Default settings, E-commerce, Internet governance, Location, Privacy, Regulation, Self-regulation and tagged . Bookmark the permalink.