2018
DOI: 10.1515/popets-2018-0021

“Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale

Abstract: We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps’ compliance with the Children’s Online Privacy Protection Act (COPPA), one of the few stringent privacy laws in the U.S. Based on our automated analysis of 5,855 of the most popular free children’s apps, we found that a majority are potentially in violation of COPPA, mainly due to their use of third-party SDKs. While many of these SDKs offer…

Cited by 139 publications (65 citation statements)
References 34 publications (32 reference statements)
“…By doing so, it provides a glimpse into how IoT toy developers' practices can fail to match their own privacy promises or adhere to federal regulations. These results corroborate the findings of Reyes et al [18] that many Android applications targeted toward children are potentially in violation of COPPA.…”
Section: Related Work
Citation type: supporting
confidence: 91%
“…More recent studies include detection of PII leakage to third parties in mobile apps [11][12][13], in enterprise network traffic [14], PII leakage in contact forms [15], and data leakage due to browser extensions [16]. In our paper we discover PII exfiltration by tracking scripts that misuse login managers (Section 4), social APIs (Section 5) and session replay scripts (Section 6).…”
Section: Background and Related Work
Citation type: mentioning
confidence: 95%
“…Starov et al apply differential testing, that is, varying the PII entered into the system and detecting the resulting changes in information flows [15]. Brookman et al [17], Starov et al [16], Ren et al [21] and Reyes et al [13] test combinations of encodings and/or hashes, which is most similar to the approach we take in Section 3.4.…”
Section: Background and Related Work
Citation type: mentioning
confidence: 99%
“…A large body of prior work has focused on detecting leakage of user data on the client-side (e.g., mobile apps, web browsers) to online trackers and advertisers [37, 38, 44, 46, 47, 49, 60-63, 69, 72]. First, some prior work has focused on detecting data leakage in mobile apps through network traffic analysis [60][61][62][63]69]. For example, Ren et al [61] showed that more than 50% of the 100 most popular mobile apps leak personally identifiable information (PII).…”
Section: Related Work
Citation type: mentioning
confidence: 99%