With the coronavirus pandemic pushing schools online out of public health concerns, parents and teachers are turning to digital alternatives like apps to bridge the virtual gap. While kids can learn via these apps, hundreds of advertisers are learning about them, too.
Researchers from the International Digital Accountability Council looked at 496 education apps across 22 countries, finding privacy issues with many of these services. Several apps were providing location data to third-party advertisers, and also collected device identifiers that can't be reset unless you buy a new phone.
While the majority of apps examined in the report met privacy standards, the scale of data collection discovered raised alarms about the nature of education apps.
Researchers found that 79 out of 123 apps manually tested were sharing user data with third parties. That data going to advertisers could include your name, email address, location data and device ID. The study also found that more than 140 third-party companies were getting data from ed tech apps, the majority of which went to Facebook, followed by Google.
Security researchers often find privacy issues with apps, many of which harvest data from devices even when you don't give consent.
Even if you do give permission, the data is often shared with multiple third parties that use the data in their own ways. You may allow your weather app to get your location for accurate forecasts, but that app's data partners can use it for advertising or law enforcement purposes.
App creators often also use software development kits, or SDKs, as shortcuts rather than making their software from scratch, which can also lead to data-stealing schemes.
Security researchers will analyze network traffic and examine code on apps to figure out where the data is going, but the average person shouldn't be expected to learn this skill to protect their privacy.
These privacy concerns are common across apps, but it's a bigger issue among education apps since the majority of people using them are children. Education apps with millions of downloads are sharing location data on kids without their knowledge, the report found.
"When you have a population of users that is so heavily focused on younger people, that raises sensitivity that developers should be aware of and the platforms should be vigilant about," IDAC president Quentin Palfrey said.
Learning about you
The researchers manually tested 78 Android apps and 45 iOS apps, some of which overlapped, for a combined 98 unique apps. They also automatically tested 421 Android apps in their research.
The manual tests are more thorough, and look at how personal data is collected, who it's sent to, and what kind of information is being taken.
One app, Shaw Academy, was collecting location data and personal identifiers and sending it to third-party marketing firm WebEngage. In June, Shaw Academy boasted that its online educational platform saw a nearly eightfold increase since COVID-19 lockdowns began in March, with the majority of its new users aged between 25 and 34.
"This location data is collected anonymously, unless the user provides consent. The user may withdraw consent to Shaw Academy and our partners' collection, use, transmission, processing and maintenance of location and account data at any time by not using the location-based features and turning off the Location Services settings (as applicable) on the users device and computer," White said in an email.
WebEngage, which specializes in targeted advertising on Facebook, email and push notifications, boasts that it tracks 400 million people per month. The company didn't respond to a request for comment.
Even when apps aren't collecting your location data specifically, if they're collecting data related to your Wi-Fi like your router details, that serves as a de facto location marker.
Router data is often tied to locations -- unless you're actively moving your router around -- which means that advertisers are aware when you're on a home Wi-Fi network or one in a coffee shop.
Many of the apps also collected device identifiers along with advertising IDs, which goes against Google's developers policy. Your phone has multiple identifiers, but developers are generally not allowed to collect persistent identifiers.
You can reset your Android and Apple advertising IDs, but you can't reset your device ID unless you get a new phone. Google's policies don't allow developers to collect both the advertising ID and the device ID, because data brokers can just link new advertising IDs with the permanent device IDs, essentially making the effort useless.
The manual tests found nine apps that were collecting and sharing this data with third-party advertisers, each of which were installed on at least 10 million devices. The researchers found that Duolingo, a popular language learning app, was sharing Android IDs and advertising IDs with Facebook.
Duolingo didn't respond to a request for comment.
On average, the education apps examined shared data with at least three third-party companies. Facebook had the widest pool, getting user data from 128 apps, followed by advertising company Unity, which got data from 72 education apps.
An unnamed app, which had more than 1 billion installations, didn't know it was sharing data with the mobile analytics firm Amplitude until the researchers brought it up to the company, the report stated.
"Our investigation did not reveal any misconduct by these third parties, but the scale and opacity of the data-collection is noteworthy and presents some risks to the health of the ed tech ecosystem," the report said.
The study also found that 46% of apps it tested used a "potentially concerning" SDK. It collects data in the background, and people wouldn't ever know unless they had the same tools and capabilities as security researchers.
"Our concern is how little users know and can control about what happens once data is collected through a relationship between the app and the SDK," Palfrey said. "If you don't know about it, you can't control it, and you can't say no to it."
Because these apps are circumventing permissions requests and the trackers are often hidden from public view, it's hard to give advice to parents and teachers who have privacy concerns. The fix relies on regulators and platforms like Google and Apple to kick off misbehaving apps, the watchdog group said.
"A lot of what we saw are the kinds of things that can be best remedied by good developer practices, good platform oversight or greater regulatory scrutiny," Palfrey said. "As opposed to the kinds of things that parents or teachers on their own are able to remedy."