According to a new research report published by the nonprofit Me2B Alliance, around 60 percent of school apps are sending student data to a wide range of high-risk third parties without getting the permission of either the students or their parents.
The study audited 73 apps from 38 different schools spread over 14 U.S. states. It involved almost half a million people, including students, their teachers, and family members. The organization warned that school apps must not include third-party data channels and that an “unacceptable amount” of school data was being shared with third parties through these apps, specifically with analytics and advertising platforms.
“The findings from our research show the pervasiveness of data sharing with high-risk entities and the amount of people whose data could be compromised due to schools’ lack of resources… The study aims to bring these concerns to light to ensure the right funding support and protections are in place to safeguard our most vulnerable citizens – our children,” Lisa LeVasseur, executive director of Me2B Alliance, said on the organization’s website.
The study found that around 18 percent of the apps had links to very high risk third parties, meaning that such parties probably re-shared the data with hundreds of thousands of entities. 67 percent of public school apps were found to be sending data to third parties, which is 10 percent higher than private school apps.
Each app had, on average, 10 third-party data channels. Android apps were more likely to share children’s private data as compared to iOS apps. In addition, Android apps are more likely to be sending that data to third parties that are classified as high or very high risk.
SDKs and ad software
The apps analyzed in the study used 56 unique software development kits (SDK), most of which belonged to tech firms like Google, Facebook, Twitter, Amazon, Apple, Square, and Adobe. Around 48.6 percent of all SDKs in the apps were owned by Google, with Facebook following in the second place with 14.4 percent. 100 percent of all Android apps that included SDKs were found to be sending data to Google.
“The Apple and Google app stores must update (or create, in the case of Google) privacy labels to include a list of all the SDKs that are installed in every app, including the name of the SDK owner/parent company. That way parents and students can make informed decisions about where they want to send their data… Google must revisit its Family Ads Program to ensure adequate protections and practices are in place. Additionally, it must perform independent validation of the self-provided assessments,” the report said in its recommendation.
The report comes as several companies, including Viacom and Disney, recently agreed to remove certain ad software from their apps targeted at children. These companies, which also included 10 advertising firms, were accused of violating the privacy of millions of children worldwide and faced three class-action suits in this regard.
According to the lawsuits, the accused companies installed tracking software in children’s gaming apps without parental consent. The software enabled tracking children over multiple devices and apps, encouraging them to make in-app purchases. Though the companies arrived at a settlement, they refused to admit having done anything wrong.
The issue of safeguarding kids from tech companies is also a hot topic in the UK at present, with TikTok facing legal challenges on how it uses children’s data. The company is facing a legal challenge on behalf of every child using TikTok since May 25, 2018. The claim is being filed by Anne Longfield, former children’s commissioner for England. It alleges that TikTok obtains personal information without proper warning and without letting parents know what is being done with such data.
If the claim ends up being a success, every affected child could potentially get thousands of pounds in compensation. “TikTok is a hugely popular social media platform that has helped children keep in touch with their friends during an incredibly difficult year. However, behind the fun songs, dance challenges and lip-sync trends lies something far more sinister… [The firm is] a data collection service that is thinly veiled as a social network [which has] deliberately and successfully deceived parents,” Longfield told BBC.