Serious Privacy Concerns
In the course of the pandemic, we’ve seen schools shift to digital tools and mobile apps at an unprecedented rate. Schools have had to face several challenges with this, including online classroom hijacking, malware-ridden school laptops, and general privacy and security concerns. Many of the apps used for educational purposes gather personal information during account creation and while using the app. But apparently, most apps also send student data to third parties in some way, shape or form. This is what a new study by the Me2B Alliance (Me2BA) revealed. The Me2B Alliance is a not-for-profit organization that engages individuals (the Me’s) and technology businesses (the B’s) in the process of testing online products’ behavior. Their goal is to “foster the respectful treatment of people by technology”. Members include software engineers, policy analysts, experts, and business and philanthropic leaders.
Creating More Awareness
For this study, Me2BA’s Product Testing Team audited a random sample of 73 apps from 38 schools in 14 states across the US. Thus, covering over half a million people using educational apps. 85% of the schools in the study have students younger than 13. The audit methodology mainly consisted of examining the data flow from the apps to external third-party vendors by analyzing their software development kits (SDKs). Most apps come packaged with SDKs. SDKs almost always start running behind the scenes as soon as a user opens a mobile app. Me2BA’s main intention is to increase awareness and show stakeholders what’s happening “under the hood”. They say that school administrators and decision-makers often have to rely on the expertise of software suppliers. Furthermore, creators of educational apps are sometimes unaware of the downstream behavior of some of their technology partners.
High-Risk Behavior
The researchers studied both the number and the type of SDKs included in the mobile apps. In particular, they categorized the SDKs based on their potential for abuse or exploitation of user’s personal information. As such, all advertising SDKs in educational apps are considered high-risk. Analytics SDKs are also seen as high-risk because they often fingerprint individuals. The study found that most, if not all, of the apps collect personally identifying information such as name, age, and other information. Moreover, nearly all were designed to access people’s calendars, contacts, location, USB storage devices as well as network data, such as IP addresses. Several also seek access to the device’s camera, microphone, device ID and call information.
Most Apps Share Data
When users grant the app permission to access sensitive information, the same information is accessible by SDKs. This doesn’t mean they do access the information, but they can. So, there is a possibility that a large amount of information is shared. And Me2DA’s researchers revealed that this happens on a large scale. Here are some of Me2BA’s key findings:
On average, there were more than 10 third-party data channels per app (some from the same developer or owner, so this number is not equivalent to the number of third parties) 60% of school apps (44 out of 73) were sending student data to a variety of third parties, including advertising platforms like Google and Facebook Public-school apps are more likely to send student data to third parties than private-school apps (67% public vs. 57% private school apps) 18% of public-school apps sent data to very high-risk third parties, that further share data with potentially hundreds or thousands of networked entities Promising fact: 29 apps didn’t include SDKs
iOs versus Android
Android apps appear to be more reckless with third-party data sharing. Of the 44 apps that were sharing data with third parties, no less than 73% were Android apps. A whopping 91% of them send data to high-risk third parties, compared to 26% of iOs apps. And 20% of Android apps send data to very high-risk third parties, while only 2.6% of iOS apps do. All of the Android apps sent data to Google. Androids are notorious for data sharing, and this has been a finding in previous studies as well. There are a few reasons why this might be the case. Worldwide, there’s a wider adoption of Android devices (72% vs 28%). However, in the US, the iOS operating system is dominant. Apple’s new App Tracking Transparency rules now obliges developers to ask users for permission before sharing any of their data. However, this only counts for apps updated since December 2020, while most educational apps are relatively young and have not yet been updated. Androids, on the other hand, rely more on external SDKs to facilitate app development.
Me2BA’s Conclusion
Me2BA’s Product Testing Team finds that the amount of data school apps share with third parties, and particularly advertisers and analytics platforms, is unacceptable. In fact, the team is of the opinion that school apps should not include third-party data channels at all. Moreover, apps don’t give users enough information about which third parties are getting their data. Both app stores (Apple and Google Play) must make this clearer. “The findings from our research show the pervasiveness of data sharing with high-risk entities and the amount of people whose data could be compromised due to schools’ lack of resources,” said Lisa LeVasseur, executive director of Me2B Alliance. “The study aims to bring these concerns to light to ensure the right funding support and protections are in place to safeguard our most vulnerable citizens – our children.”