Apps sending location, secretly.

One of the things we noticed when doing our large-scale study of children’s games was that way more apps were accessing location data than were seen actually sending it. In some ways this makes sense—COPPA quite explicitly forbids sending location data without verifiable parental consent, something that our testing framework did not provide. Nevertheless, since… Continue reading


We get letters

In late February of this year, we received word that an advertising company, ironSource, had obtained a leaked draft of our paper on COPPA violations in Android apps. In that version of the paper, we mentioned them (and their subsidiary, Supersonic) exactly once: in a table of advertising SDKs whose terms of service prohibit their… Continue reading



CVS Responds: Fake News!

As a followup to my previous post, I both emailed CVS and tweeted at them to give them an opportunity to comment on their app’s location-sharing practices: I noticed that your mobile app appears to be sharing my location data with around 40 different third parties. Can you please explain this? Is this a bug?… Continue reading