Imagem de ilustração do projeto, com o fundo verde-água intercalado por blocos da cor azul claro, com os textos escritos em branco "dados pessoais de crianças! pra quê?", centralizado à esquerda, e "Especial Apps para Crianças InternetLab", centralizado à direita.

SPECIAL | Children’s personal data! For what?

News Privacy and Surveillance 10.18.2017 by Francisco Brito Cruz, Jacqueline Abreu and Maria Luciano

Most apps children have on smartphones or tablets have been downloaded for free. But then how do these companies survive? Well, even though you do not pay for them with money, that does not mean that you are not paying for these apps. In exchange for the apps, you offer data that can be economically explored and your attention to the advertisements within the app.

Project's illustration image, with a aqua green background interspersed with light blue blocks, with the texts written in white "dados pessoais de crianças! pra quê?", centered on the left, and "Especial Apps para Crianças InternetLab", centered on the right.

If this is the case, it is important that all these factors are well explained: what data the app collects and processes, for what purpose they are used, with whom they are shared, how they are protected against malicious third-parties, if there are and what kind of advertising is shown in the app. The basis for this demand is simple: in order to be clear about where we entering, the minimal expectation is transparency about what the apps are doing.

So this is the topic we will examine in the third post of the series Children’s Apps SPECIAL.

Our Findings

1. All apps inform, to some extent, which data is collected and what they do with it, but the format and the quality of the information are quite varied.

In this topic, the privacy policies that negatively got our attention were the ones of the Brazilian developer ZeroUm, responsible for the super popular apps Galinha Pintadinha: Músicas e Jogos para CriançasPatati Patatá and Os Pequerruchos, which only says that the apps collect “your information”, without giving more clues about what this means; and the one of the Once upon a tower app, that does not inform the purpose of the data collection and limits itself to saying that it does not process sensitive data, thus it does not even discuss what it does to other data.

Screen print with the texts, on a white background: "Pomelo Games Privacy Policy - Pomelo Games is comitted to protecting the privacy of our players. This privacy policy describes how Pomelo Games uses and protects any information that you give us when you play any of our games", "Sentive Information - Sensitive information is defined in the US Privacy Act (1974) to include information or opinion about such thins as an individual's racial or ethinic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a professional body, criminal records or helth information" and "Pomelo Games will not attempt to obtain nor record any sentive information".
The app Once upon a tower promises to “not try to obtain or register any sensitive information”, but further on the privacy policy, it affirms that “nonpersonal data” is collected by third-parties

Among the others, the majority of the consulted apps specify to some extent the data they collect [1]. Some separate between “personal data”, “sensitive data”, “nonpersonal data”, “aggregated data”, all terms of the art that have any juridical implication. Other companies opt to directly inform which data is this: the ones people inform, the ones that are automatically generated while using the app, the ones which are obtained from the device (such as unique identification and geolocation), etc.

Screen print with the text, on a white background: "What kind of Information is Collected? There are two types of data that may be collected. The first one is called personal data. This is personally identifiable information that identifies a user as an individual. Toca Boca may collect personal data that parents voluntarily provide on the website. The second type is non personal data which doesn't directly identify an individual or which may have been personal information but has had the personally identifiable information removed. Toca Boca may collect non personal information about the use of the website and apps to help us improve our services".
The app Toca Kitchen Monsters informs about collected information, separating them between personal data and nonpersonal data

Along with this information, we have clarifications about what is made with the data: eleven [2] of them catalogue in detail the several uses that involve the collected data, such as developing new services, showing advertising, protecting the developer and the users, investigate and prevent potentially illegal activities or that violate the terms of use, solve problems related to the use of the app, and send responses to the users’ demands.

Screen print with the text, on a white background: "Política de privacidade da Nintendo. Última atualização: 09/2017. A Nintendo compreende a importância de sua privacidade, portanto leia atentamente nossa política de privacidade. Nossa política se destina a auxiliá-lo a conhecer os tipos de informações que coletamos, como as utilizamos e compartilhamos e como as protegemos. Esta Política de privacidade se aplica a todos os serviços Nintendo diretamente citados ou relacionados a esta política, mas não se aplica aos serviços Nintendo abrangidos por políticas de privacidade específicas que não incluem esta política." e "Tipos de informações que coletamos: 1- Informações que você nos fornece: Quando você registra e utiliza nossos serviços, coletamos as informações que você nos fornece. Essas informações podem ser seu nome, endereço de e-mail ,número de telefone, data de nascimento, país de residência, idioma, gênero e fuso horário; 2- Informações que coletamos quando você utiliza nossos serviços: Também coletamos e processamos informações sobre sua utilização dos nossos serviços. Essas informações podem ser sobre seu dispositivo, localização, interação com nossos serviços e outros usuários Nintendo, seu conteúdo e suas compras; 3- Informações sobre seu dispositivo: Quando você utilizar nossos serviços, poderemos coletar informações específicas sobre seu dispositivo ou relacionadas a ele, como o modelo de produto, número de ́série, sistema operacional, configurações, desempenho de dispositivo, provedor de acesso à Internet, endereço IP e outros identificadores únicos; 4- Informações sobre sua localização: Com sua autorização, poderemos coletar e processar informações sobre sua localização exata. Quando tivermos informações sobre sua localização, elas serão utilizadas para adequar nossos serviços a você e outros usuários, auxiliando-o a estabelecer relações amigáveis com outros usuários Nintendo ou avisando aos seus amigos que você está nas proximidades."
Super Mario Run’s privacy policy: specification about collected information

2. Few apps address issues about the data security in detail

Cases of cybernetic attacks, theft, and leaking of data have become more and more frequent: WannaCryEquifax and Petya are only some of the examples. These attacks stirred the debate about the security policies adopted by companies that hold our data. What measures do they use to prevent that our data, and of our children, do not fall into the wrong hands?

Six apps (Snack vs. BlockPlayKids: Aprender BrincandoPouSlither.ioMeu Talking TomJogos Boutique Princesa Tailor) simply do not deal with security measures in their privacy policies. Of the other apps, only 3 (Football StrikeO Show da Luna! Jogos e Vídeos and Toca Kitchen Monsters) described the measures they adopt. Furthermore, 7 apps (Super Mario RunPerguntadosToca Kitchen MonstersDuolingoO Show da Luna! Jogos e VídeosSweet Baby Girl Doll House – Play, Care & Bed Time and Creche Sweet Baby Girl 4) admit that, despite adopting security measures, no security structure is “impenetrable”.

3. Most apps get silent about the possibility of deleting data

Out of the 20 selected apps, 9 do not deal with the deleting of user data (Snack vs. BlockOnce upon a towerGalinha Pintadinha: Músicas e Jogos para criançasPatati PatatáOs PequerruchosPou8 Ball PoolO Show da Luna! Jogos e Vídeos, and Jogos Boutique Princesa Tailor). According to the Brazilian Internet Civil Rights Framework, the definitive deletion of personal data is an assured right upon the end of the relation between the user and the internet application (art. 7, X). [3].

4. The exploitation of usage data, use of cookies, and data sharing are industry standards, even for children’s apps.

Out of the 20 analyzed apps, 16 affirm to collect usage data [4]. This is information about the way in which the user utilizes the app, such as their usage habits, preferences, and which functionalities are or not used. This information reveals their behavioral patterns, interests, and demands within the app’s functionality.

Most of the times, this information is shared with third-parties. Indeed, most apps we consulted admits to sharing information with advertisers, aggregate data analyzing companies or companies “of the same family”. The only exception is Jogos Boutique Princesa Tailor, that affirms it does not share user data with no one. The privacy policy of the Brazilian developer ZeroUm (dos apps Galinha Pintadinha: Músicas e Jogos para criançasPatati Patatá e Os Pequerruchos) simply gets silent about this issue: it does not say anything about which data, with whom, and for what they are shared. It is worth reminding that this is an important aspect to consider so that users are informed about the possibility of these companies combining data and, together, enable the construction of detailed digital profiles of the users.

Image with text "When many apps share data with the same company, that company can develop a detailed profile of all data associated with a device ID" on the left and "Special Apps for Kids InternetLab" on the right, with the infographic that conects the star and legend icons "device identifier and usage data"; game console and subtitles "device identifier and usage data" and "phone number"; lollipop and captions "device identifier and usage data" and "geolocation"; and a puzzle and caption "device identifier and usage data" with the word "Company X", linked to the phrase "device identifier" and the star icons - usage data; video game console - usage data; video game console - phone number; lollipop - usage data; lollipop - geolocation, puzzle piece - usage data; star - usage data.
The Invisibles: platforms of advertisers receive data from millions of apps and are able to build user profiles for directed advertising [5]
Another tool used for the collection of this type of data are cookies, text files which have as their main function the storing of user preferences. 13 analyzed apps (Super Mario Run, Perguntados, Football Strike, PlayKids: Aprender Brincando, Toca Kitchen Monsters, Pou, Meu Talking Tom, 8 Ball Pool, Duolingo, O Show da Luna! Jogos e VídeosSweet Baby Girl Doll House – Play, Care & Bed Time, Creche Sweet Baby Girl 4 and Jogos Boutique Princesa Tailor) expressly admit to the use of cookies. The privacy policy of the Brazilian developer ZeroUm, who is behind the apps Galinha Pintadinha: Músicas e Jogos para criançasPatati Patatá does not address this subject.

The usage data and information stored in the cookies say a lot about the behavior and the interests of the users. This data can be useful, for instance, for personalizing services and functionalities offered by an app. They are also valuable for directed advertising. When keeping a behavior log through the user’s visited pages, geolocation log, and terms researched on research mechanisms, the advertisers know more about the users’ profile and can customize ads for them, directing their products to potential costumers.

Check out below the privacy policies of all the apps that were part of this research clicking on the respective links:

[1] Super Mario RunPerguntadosFootball StrikePlaykids: Aprender Brincando, Toca Kitchen MonstersSubway SurfersPouslither.ioMeu Talking Tom8 Ball PoolDuolingoO Show da Luna! Jogos e Vídeos Jogos Boutique Princesa Tailor, Once upon a tower, Sweet Baby Girl Doll House – Play, Care & Bed Time e Creche Sweet Baby Girl 4, Snake vs. Block.

[2] Snack vs. BlockSuper Mario RunPerguntadosFootball StrikePlayKids: Aprender Brincando, 6Pouslither.io8 Ball PoolO Show da Luna! Jogos e Vídeos, Sweet Baby Girl Doll House – Play, Care & Bed TimeCreche Sweet Baby Girl 4.

[3] “Art. 7. The access to the internet is essential to the exercise of citizenship, and the following rights are assured to the user: (…) X – the definitive deletion of personal data that they provided to a determined internet application, upon their request, facing the end of the relation between the parties, with the exception of the hypotheses of mandatory storage of logs provisioned in this Law; (…)”.

[4] Snack vs. BlockSuper Mario RunFootball StrikePlayKids: Aprender BrincandoToca Kitchen MonstersSubway SurfersPouMeu Talking Tom8 Ball PoolDuolingoGalinha Pintadinha: Músicas e Jogos para criançasPatati PatatáOs PequerruchosJogos Boutique Princesa Tailor, Sweet Baby Girl Doll House – Play, Care & Bed Time e Creche Sweet Baby Girl 4. Galinha Pintadinha: Músicas e Jogos para criançasPatati Patatá and Os Pequerruchos do not expressly do it, but talk about identifying which of their products can interest the user.

[5] Infographic inspired by the FTC Report. Mobile Apps for Kids: Disclosures Still Not Making The Grade. December 2012, p. 14.

Team responsible for the project: Francisco Brito Cruz (francisco@internetlab.org.br), Jacqueline de Souza Abreu (jacqueline@internetlab.org.br) and Maria Luciano (maria.luciano@internetlab.org.br). With the collaboration of Dennys Antonialli and Pedro Lima.

Translation: Ana Luiza Araujo

compartilhe