IT security How daycare apps can spy on parents and children
Researchers reviewed 42 apps and found privacy and security deficiencies, some of which were quite serious. Some apps even sell their users’ data to third parties.
Daycare apps are designed to make everyday life in daycare centres easier. Parents can use them, for example, to access reports on their children’s development and to communicate with teachers. However, some of these applications have serious security flaws. This is the conclusion reached by researchers from Ruhr-Universität Bochum (RUB), Westfälische Hochschule and the Max Planck Institute for Security and Privacy in Bochum, in collaboration with an industry partner. They analysed 42 daycare apps from Europe and the USA with regard to security and privacy. In some apps, they were able to access private photos of the children; several apps accessed users’ personal data without consent and shared them with third parties.
The team headed by Dr. Matteo Große-Kampmann, who earned his PhD at the Horst Görtz Institute for IT Security at RUB, and Dr. Maximilian Golla from the Max Planck Institute for Security and Privacy will present their findings in July 2022 in Sydney at the “22nd Privacy Enhancing Technologies Symposium”. This event is considered the most important conference in the field of privacy research. Prior to that, the results have been published online.
“According to the European General Data Protection Regulation and the US Children’s Online Privacy Protection Act, children’s data is subject to special protection,” says Maximilian Golla. “Unfortunately, we found that many apps fail to guarantee this protection.”
The analyses were carried out in cooperation with AWARE7 GmbH. The team contacted all app manufacturers before publication and made them aware of the vulnerabilities.
Used by millions
For the study, the researchers analysed Android daycare apps that they located in the Google Play Store and that offer at least the following features: both the development of the children and any special activities can be recorded in the app in the form of notes, photos and videos; the app has a messenger function through which the daycare staff can communicate with the parents; the app supports the daycare management in administrative processes such as billing, creating schedules and organising groups. The most widely used apps “Bloomz” and “brightwheel” have been downloaded more than one million times from the Google Play Store. Taken together, all apps reached about three million downloads.
In some cases, personal data is sold
Of the analysed apps, eight had serious security problems that would, for example, allow attackers to view the children’s private photos. In 40 apps, the researchers found that they monitor parents and educators: they collect the user’s phone number and email address as well as information regarding the device and use of the app, such as the time when a button was clicked. The manufacturers share and sell this and other information to third-party providers. One app developer writes: “... share data with partners for business purposes, such as the average number of diaper changes per day...”. Often, the data is shared with Amazon, Facebook, Google or Microsoft for targeted advertising campaigns.
Inadequate privacy policies
“We also looked at the privacy policies of the providers,” points out Maximilian Golla. “And a terrifying picture emerged. Many of the policies didn’t even mention that they process children’s data, let alone that they collect and sell data, even though they are required to do so by European and US law.”
But that doesn’t necessarily mean that the providers act in bad faith. “Rather, we suspect that it is a matter of technical and organisational problems,” says Matteo Große-Kampmann. According to the researchers, some providers act negligently because the linked privacy policy is not compliant, in part because it doesn’t contain information about data processing in the app or about the services offered and often hasn’t been updated for many years.
The researchers hope that their findings will draw attention to this sensitive issue, given that children’s data are at stake. “It goes without saying that daycare centre managers, daycare providers and parents can’t analyse every single app themselves,” says Matteo Große-Kampmann. “But at the end of the day, they have to take the responsibility for the decision which app to adopt.”
Guidelines and checklists
According to Maximilian Golla, rejecting daycare apps on principle is not a practicable solution, especially because providers without security problems, who comply with data protection regulations do exist. “If there is no official app, parents use messenger services like WhatsApp, which is the worst of all solutions as far as privacy is concerned,” he points out. According to the IT experts, a good idea would be for experts to draw up guidelines and checklists. For example, government agencies could make recommendations and pass them on to the associations that run the daycare centres.