Parental control applications often misbehave posing privacy threats for children and even parents
IMDEA Networks Institute/DICYT The researchers Álvaro Feal (IMDEA Networks Institute), Paolo Calciati (IMDEA Software Institute), Dr. Narseo Vallina-Rodríguez (IMDEA Networks Institute), Dr. Carmela Troncoso (Spring Lab EPFL), and Dr. Alessandra Gorla (IMDEA Software Institute) have won the 'Prize for the research and Personal Data Protection Emilio Aced' given by the Spanish data protection agency (AEPD), for the paper Angel or Devil? A Privacy Study of Mobile Parental Control Apps.
Parental control apps are used by parents to monitor the use that their children make of their mobile phones, and to block access to certain features. These apps are highly intrusive by definition, as they can track the actions and movements of the children’s phone (and thus of the child). Therefore, the use of parental control apps can have implications on the privacy of both children and parents.
Existing recommendations by official bodies (such as SIP4 by the European Commission) do not take privacy into consideration, benchmarking only features such as price, capabilities, or usability. To assess such privacy risks, the team relied on a combination of static and dynamic analysis to study 46 parental control apps.
In their work, the researchers found that almost 75% of the apps contain data-driven third-party libraries for secondary purposes (namely advertisement, social networks, and analytic services) and that 67% of the apps share private data without user consent, including apps recommended by public bodies, such as IS4K (Internet Segura For Kids by INCIBE).
The researchers have presented the first multi-dimensional study of the parental control apps ecosystem from a privacy perspective. With their findings, they open a debate about the privacy risks introduced by these apps. Does the potential of parental control apps for protecting children justify the risks regarding the collection and processing of their data? This is worrisome, as current legislation (such as the GDPR) protects children’s data from being accessed without clear parental consent. So, given the potential risks of this type of software, they recommend parents to rely on non-technical solutions when possible and to have privacy in mind when choosing one of these applications.
They believe that public bodies should take privacy into account when recommending a given parental control app to raise awareness and encourage developers to follow privacy-by-design principles. The researchers from the IMDEA Networks Institute, IMDEA Software Institute and EPFL stress that it is fundamental to complement current benchmarking initiatives with a security and privacy analysis to help parents to choose the best application while taking these aspects into consideration.