The paper "Angel or Devil? A Privacy Study of Mobile Parental Control Apps" has won the Research and Personal Data Protection Emilio Aced Award

The paper "Angel or Devil? A Privacy Study of Mobile Parental Control Apps" has won the Research and Personal Data Protection Emilio Aced Award

January 28, 2021

The researchers Álvaro Feal (IMDEA Networks Institute), Paolo Calciati (IMDEA Software Institute), Narseo Vallina-Rodríguez (IMDEA Networks Institute), Carmela Troncoso (Spring Lab EPFL), and Alessandra Gorla (IMDEA Software Institute) have won the “Emilio Aced Award for the Research and Personal Data Protection” given by the Spanish data protection agency (AEPD), for the paper “Angel or Devil? A Privacy Study of Mobile Parental Control Apps.”

Parental control apps are used by parents to monitor the use that their children make of their mobile phones, and to block access to certain features. These apps are highly intrusive by definition, as they can track the actions and movements of the children’s phone (and thus of the child). Therefore, the use of parental control apps can have implications on the privacy of both children and parents.

The study

Existing recommendations by official bodies (such as SIP4 by the European Commission) do not take privacy into consideration, benchmarking only features such as price, capabilities, or usability. To assess such privacy risks, Álvaro, Paolo, Narseo, Carmela and Alessandra relied on a combination of static and dynamic analysis to study 46 parental control apps.

In their work, the researchers found that almost 75% of the apps contain data-driven third-party libraries for secondary purposes (namely advertisement, social networks, and analytic services) and that 67% of the apps share private data without user consent, including apps recommended by public bodies, such as IS4K (Internet Segura For Kids by INCIBE).

They also found that these apps were not transparent about their data collection practices, as 80% of the apps that share data with third parties do not name them in their privacy policy.

Conclusions

The researchers have presented the first multi-dimensional study of the parental control apps ecosystem from a privacy perspective. With their findings they open a debate about the privacy risks introduced by these apps. Does the potential of parental control apps for protecting children justify the risks regarding the collection and processing of their data? This is worrisome, as current legislation (such as the GDPR) protects children’s data from being accessed without clear parental consent. So, given the potential risks of this type of software, they recommend parents to rely on non-technical solutions when possible and to have privacy in mind when choosing one of these applications.

They believe that public bodies should take privacy into account when recommending a given parental control app to raise awareness and encourage developers to follow privacy-by-design principles. The researchers from the IMDEA Software Institute, IMDEA Networks Institute and Spring Lab EPFL stress that it is fundamental to complement current benchmarking initiatives with a security and privacy analysis to help parents to choose the best application while taking these aspects into consideration.

Joint press release Paper link

Pic