
Welcome to The Cybersecurity 202! I unfortunately didn’t make it to the RSA cyber conference this year. For everyone who’s there, I hope you’re ending at least one night with some dandan noodles in Chinatown and a walk to see the sea lions at Pier 39 — a close-to-perfect San Francisco evening.

Below: Israel wants the controversial spyware firm NSO removed from a U.S. export ban, and abortion providers are racing to protect their data ahead of a Roe v. Wade decision.

To get around the law, app makers claim their clearly kid-friendly products aren't aimed at kids

Apps clearly designed to entertain children are also gathering their data at an alarming scale — violating the spirit of the law meant to maintain children’s privacy and creating concern about kids’ safety online.

The scale is remarkable. More than two-thirds of the 1,000 most popular iPhone apps directed at children are scooping up kids’ information for advertising purposes — often including their location and other identifying information, The Post’s tech columnist Geoffrey A. Fowler reports this morning.


About 79 percent of Android apps directed at children are doing the same thing. The data was shared exclusively with Geoffrey by the fraud and compliance software company Pixalate.

Privacy perils

The findings demonstrate how children are routinely subjected to the same privacy and cybersecurity perils as adults when they go online — even though they have far less understanding of the dangers.

They also show how app makers routinely exploit a major loophole in the main law meant to protect children online — the 1998 Children’s Online Privacy Protection Act (COPPA).

“[App makers] are placing their profits over the mental health and social well-being of every child in America, because that’s the power they have today,” Sen. Edward J. Markey (D-Mass.), an original sponsor of the child protection bill, told Geoffrey.

Excuses

The loophole exploited by app makers is simple. They just claim that their apps aren’t directed specifically at children. And they ensure they don’t collect any information that might prove otherwise.


Geoffrey turned up some nearly absurd examples.

Pixel Art, a coloring app that has categories for dinosaurs and unicorns, told Geoffrey it was a “general audience” app that wasn’t specifically directed at children. It was collecting users’ location, internet addresses and a code that could identify their phone to others in the ad industry.

An app called The Calculator marketed itself as a way to “make math homework fun” while simultaneously saying it was not targeted at people younger than 16.

Some apps claimed to not be directed at children even though app stores listed them as appropriate for users as young as 4 years old.

Geoffrey described it to me as “the equivalent of convenience store clerks looking the other way when kids try to buy beer.”

Apps and services are restricted from gathering data on kids' online activity. But a loophole in current rules lets them do it anyway. (Video: Jonathan Baran/The Washington Post)

The response

There are a handful of fixes in the works. Most prominently, Markey and Rep. Kathy Castor (D-Fla.) are pushing COPPA updates that would require companies to figure out if kids under 16 are using their apps rather than turning a blind eye — something they call “constructive knowledge” — and hold them accountable for ensuring those kids’ data isn’t being collected.

The first big concern here is privacy. “By the time the average child reaches 13, online advertising firms hold an average of 72 million data points about them, according to one estimate,” Geoffrey reports.

But security concerns are a close second. Those 72 million data points could be hacked and exposed online. Information that’s collected by advertisers and meant to be anonymous can frequently be patched together to identify specific people and highly personal details such as their search histories and interests.


This is just the latest evidence that app makers are playing fast and loose with children’s data — and exploiting loopholes in COPPA.

Just last month Human Rights Watch published a report that found roughly 90 percent of online learning apps that schools adopted during the height of the pandemic were collecting children’s data.

The big COPPA loopholes in that case included disingenuously claiming the apps weren’t meant for children under 13 and having schools consent to gathering children’s data on behalf of parents.

Geoffrey puts a large share of the blame on app stores run by Apple and Google.

Those tech giants do impose child-specific privacy rules for apps but rarely enforce them unless an app says it’s specifically directed at children.

Apple and Google also offer no option for parents to search just for apps that adhere to child privacy rules and won’t collect their kids’ data.

The companies disputed the Pixalate results. Google said the company’s methodology for identifying child-directed apps was “overly broad.” Apple said Pixalate has a conflict of interest because it sells services that help advertisers comply with privacy laws.

“Bottom line: If you’re a parent who wants to make sure your kids’ apps respect their privacy, it takes work,” Geoffrey writes.

The keys

Abortion providers race to protect data ahead of Roe v. Wade decision

People who work at health clinics that perform abortions are limiting their electronic footprints amid fears that prosecutors could use such data in criminal investigations if Roe v. Wade is overturned, NBC News’s Kevin Collier reports.

For example: Some are switching to encrypted messaging apps and phone calls to communicate rather than emails.

The scramble comes after Politico published a draft Supreme Court opinion last month, with a majority of the court’s justices voting to strike down Roe v. Wade. In recent weeks, privacy experts have warned that prosecutors could go after abortion providers by gathering information from data brokers or using metadata from fertility apps to find women seeking abortions. While that’s not impossible, prosecutors are far more likely to probe digital trails like emails and internet search histories for abortion-related crimes, Collier reports.


“I’m not planning anything illegal,” Camelback Family Planning owner Gabrielle Goodrick told Kevin. But it’s hard to say what will be legal after the Supreme Court announces its decision, Goodrick told Collier. “It’s confusing to know what’s going to happen,” she said.

Israel asked U.S. to remove NSO from export blacklist

The effort marks a course reversal after Israeli officials initially decided not to lobby the Biden administration to remove NSO from a blacklist that restricts the company’s ability to receive U.S. technologies, Axios’s Barak Ravid reports. It’s not clear if the Biden administration is considering the request.

Lawyers working for NSO are separately pushing for the company to be removed from the export ban known as the Entity List. “The lawyers sent a request for an appeal to the Department of Commerce and asked for a hearing, which hasn't taken place,” Barak writes. The White House isn’t stepping into the process, a White House official told him.


The Biden administration put NSO on the Entity List in November, saying that foreign governments used the company’s hacking tools to “maliciously target” journalists, activists and government officials. Dozens of phones belonging to activists, journalists and executives were targeted with NSO spyware, an investigation last year by The Washington Post and 16 media partners found.

U.S. authorities got court orders for travel data companies to monitor a notorious Russian hacker

The court orders told travel data companies Sabre and Travelport to provide weekly reports on Russian hacker Aleksei Burkov to prosecutors and/or the U.S. Secret Service starting in late 2015, Forbes’s Thomas Brewster reports.

Burkov was arrested in Israel in December 2015 and extradited to the United States, where he pleaded guilty to hacking charges. In 2020, Burkov was sentenced to nine years in prison but was deported to Russia last year in an apparent extradition.


Sabre and Travelport are giants in the travel data industry, “collecting and storing information about international tourists in a so-called global distribution system,” Brewster writes.

Law enforcement officials used a 233-year-old law to ask for the data. Under the All Writs Act of 1789, they can ask for “non-burdensome” help from third parties, Brewster reports. Critics say use of the law is couched in secrecy, and that the law could be abused without transparency.

It’s not clear if the data the companies were ordered to give U.S. law enforcement led to Burkov’s arrest. A Sabre spokesperson told Brewster that the firm takes “seriously our obligation to protect data of Sabre users and to follow the law.” A Travelport spokesperson told him that the company is “unable to comment regarding the details of this matter.” Neither company would tell Forbes whether it challenged the order or complied without protest.


Daybook

A House Homeland Security Committee panel holds a hearing on cryptocurrency and terrorism today at 9 a.m.

The Senate Judiciary Committee hosts a hearing on threats to election workers Tuesday at 10 a.m.

The House Energy and Commerce Committee holds a hearing on privacy legislation Tuesday at 10:30 a.m.

Carol House, the National Security Council’s director for cybersecurity and secure digital innovation, speaks at an Atlantic Council event on cybersecurity challenges with central bank digital currencies Wednesday at 12:30 p.m.

Secure log off

Two options

⚪️ edit/delete message
🔘 blend phone

pic.twitter.com/jNXoAp9Qjx — Washington Post TikTok Guy 🫠 (@davejorgenson) June 9, 2022

Thanks for reading. See you tomorrow.
