November 23, 2022

How Daycare Apps Can Spy on Parents and Children

Credit: Unsplash/CC0 public domain

Daycare apps are designed to make daily life in nurseries easier. Parents can use them, for example, to access reports on their children’s development and to communicate with teachers. However, some of these applications have serious security flaws. This is the conclusion reached by researchers from the Ruhr-Universität Bochum (RUB), the Westfälische Hochschule and the Max Planck Institute for Security and Privacy Bochum, together with an industrial partner. They analyzed 42 daycare apps from Europe and the United States for security and privacy. In some apps, they were able to access private photos of children; several apps have accessed users’ personal data without their consent and shared it with third parties.

The team led by Dr. Matteo Große-Kampmann, who obtained his doctorate. at the RUB’s Horst Görtz Institute for Computer Security, and Dr. Maximilian Golla from the Max Planck Institute for Security and Privacy will present their findings in July 2022 in Sydney at the “22nd Privacy Enhancing Technologies Symposium”. Before that, the results were published online.

“In accordance with the European General Data Protection Regulation and the US Children’s Online Privacy Protection Act, children’s data is subject to special protection”, says Maximilian Golla. “Unfortunately, we found that many apps do not provide this protection.”

The analyzes were carried out in collaboration with AWARE7 GmbH. The team contacted all app makers prior to release and informed them of the vulnerabilities.

Used by millions

For the study, the researchers analyzed Android daycare apps they found in the Google Play Store that offer at least the following features: Children’s development and any special activities can be recorded in the app as notes, photos and videos; the app has a messaging function through which daycare staff can communicate with parents; the application supports daycare management in administrative processes such as billing, creating schedules and organizing groups. The most used apps “Bloomz” and “brightwheel” have been downloaded over 1 million times from the Google Play Store. Together, all the apps have reached around three million downloads.

In some cases, personal data is sold

Of the apps analyzed, eight had serious security issues that would, for example, allow attackers to see children’s private photos. In 40 apps, the researchers found that they monitored parents and caregivers: they collected the user’s phone number and email address as well as information about the device and the use of the device. application, such as the time a button was clicked. Manufacturers share and sell this and other information to third-party vendors. One app developer writes, “…share data with partners for business purposes, such as average number of diaper changes per day…”. Often the data is shared with Amazon, Facebook, Google or Microsoft for targeted advertising campaigns.

Inadequate privacy policies

“We also looked at the privacy policies of the suppliers”, specifies Maximilian Golla. “And a terrifying picture emerged. Many policies didn’t even mention that they process children’s data, let alone collect and sell data, even though they are required to do so by EU law and American.”

But this does not necessarily mean that suppliers are acting in bad faith. “We rather suspect that these are technical and organizational problems,” says Matteo Große-Kampmann. According to the researchers, some providers act negligently because the linked privacy policy is not compliant, partly because it does not contain information about data processing in the app or about the services offered and n has often not been updated for many years.

The researchers hope their findings will draw attention to this sensitive issue, given that children’s data is at stake. themselves”, says Matteo Große-Kampmann. “But ultimately they have to take responsibility for the decision to adopt the app.”

Guidelines and checklists

According to Maximilian Golla, rejecting daycare apps out of principle is not a practical solution, especially because there are providers without security problems, who comply with data protection rules. “If there is no official app, parents use messaging services like WhatsApp, which is the worst solution when it comes to privacy,” he points out.

According to IT experts, a good idea would be for experts to establish guidelines and checklists. For example, government agencies could make recommendations and pass them on to associations that run child care centres.

What you need to know about surveillance and reproductive rights in a post Roe v Wade world

Provided by Ruhr-Universitaet-Bochum

Quote: How Daycare Apps Can Spy on Parents and Children (July 7, 2022) Retrieved July 7, 2022 from

This document is subject to copyright. Except for fair use for purposes of private study or research, no part may be reproduced without written permission. The content is provided for information only.