Ad Software Dev Doesn't Like Being Called Out For Privacy Violations; Sends Threatening Letter To Researchers Who Exposed It

from the fixing-it-in-post dept

The Children's Online Privacy Protection Act (COPPA), passed in 1998, governs the sort of data that can be collected from children under the age of 13. That's why kids have to age themselves prematurely to create accounts on some social media networks. It's a law kids under the age of 13 subvert every day, but it's in place to protect kids from online services and restricts information collected by apps and online services that cater to children.

Unfortunately, there are a lot of app developers ignoring this law. A recently-published research paper shows a host of violations and questionable practices that smartphone/tablet app developers are engaged in. Serge Egelman, one of the paper's co-authors, notes that thousands of apps are violating this law every day. In just one example, an advertising SDK (software development kit) made by ironSource is harvesting personal data from 466 child-directed apps.

It's not as though this is a simple oversight. In an earlier blog post detailing COPPA violations, Egelman points out Android developers must take a series of affirmative steps to market apps directed at children. There's a long list of stipulations that must be met before Google will allow apps to become part of its Designed For Families program.

Apps using ironSource's SDK are being marketed to kids, making the presence of a targeted advertising tool not merely questionable, but possibly illegal. As Egelman's blog post notes, it certainly violates ironSource's own terms of service. This is taken from its privacy policy, as archived late last year.

The Services are not directed to children under the age of 13 and children under the age of 13 should not use any portion of the Services. ironSource also does not knowingly collect or maintain personal information collected online from children under the age of 13, to the extent prohibited by the Children’s Online Privacy Protection Act.

"Services" is explained further in the Privacy Policy.

This Privacy Policy (the “Privacy Policy”) describes how ironSource Ltd. and its subsidiaries (collectively “ironSource” or “we”, “us”, “our”) uses end users [sic] (“you” or “your”) information when you view ads served by platforms and services operated by ironSource Mobile Ltd. on third party websites or mobile apps (the “Services”).

This would appear to indicate children under the age of 13 should not see ads served by ironSource. The easiest way to do that would be not to use the targeted ad SDK, as Egelman points out. But the research shows the opposite occurs repeatedly, with developers adding ironSource's ad software to their apps before shoving into the "Family" section of the Play Store.

This research paper -- and the attendant blog posts -- weren't published until this year. Shortly after publication, ironSource apparently chose to express its irritation with being named and shamed as an accomplice in COPPA violations. But the story is stranger than it first appears. IronSource apparently obtained a leaked copy of the report prior to its official publication. The angry letter it sent Egelman's research partner, Irwin Reyes, claims their report is "inaccurate and misleading." But if it is, it's only because ironSource performed a legalese switcheroo after receiving the leaked paper.

To our surprise, between first receiving a leaked draft of our paper in February and sending this letter in April—presumably while they waited for the paper to appear online, for plausible deniability, so that they would not have to explain how they came into possession of a stolen draft—ironSource updated their privacy policy to remove the clause about children not using their services. The current policy, dated March 4, 2018 (i.e., after they were aware of the paper), now simply says that they have no knowledge of receiving data from children.

The letter involves ironSource blundering far across the line between clever and stupid.

Ms. Litay, who claims to be a lawyer, claims that our paper is incorrect because it cites a clause that was removed after the paper was written! This requires significant mental gymnastics (or a significant amount of chutzpah and the misguided belief that the recipients of her letter do not know that the web is archival).

Even with the hastily-applied patch job, ironSource's COPPA "compliance" deserves scare quotes. ironSource is claiming it has "no knowledge" of personal data being collected from children under the age of 13. But this can't possibly be true, even with its reworded privacy policy.

Looking at just our dataset for all the apps transmitting personal information to ironSource, several developers’ names include words like “child,” “baby,” or “kids.”

Behind all of this is a company displeased that its questionable and possibly illegal business practices have become the subject of an unflattering research paper. The letter [PDF] ends with a veiled lawsuit threat, claiming the researchers' fully-substantiated claims "may result in substantial financial damage" to ironSource.

Egelman's response [PDF] pulls no punches. It calls out ironSource for its lie about its privacy policy's wording.

IronSource’s privacy policy (or rather, the privacy policy of Supersonic, ironSource’s subsidiary), at the time that we accessed it (September of 2017, as documented in the article and since deleted from ironSource’s website), stated the following:

"The Services are not directed to children under the age of 13 and children under the age of 13 should not use any portion of the Services."

Your allegations appear to be based upon your interpretation of the term “Services,” which you claim is defined as being those services that ironSource offers to app developers, and presumably not what is collected from end-users. That is, your letter is claiming that these statements mean that you do not allow developers under 13 to sign up on your website to use your SDK, and not that the SDK should only be used in non-child-directed apps. This may be a reasonable interpretation of the privacy policy and terms of service as they are currently written.

But that's not how they were written before the paper was published -- and before ironSource obtained a copy. Before then, the terms of service stated children under 13 should not use "this portion" of the services, referring to ironSource's targeted ad SDK. If the SDK was bundled with apps targeting kids, information was harvested by the SDK in violation of federal law.

As to the thinly-veiled legal threat closing out ironSource's ridiculous C&D, Egelman says, "Bring it on."

As you know, the verbatim quotation in our paper of Supersonic’s privacy policy as it existed at the time the paper was written, and our reasonable interpretation of that privacy policy are protected speech. You can appreciate, I hope, our concern about your implied threat of a commercial defamation lawsuit, and our perspective that any such action would be a Strategic Lawsuit Against Public Participation (SLAPP), prohibited by California’s anti-SLAPP statute (Ca. Code of Civ. Proc., §§425.16 et seq.). Your concern about ironSource’s financial interests and reputation is not likely to be well served by unfounded threats to academic researchers acting in the public interest.

Rather than let the research paper filter its way into the collective consciousness with possibly minimal reputational damage, ironSource has chosen to draw more attention to it by attempting to silence its authors. Now, it looks like a company that threatens critics when not violating federal privacy laws. Retconning its privacy policies before calling researchers liars is just prime stupidity. The internet is forever. So is ironSource's self-inflicted damage.

Filed Under: advertising, apps, coppa, irwin reyes, privacy, researchers, serge egelman, threats
Companies: ironsource


Reader Comments


  • Ninja, 16 May 2018 @ 3:33am

    Advertisement has become so aggressively annoying and intrusive that I find myself wishing a fiery death to most of them. This doesn't help fix that of course but explains in part why I arrived at this point. And I'm guessing others will agree.

    As if I needed more reasons to hate advertisements, yesterday I was attending class and started reading an article about the subject we were studying. I was suddenly interrupted by a full screen ad in my phone with sound. Had to close the browser to stop the goddamn thing. Of course I installed an ad blocker right after the fact (I hadn't used the browser on that phone before so I hadn't taken some needed steps). Go die in hell ads.

    • ryuugami, 16 May 2018 @ 3:52am

      Re:

      There are advertisements on the internet?

      Signed, a happy user of a dozen or so blocking extensions, who also prefers *not* licking the sidewalk.

    • Anonymous Coward, 16 May 2018 @ 4:24am

      Re:

      "Advertisement has become so aggressively annoying and intrusive that I find myself wishing a fiery death to most of them."

      And as you say that, I have an annoyingly large banner ad at the top of the screen that says "Only 6 days left to get your copy of the CIA's declassified training game by backing CIA: Collect It All on Kickstarter"

      It's enough to make me wish that Kickstarter should offer some kind of refund or exchange mechanism for the people who wanted to make the project they donated to raise enough funds to proceed forward and not fail, but were later turned off when it got turned into a lucrative cash cow that went well beyond its goal but still never stopped annoyingly asking for more money over and over.

      Such a refund system would not be hard for Kickstarter to implement. They could for instance use the new money coming in that's over twice the established project goal amount to refund to the people who want to pull out. At 2x the original goal, the project would still be a raving success, but such a policy could help put a damper on the number of Kickstarter operators who start to grow too big for their britches and need to be put on a diet.

      Just a thought.

      • Ninja, 16 May 2018 @ 5:59am

        Re: Re:

        This actually doesn't annoy me for a few reasons. it's served by Techdirt site itself it's something that will help fund a site I like and follow almost daily you can easily close it you can turn off all other advertising without ad blockers if you so wish *no sounds, no full screen bullshit This is actually very reasonable. Troy Hunt did it to his own site. There's a strip displayed between the top menu and the content of the site itself and nothing else. Why should it bother me if it helps the owners without being obnoxious?

        • Ninja, 16 May 2018 @ 6:00am

          Re: Re: Re:

          Markdown fail.

          This actually doesn't annoy me for a few reasons.

          -it's served by Techdirt site itself
          -it's something that will help fund a site I like and follow almost daily
          -you can easily close it you can turn off all other advertising without ad blockers if you so wish
          -no sounds, no full screen bullshit

          This is actually very reasonable. Troy Hunt did it to his own site. There's a strip displayed between the top menu and the content of the site itself and nothing else. Why should it bother me if it helps the owners without being obnoxious?

      • Anonymous Coward, 16 May 2018 @ 7:49am

        Re: Re:

        "I have an annoyingly large banner ad at the top of the screen"

        Does it flash, move around to cover what you want to look at, spew audio, or other really annoying crap?

        • Anonymous Anonymous Coward, 16 May 2018 @ 8:15am

          Re: Re: Re:

          It's worse than that. There is another reading fail. Over to the right, no no, all the way over to the right there is a little 'x' in a box. The meta tag says "Hide This Announcement" and whoa and behold, click it and it does.

          • Anonymous Coward, 16 May 2018 @ 8:39am

            Re: Re: Re: Re:

            Just because you experience something yourself does not necessarily mean that other people will also. Web pages have always had a reputation for appearing different because of variations in operating systems, browsers, plugins, screen sizes ... and spoofing. (Anyway, the "X" appears on the left side of the banner, not the right.) Neither of those two banners (why are two needed anyway?) will go away (even with Javascript enabled) but I suppose I can always just edit the code and reload the pages if things get too bad ... or maybe I can just stay away from Techdirt for the next week until the banners are gone.

            • Anonymous Coward, 16 May 2018 @ 8:44am

              Re: Re: Re: Re: Re:

              Poor baby

            • Anonymous Coward, 16 May 2018 @ 11:43pm

              Re: Re: Re: Re: Re:

              I'm sure you are still moaning over the loss of Gopher. You must be one of the three remaining server operators left. There's a good reason why Gopher died and the Web flourished : the former forced a certain structure on pages, while the latter enabled free expression. With Gopher, you would not get obnoxious ads, but I'd rather have the Web and block all the damned content.

          • Anonymous Coward, 17 May 2018 @ 3:26pm

            Re: Re: Re: Re:

            Wait, this isn't one of those hijacked ads where the X that should close the window is actually the "install malware and destroy my PC" button is it?

      • John85851, 16 May 2018 @ 10:12am

        Re: Re:

        I'm not sure if you're being serious or sarcastic, but in case you're being serious, the 1 line of text at the top of TechDirt is FAR, FAR better than other sites:

        At DeviantArt, the top half of the screen would be taken up with a big message saying "We know you're not here for ads, but please turn your AdBlocker off". They're telling their users that the "best experience" involves letting the ad-system serve them annoying, flashing ads and possibly malware.

        At ComicsAlliance, there's a javascript pop-up that's coded so you have 3 minutes to disable your ad-blocker (and allow ads, malware, etc) or a big banner will cover the entire page and stop you from reading it. Yes, you can disable javascript which disables the pop-up, but that also blocks the images from appearing, which isn't helpful on a comic book site.

      • Anonymous Coward, 16 May 2018 @ 3:37pm

        Re: Re:

        This is some high-quality concern trolling that also has no idea how Kickstarter projects work.

      • Anonymous Coward, 16 May 2018 @ 3:53pm

        Re: Re:

        "Just a thought." You are a true waste of space...

  • Anonymous Coward, 16 May 2018 @ 4:20am

    Ms. Litay, who claims to be a lawyer, claims that our paper is incorrect because it cites a clause that was removed after the paper was written!

    Ms. Litay must be trapped in a temporal distortion.

    • DogBreath, 16 May 2018 @ 9:55am

      Re:

      I was thinking more precisely Ms. Litay got up that morning from under the wrong side of an Einstein-Rosen bridge (in an alternate universe), and then tried to sell said bridge too.

      That, or someone divided by zero again and attempted to solve it using Common Core Math, thus fracturing the space-time continuum.

  • ECA, 16 May 2018 @ 4:57am

    TIME

    Ummmmm!
    1998 to 2018??
    It took them 20 years to discover something we have KNOWN FOR YEARS??????
    Anyone ever TRY to go to a Kids cartoon site??
    Used to be cartoons..

    TRYING to get these people to QUIT, is as hard as Quitting smoking..
    And they will find every way/form/fashion/cheap trick and MAKE NEW ONES..
    It won't matter, what computer interface you use..
    THEY GET PAID..and who is paying them??

    Roku is getting bad. depending on channel, it's as BAD as cable tv. And they REPEAT the same adverts in the SAME position, you get to watch 2-3 of the same commercial.

    It's fun to have a few single player, Anywhere you can, GAMES..but they Mostly want connection to the net.

    AND the idea of playing a 2 player direct, both in same room/location and use BT??

    Smart phones COULD BE SMART..I would watch a commercial EACH time I OPENED(not phone calls) my device for use. But Every #@$@$ program HAS THEM..and many want to Start when you turn it on..

    How many times do you need to SHUT THINGS OR GET RID OF THEM, so your hours aren't used up?? I've had my phone charged and sitting near me, and Lose 50% of its power in 1-2 hours..

    About ready for a trip to Canada to see if a person up there can do the SAME for me, he does for gangs, and turn OFF EVERYTHING..Un-solder them..so no one can track me or remote turn on the GPS..

  • I.T. Guy, 16 May 2018 @ 5:47am

    But the research shows the opposite occurs repeatedly, with developers adding ironSource's ad software to their apps before shoving into the "Family" section of the Play Store.

    "before shoving into the "Family" section of the Play Store."

    Before being shoved? And shoved how exactly?

    • Anonymous Coward, 16 May 2018 @ 10:03am

      Re:

      The SDK is not free software, or at least not in their Github account, so it likely is proprietary software which enforces some kind of EULA by requiring registration and payments under the company name and likely some app detail, e.g. the app ID. It was suggested in the article that many apps for children contain some hint about their intended audience in the title, likely also in the ID. I'm not familiar with the text of COPPA, but I would expect some required scrutiny for the company and that failure to do so results in punishment. But maybe it's just some slap on the wrist?

      • King, 16 May 2018 @ 12:56pm

        Re: Re:

        What you wrote doesn't make any sense.

        It would be an unnecessary burden for a company that works with many apps to actually make a conclusion about the nature of the app just based on the app name. It is not even suggested by the COPPA, and can be easily proved as a lousy indicator. For example, there can be apps named "Kid Rock Music App", "Killer Barbie", "Sweet Child of Mine Fan App", etc. Which would likely not be considered as directed to children.
        On the other hand, there are many apps that are directed to children that have names that have nothing to do with children like "Hair Saloon", "Minion Rush", etc.
