A federal lawsuit filed recently in California claims that The Walt Disney Company “secretly collects personal information on some of their youngest customers and shares that data illegally with advertisers without parental consent.” Yikes.
The complaint (PDF) alleges that Disney, and the creators of popular 3rd party advertising libraries and (software development kits) SDKs Upsight, Unity, and Kochava, which are embedded into 43 popular Disney apps (full list below), are violating the law by harvesting information about users under the age of 13 for “commercial exploitation”. If true, this could mean that the parties involved violated COPPA (Children’s Online Privacy Protection Act). Disney denies any wrongdoing, stating that they have a “robust” COPPA compliance program and that they complied with the law’s privacy disclosure requirements.
The lawsuit claims the advertising SDKs collect device and user persistent identifiers, which are considered PII (Personally Identifiable Information), to track users across different apps and services, and then share that collected data with advertising services which provide targeted ads. The complaint then argues that the apps fail to properly verify parental consent for these invasive behaviors in apps that are clearly targeting children under 13.
So, other than freaking out those of us in the security industry who have children, what does this news mean to our readers with respect to enterprise mobile security? Here are a few thoughts:
The news highlights how often even large companies rely on 3rd party developers to either outsource the entire development of their apps or provide 3rd party SDKs and libraries to add functionality and advertising or tracking capabilities. The use of 3rd party software often introduces behaviors and risks that even the app developer is not aware of, which could expose large companies to receiving bad press, hurting their brand, or worse, facing legal action related to compliance issues around security and privacy. As Appthority has highlighted before, not all app risk comes from malware or with malicious intent. More often than not, risk is introduced by accident, so it’s important for Enterprise Security teams to leverage services like Appthority’s app security testing. A MARS (Mobile Application Reputation Service) like Appthority can be used not just to automatically analyze apps on employees devices within our Mobile Threat Protection (MTP) solution, but also to analyze enterprise developed apps (whether developed in-house or through a 3rd party) before they are published to internal enterprise app stores or external app stores for customer distribution.
Another point this news brings home is that even free apps aren’t really free. Apps rely on monetizing user data. And, if children’s game apps from reputable companies like Disney can exhibit this type of user surveillance, what can we expect from apps that don’t have stricht COPPA requirements? Developers have to support their development efforts to create content, make updates, provide support, add new features, etc. However, the app ecosystem has evolved in a way that makes it difficult to sell apps, as most users often choose free apps. In order for users to receive these apps for “free,” developers rely on ad networks and tracking solutions to learn everything they can about the users and then sell targeted ads. However, it’s also worth noting that smartphones are the perfect spying tool. They are with us 24/7, they are always on, and they have multiple cameras, a microphone, GPS, as well as ALL of our most precious data. It makes sense that it’s not just ad networks that are investing in user surveillance, but also governments and bad actors who wish to gain insight into users, or the users employers. Again, another reason to invest in Mobile Threat Protection.
Lastly, employees are consumers too. Do your employees know what risks are found in the apps they use every day, whether for work or for personal use? As a parent, many of us would think twice about allowing our kids to use apps if we knew how the apps behave in the background. As users, we’d think twice about using certain apps if we knew they didn’t properly protect our personal data. However, as users, we just don’t know the risks. Enterprises can change that by deploying a Mobile Threat Protection solution. The optional employee app in Appthority’s solution, for example, gives employees the power to self manage and self remediate mobile risks, but more importantly, the knowledge to confidently manage their own privacy and data risk. Our customer’s have had great success in improving their risk profiles by providing the Mobile Threat Protection App as an employee benefit. Some have seen a 90%+ install rate. These employees now have the power to learn about app risks before they even install potentially risky apps on their devices. Obviously this change of behavior (vs just downloading apps from the official app stores without any knowledge of risks) protects user’s data, but vicariously, it also protects the enterprise. Win-win.
We’ll continue to monitor the Disney case for further development, but Appthority customers can rest assured that their employees, their data, and their kids’ data, continue to be protected.
The full list of affected apps named in the complaint includes:
- Beauty and the Beast
- Perfect Match
- Cars Lightening League
- Club Penguin Island
- Color by Disney
- Disney Color and Play
- Disney Crossy Road
- Disney Dream Treats
- Disney Emoji Blitz
- Disney Gif
- Disney Jigsaw Puzzle!
- Disney LOL
- Disney Princess: Story Theater
- Disney Store Become
- Disney Story Central
- Disney’s Magic Timer by Oral-B
- Disney Princess: Charmed Adventures
- Dodo Pop
- Disney Build It Frozen
- DuckTales: Remastered
- Frozen Free Fall
- Frozen Free Fall: Icy Shot
- Good Dinosaur Storybook Deluxe
- Inside Out Thought Bubbles
- Maleficent Free Fall
- Miles from Tomorrowland: Missions
- Moana Island Life
- Olaf’s Adventures
- Palace Pets in Whisker Haven
- Sofia the First Color and Play
- Sofia the First Secret Library
- Star Wars: Puzzle DroidsTM
- Star WarsTM: Commander
- Temple Run: Oz
- Temple Run: Brave
- The Lion Guard
- Toy Story: Story Theater
- Where’s My Water?
- Where’s My Mickey?
- Where’s My Water? 2
- Where’s My Water? Lite/Where’s My Water? Free
- Zootopia Crime Files: Hidden Object
Read more mobile security blog posts here.