Ad Software Dev Doesn't Like Being Called Out For Privacy Violations; Sends Threatening Letter To Researchers Who Exposed It

from the fixing-it-in-post dept

The Children’s Online Privacy Protection Act (COPPA), passed in 1998, governs the sort of data that can be collected from children under the age of 13. That’s why kids have to age themselves prematurely to create accounts on some social media networks. It’s a law kids under the age of 13 subvert every day, but it’s in place to protect kids from online services and restricts information collected by apps and online services that cater to children.

Unfortunately, there are a lot of app developers ignoring this law. A recently-published research paper shows a host of violations and questionable practices that smartphone/tablet app developers are engaged in. Serge Egelman, one of the paper’s co-authors, notes that thousands of apps are violating this law every day. In just one example, an advertising SDK (software development kit) made by ironSource is harvesting personal data from 466 child-directed apps.

It’s not as though this is a simple oversight. In an earlier blog post detailing COPPA violations, Egelman points out Android developers must take a series of affirmative steps to market apps directed at children. There’s a long list of stipulations that must be met before Google will allow apps to become part of its Designed For Families program.

Apps using ironSource’s SDK are being marketed to kids, making the presence of a targeted advertising tool not merely questionable, but possibly illegal. As Egelman’s blog post notes, it certainly violates ironSource’s own terms of service. This is taken from its privacy policy, as archived late last year.

The Services are not directed to children under the age of 13 and children under the age of 13 should not use any portion of the Services. ironSource also does not knowingly collect or maintain personal information collected online from children under the age of 13, to the extent prohibited by the Children’s Online Privacy Protection Act.

“Services” is explained further in the Privacy Policy.

This Privacy Policy (the “Privacy Policy”) describes how ironSource Ltd. and its subsidiaries (collectively “ironSource” or “we”, “us”, “our”) uses end users [sic] (“you” or “your”) information when you view ads served by platforms and services operated by ironSource Mobile Ltd. on third party websites or mobile apps (the “Services”).

This would appear to indicate children under the age of 13 should not see ads served by ironSource. The easiest way to do that would be not to use the targeted ad SDK, as Egelman points out. But the research shows the opposite occurs repeatedly, with developers adding ironSource’s ad software to their apps before shoving them into the “Family” section of the Play Store.

This research paper — and the attendant blog posts — weren’t published until this year. Shortly after publication, ironSource apparently chose to express its irritation with being named and shamed as an accomplice in COPPA violations. But the story is stranger than it first appears. IronSource apparently obtained a leaked copy of the report prior to its official publication. The angry letter it sent Egelman’s research partner, Irwin Reyes, claims their report is “inaccurate and misleading.” But if it is, it’s only because ironSource performed a legalese switcheroo after receiving the leaked paper.

To our surprise, between first receiving a leaked draft of our paper in February and sending this letter in April—presumably while they waited for the paper to appear online, for plausible deniability, so that they would not have to explain how they came into possession of a stolen draft—ironSource updated their privacy policy to remove the clause about children not using their services. The current policy, dated March 4, 2018 (i.e., after they were aware of the paper), now simply says that they have no knowledge of receiving data from children.

The letter involves ironSource blundering far across the line between clever and stupid.

Ms. Litay, who claims to be a lawyer, claims that our paper is incorrect because it cites a clause that was removed after the paper was written! This requires significant mental gymnastics (or a significant amount of chutzpah and the misguided belief that the recipients of her letter do not know that the web is archival).

Even with the hastily-applied patch job, ironSource’s COPPA “compliance” deserves scare quotes. ironSource is claiming it has “no knowledge” of personal data being collected from children under the age of 13. But this can’t possibly be true, even with its reworded privacy policy.

Looking at just our dataset for all the apps transmitting personal information to ironSource, several developers’ names include words like “child,” “baby,” or “kids.”

Behind all of this is a company displeased its questionable and possibly illegal business practices have become the subject of an unflattering research paper. The letter [PDF] ends with a veiled lawsuit threat, claiming the researchers’ fully-substantiated claims “may result in substantial financial damage” to ironSource.

Egelman’s response [PDF] pulls no punches. It calls out ironSource for its lie about its privacy policy’s wording.

IronSource’s privacy policy (or rather, the privacy policy of Supersonic, ironSource’s subsidiary), at the time that we accessed it (September of 2017, as documented in the article and since deleted from ironSource’s website), stated the following:

“The Services are not directed to children under the age of 13 and children under the age of 13 should not use any portion of the Services.”

Your allegations appear to be based upon your interpretation of the term “Services,” which you claim is defined as being those services that ironSource offers to app developers, and presumably not what is collected from end-users. That is, your letter is claiming that these statements mean that you do not allow developers under 13 to sign up on your website to use your SDK, and not that the SDK should only be used in non-child-directed apps. This may be a reasonable interpretation of the privacy policy and terms of service as they are currently written.

But that’s not how they were written before the paper was published — and before ironSource obtained a copy. Before then, the terms of service stated children under 13 should not use “this portion” of the services, referring to ironSource’s targeted ad SDK. If the SDK was bundled with apps targeting kids, information was harvested by the SDK in violation of federal law.

As to the thinly-veiled legal threat closing out ironSource’s ridiculous C&D, Egelman says, “Bring it on.”

As you know, the verbatim quotation in our paper of Supersonic’s privacy policy as it existed at the time the paper was written, and our reasonable interpretation of that privacy policy are protected speech. You can appreciate, I hope, our concern about your implied threat of a commercial defamation lawsuit, and our perspective that any such action would be a Strategic Lawsuit Against Public Participation (SLAPP), prohibited by California’s anti-SLAPP statute (Ca. Code of Civ. Proc., §§425.16 et seq.). Your concern about ironSource’s financial interests and reputation is not likely to be well served by unfounded threats to academic researchers acting in the public interest.

Rather than let the research paper filter its way into the collective consciousness with possibly minimal reputational damage, ironSource has chosen to draw more attention to it by attempting to silence its authors. Now, it looks like a company that threatens critics when not violating federal privacy laws. Retconning its privacy policies before calling researchers liars is just prime stupidity. The internet is forever. So is ironSource’s self-inflicted damage.

Companies: ironsource


Comments on “Ad Software Dev Doesn't Like Being Called Out For Privacy Violations; Sends Threatening Letter To Researchers Who Exposed It”

22 Comments
Ninja (profile) says:

Advertisement has become so aggressively annoying and intrusive that I find myself wishing a fiery death to most of them. This doesn’t help fix that of course but explains in part why I arrived at this point. And I’m guessing others will agree.

As if I needed more reasons to hate advertisements, yesterday I was attending class and started reading an article about the subject we were studying. I was suddenly interrupted by a full screen ad in my phone with sound. Had to close the browser to stop the goddamn thing. Of course I installed an ad blocker right after the fact (I hadn’t used the browser on that phone before so I hadn’t taken some needed steps). Go die in hell ads.

Anonymous Coward says:

Re: Re:

"Advertisement has become so aggressively annoying and intrusive that I find myself wishing a fiery death to most of them."

And as you say that, I have an annoyingly large banner ad at the top of the screen that says "Only 6 days left to get your copy of the CIA’s declassified training game by backing CIA: Collect It All on Kickstarter"

It’s enough to make me wish that Kickstarter should offer some kind of refund or exchange mechanism for the people who wanted to make the project they donated to raise enough funds to proceed forward and not fail, but were later turned off when it got turned into a lucrative cash cow that went well beyond its goal but still never stopped annoyingly asking for more money over and over.

Such a refund system would not be hard for Kickstarter to implement. They could for instance use the new money coming in that’s over twice the established project goal amount to refund to the people who want to pull out. At 2x the original goal, the project would still be a raving success, but such a policy could help put a damper on the number of Kickstarter operators who start to grow too big for their britches and need to be put on a diet.

Just a thought.

Ninja (profile) says:

Re: Re: Re:

This actually doesn’t annoy me for a few reasons.
it’s served by Techdirt site itself
it’s something that will help fund a site I like and follow almost daily
you can easily close it
you can turn off all other advertising without ad blockers if you so wish
*no sounds, no full screen bullshit
This is actually very reasonable. Troy Hunt did it to his own site. There’s a strip displayed between the top menu and the content of the site itself and nothing else. Why should it bother me if it helps the owners without being obnoxious?

Ninja (profile) says:

Re: Re: Re: Re:

Markdown fail.

This actually doesn’t annoy me for a few reasons.

-it’s served by Techdirt site itself
-it’s something that will help fund a site I like and follow almost daily
-you can easily close it
-you can turn off all other advertising without ad blockers if you so wish
-no sounds, no full screen bullshit

This is actually very reasonable. Troy Hunt did it to his own site. There’s a strip displayed between the top menu and the content of the site itself and nothing else. Why should it bother me if it helps the owners without being obnoxious?

Anonymous Coward says:

Re: Re: Re:2 Re:

Just because you experience something yourself does not necessarily mean that other people will also. Web pages have always had a reputation for appearing different because of variations in operating systems, browsers, plugins, screen sizes … and spoofing. (Anyway, the “X” appears on the left side of the banner, not the right.) Neither of those two banners (why are two needed anyway?) will go away (even with Javascript enabled) but I suppose I can always just edit the code and reload the pages if things get too bad … or maybe I can just stay away from Techdirt for the next week until the banners are gone.

Anonymous Coward says:

Re: Re: Re:3 Re:

I’m sure you are still moaning over the loss of Gopher. You must be one of the three remaining server operators left. There’s a good reason why Gopher died and the Web flourished: the former forced a certain structure on pages, while the latter enabled free expression. With Gopher, you would not get obnoxious ads, but I’d rather have the Web and block all the damned content.

John85851 (profile) says:

Re: Re: Re:

I’m not sure if you’re being serious or sarcastic, but in case you’re being serious, the 1 line of text at the top of TechDirt is FAR, FAR better than other sites:

At DeviantArt, the top half of the screen would be taken up with a big message saying “We know you’re not here for ads, but please turn your AdBlocker off”. They’re telling their users that the “best experience” involves letting the ad-system serve them annoying, flashing ads and possibly malware.

At ComicsAlliance, there’s a javascript pop-up that’s coded so you have 3 minutes to disable your ad-blocker (and allow ads, malware, etc) or a big banner will cover the entire page and stop you from reading it. Yes, you can disable javascript which disables the pop-up, but that also blocks the images from appearing, which isn’t helpful on a comic book site.

DogBreath says:

Re: Re:

I was thinking more precisely Ms. Litay got up that morning from under the wrong side of an Einstein-Rosen bridge (in an alternate universe), and then tried to sell said bridge too.

That, or someone divided by zero again and attempted to solve it using Common Core Math, thus fracturing the space-time continuum.

ECA (profile) says:

TIME

Ummmmm!
1998 to 2018??
It took them 20 years to discover something we have KNOWN FOR YEARS??????
Anyone ever TRY to go to a Kids cartoon site??
Used to be cartoons..

TRYING to get these people to QUIT, is as hard as Quitting smoking..
And they will find every way/form/fashion/cheap trick and MAKE NEW ONES..
It won't matter, what computer interface you use..
THEY GET PAID..and who is paying them??

Roku is getting bad. depending on channel, it's as BAD as cable tv. And they REPEAT the same adverts in the SAME position, you get to watch 2-3 of the same commercial.

It's fun to have a few single player, Anywhere you can, GAMES..but they Mostly want connection to the net.

AND the idea of playing a 2 player direct, both in same room/location and use BT??

Smart phones COULD BE SMART..I would watch a commercial EACH time I OPENED(not phone calls) my device for use. But Every #@$@$ program HAS THEM..and many want to Start when you turn it on..

How many times do you need to SHUT THINGS OR GET RID OF THEM, so your hours aren't used up?? I've had my phone charged and sitting near me, and Lose 50% of its power in 1-2 hours..

About ready for a trip to Canada to see if a person up there can do the SAME for me, he does for gangs, and turn OFF EVERYTHING..Un-solder them..so no one can track me or remote turn on the GPS..

Anonymous Coward says:

Re: Re:

The SDK is not free software, or at least not in their GitHub account, so it likely is proprietary software which enforces some kind of EULA by requiring registration and payments under the company name and likely some app detail, e.g. the app ID. It was suggested in the article that many apps for children contain some hint about their intended audience in the title, likely also in the ID. I’m not familiar with the text of COPPA, but I would expect some required scrutiny for the company and that failure to do so results in punishment. But maybe it’s just some slap on the wrist?

King says:

Re: Re: Re:

What you wrote doesn’t make any sense.

It would be an unnecessary burden for a company that works with many apps to actually make a conclusion about the nature of the app just based on the app name. It is not even suggested by the COPPA, and can be easily proved as a lousy indicator. For example, there can be apps named “Kid Rock Music App”, “Killer Barbie”, “Sweet Child of Mine Fan App”, etc. Which would likely not be considered as directed to children.
On the other hand, there are many apps that are directed to children that have names that have nothing to do with children like “Hair Saloon”, “Minion Rush”, etc.
