Several apps were providing location data to third-party advertisers, and also collected device identifiers that can’t be reset unless you buy a new phone.
Education apps with millions of downloads are sharing location data on kids without their knowledge, the report found.
The user may withdraw consent to Shaw Academy and our partners’ collection, use, transmission, processing and maintenance of location and account data at any time by not using the location-based features and turning off the Location Services settings (as applicable) on the users device and computer," White said in an email.
Security researchers will analyze network traffic and examine code on apps to figure out where the data is going, but the average person shouldn’t be expected to learn this skill to protect their privacy.
Researchers found that 79 out of 123 apps manually tested were sharing user data with third parties.
The manual tests found nine apps that were collecting and sharing this data with third-party advertisers, each of which were installed on at least 10 million devices.
The study also found that more than 140 third-party companies were getting data from ed tech apps, the majority of which went to Facebook, followed by Google.
One app, Shaw Academy, was collecting location data and personal identifiers and sending it to third-party marketing firm WebEngage. In June, Shaw Academy boasted that its online educational platform saw a nearly eightfold increase since COVID-19 lockdowns began in March, with the majority of its new users aged between 25 and 34.
Facebook had the widest pool, getting user data from 128 apps, followed by advertising company Unity, which got data from 72 education apps.
While the majority of apps examined in the report met privacy standards, the scale of data collection discovered raised alarms about the nature of education apps.
Security researchers often find privacy issues with apps, many of which harvest data from devices even when you don’t give consent.
Even when apps aren’t collecting your location data specifically, if they’re collecting data related to your Wi-Fi like your router details, that serves as a de facto location marker.
The study found 27 apps that were taking location data.
On average, the education apps examined shared data with at least three third-party companies.
Many of the apps also collected device identifiers along with advertising IDs, which goes against Google’s developers policy.
Researchers from the International Digital Accountability Council looked at 496 education apps across 22 countries, finding privacy issues with many of these services.
An unnamed app, which had more than 1 billion installations, didn’t know it was sharing data with the mobile analytics firm Amplitude until the researchers brought it up to the company, the report stated.
Google’s policies don’t allow developers to collect both the advertising ID and the device ID, because data brokers can just link new advertising IDs with the permanent device IDs, essentially making the effort useless.
Education apps are sending your location data and personal info to advertisers https://t.co/vDJpq9Wwej— CNET News (@CNETNews) September 1, 2020