In late February of this year, we received word that an advertising company, ironSource, had obtained a leaked draft of our paper on COPPA violations in Android apps. In that version of the paper, we mentioned them (and their subsidiary, Supersonic) exactly once: in a table of advertising SDKs whose terms of service prohibit their use in child-directed apps (Table 2 of the final paper). We noted that many third-party SDKs include these clauses presumably because they do things with the received data that would violate COPPA, such as user profiling or behavioral advertising.
The point of this analysis was to show that app developers are systematically violating these contractual obligations. For instance, we noted that ironSource receives personal data from 466 unique child-directed apps.
Background on ironSource
ironSource is a mobile advertising company, which seems to specialize in highly targeted ads. Here is a screenshot from their website:
Performing this type of profiling and targeting is very likely to violate COPPA, if it is being done within apps that are directed at children under 13. This is likely why ironSource (and many other companies in this line of work) include clauses in their terms of service to prevent developers of kids’ apps from using their software. In the paper, we demonstrated that these clauses seem to be systematically violated (e.g., we observed 466 child-directed apps transmitting personal data to ironSource), and these terms don’t seem to be enforced by the SDK providers.
At the top of the policy, “Services” is defined as (again, emphasis mine):
Here is a screenshot of the policy from the Wayback Machine:
Thus, the policy indicates that children under 13 should not be allowed to see ads served by ironSource in mobile apps. How can a developer make sure that “children under the age of 13 should not be using any portion of the Services”? By not including ironSource’s SDK in child-directed apps.
On April 9, 2018, Irwin (the paper’s first author) received the following letter:Letter from ironSource
Ms. Litay, who claims to be a lawyer, claims that our paper is incorrect because it cites a clause that was removed after the paper was written! This requires significant mental gymnastics (or a significant amount of chutzpah and the misguided belief that the recipients of her letter do not know that the web is archival).
Thus, if they know that they are receiving personal data from apps with the word “kids” in their names, how can they claim to not knowingly receive data from children or child-directed apps?
After consulting with the Office of General Counsel at U.C. Berkeley, I sent the following response this week:ironSource Response