Which Apps Are Safe for Kids? Three Tools That Read the Fine Print for You

Data Privacy

Which Apps Are Safe for Kids? Three Tools That Read the Fine Print for You

By Emily Tate     Dec 17, 2018

Which Apps Are Safe for Kids? Three Tools That Read the Fine Print for You

Some apps do more harm than good. And “free” apps often come with hidden costs. These tenets hold as true for education apps as they do for those in the consumer market, privacy experts contend.

A recent New York Times investigation found that many companies receive such precise, extensive data on their users that they—and anyone else they share this information with—could easily identify a single individual and pinpoint their location. That user data is often sold to or shared with other companies, such as advertisers who have a vested interest in behavioral data, and it’s not as anonymous as people think. This is how many free apps monetize.

Every time users click “allow” when an app asks them to enable location services or provide access to their contacts, microphone or folders, they are potentially making a transaction: sharing their personal information in exchange for using the app.

Yet few users read the fine print—let alone students, as researchers have found. Today, the Apple app store alone features more than 75,000 education apps. Countless more are available for Android devices. But which are safe to use with students? And how can you be sure?

There’s not enough time in the day for educators to read each company’s privacy policy. Those who make the time will often find that the policies tend to be long, dense and difficult to decipher. Harder still is uncovering the trackers that reveal how the data is being shared.

Fortunately, several tools have done the heavy lifting for educators and parents. Below are three resources you could use when considering whether an app is appropriate for students.

Common Sense Privacy Evaluations

Common Sense, a nonprofit education and advocacy organization, maintains a database that evaluates edtech tools on whether they are safe for use in schools.

The privacy evaluations are broken down into three tiers: blue (“Use Responsibly”), yellow (“Use with Caution”) and red (“Not Recommended”).

“That’s our best way of communicating what’s in a 20-page privacy policy,” says Girard Kelly, counsel and director of the privacy review at Common Sense.

When establishing each rating, Common Sense’s privacy team considers federal and state privacy regulations as well as industry best practices. It’s all covered in the team’s 150-question rubric, which is used to assign a tier to each tool.

Tools that earn a “Use Responsibly” badge meet Common Sense’s minimum criteria, while those that are labeled “Use with Caution” fail to clearly or fully define how they protect student information. Apps that are deemed “Not Recommended” either don’t support data encryption or lack a complete privacy policy.

Since the project began in 2015, the privacy team has evaluated nearly 300 education apps. But that’s just the tip of the iceberg, Kelly tells EdSurge.

The team started by evaluating about 200 apps that school district leaders indicated as high priority—in other words, those that were most downloaded in the app store or that district leaders identified as most popular in their schools. “Some of these apps have millions of kids using them,” Kelly says. “That alone is a huge footprint.”

Common Sense recently began chipping away at the remaining 3,000 apps they identified, going in alphabetical order. Most of the ones that have been evaluated are outright educational apps. The ones they’ll be focusing on in the next year tend to be situated in the consumer space—think Angry Birds, Instagram and Pinterest, which are not intended for learning but are used widely by kids.

The team may never be able to provide an exhaustive list, not least because the privacy evaluations are incredibly time-intensive, Kelly explains. For each app, the team spends between eight and 16 hours reviewing it.

Of the 297 apps evaluated to date, the majority (187) earned a yellow “Use with Caution” badge.

Common Sense Privacy Evaluations

Take Duolingo. The language-learning platform earned a yellow badge and received an overall score of 31 out of 100. That’s because Duolingo shares data for advertising or marketing purposes, displays behavioral or contextual advertisements and provides data to third-parties, according to Common Sense.

Quizlet, on the other hand, earned a yellow badge and received an overall score of 52. Quizlet, like Duolingo, displays behavioral or contextual ads and allows third parties to collect its data. However, it earned a higher overall score than Duolingo because Quizlet’s privacy policy explicitly states that it does not sell or rent data to third parties, whereas Duolingo’s policy doesn’t clarify one way or the other.

This is an important distinction, Kelly says. Just because a company does not have a clearly written policy does not mean that it is engaging in bad or questionable practices. At the same time, by not having a clear statement, the company implicitly assumes that users are okay should the company decide to do them.

Before publishing a company’s privacy evaluation, someone at Common Sense contacts the company to discuss what was found and “open up a dialogue,” Kelly says.

“If we want to raise the bar, we need to make sure these companies understand,” he says. “It’s very valuable information for them.”

Kelly has had many conversations with officials at companies that fall into the “Use with Caution” category, and what he’s noticed is that a lot of them aren’t writing certain practices, such as the selling of user data or behavioral advertising, into their privacy policies “because they feel it doesn’t apply to them,” he explains. “They’re asking, ‘Why do I need to talk about behavioral advertising if I don’t do it?’”

In a number of cases, Kelly adds, vendors have reached back out about a month after their initial conversation to say they’ve updated their policies to better reflect their practices. It’s a huge reason Common Sense is spending the time on this project, he says.

The privacy evaluations have been useful for educators, too. Common Sense meets with its 200 district partners every month and hears that many of them are using the evaluations in their procurement processes.

AppCensus

Another tool—though not specific to edtech—is AppCensus.

AppCensus, powered by a group of privacy and security researchers based in Berkeley, Calif., analyzes smartphone apps and outlines the personally identifiable information (PII) the apps extract and share with third parties. (Its slogan is “Learn the privacy costs of free apps.”) It issues badges if an app falls into any of these three categories: “Transmits sensitive data,” “uses sensitive permissions” and has “no privacy policy.”

For example, ClassDojo, a classroom communication app, earned a badge from AppCensus for “transmitting sensitive data” on its app. ClassDojo requests permission to access users’ location, storage, microphone, camera and start silently (a setting that allows the app to start running when the device is turned on).

AppCensus determines whether an app transmits personal information or device identifiers, which are unique to each person and track behavior over time. Device IDs are very helpful for advertisers and analytics companies. The AppCensus tool also identifies the recipients of each app user’s data. In the case of ClassDojo, a relatively harmless example, data goes back to the company and to Google Crashlytics. In the case of Quizlet, data is sent to Facebook and Google ad services, according to AppCensus.

AppCensus has tested many of the same education apps reviewed by Common Sense (search for other app reports here). The catch with AppCensus is that, due to certain restrictions on iOS, AppCensus is only able to analyze Android apps.

Privacy of education apps
Source: Common Sense, AppCensus and Exodus.

Exodus

Another privacy evaluation tool, created and maintained by Exodus, a French non-profit organization, is also limited to Android apps.

Exodus publicizes how many trackers—or software that collects data about users and their usage—and permissions are found in each app. For Duolingo, it found 15 trackers and 22 permissions, and for Schoology, a K-12 learning management system, it found three trackers and 11 permissions.

In each report, Exodus identifies where the trackers are coming from. Some common origins are ads and analytics services offered by Google and Facebook, along with other tools like Flurry, Inmobi and MixPanel.

None of the three aforementioned tools provide a perfect picture of an app’s data-sharing practices or privacy policies. The important thing, Kelly says, is that educators, parents and students use these tools as a gateway into greater awareness and control of their own data.

“Because this can happen invisibly,” he says, referring to the sharing and selling of user data, “those two big things—awareness and control over the collection and use of your information—are a good place to start.”

Some apps do more harm than good. And “free” apps often come with hidden costs. These tenets hold as true for education apps as they do for those in the consumer market, privacy experts contend.

A recent New York Times investigation found that many companies receive such precise, extensive data on their users that they—and anyone else they share this information with—could easily identify a single individual and pinpoint their location. That user data is often sold to or shared with other companies, such as advertisers who have a vested interest in behavioral data, and it’s not as anonymous as people think. This is how many free apps monetize.

Every time users click “allow” when an app asks them to enable location services or provide access to their contacts, microphone or folders, they are potentially making a transaction: sharing their personal information in exchange for using the app.

Yet few users read the fine print—let alone students, as researchers have found. Today, the Apple app store alone features more than 75,000 education apps. Countless more are available for Android devices. But which are safe to use with students? And how can you be sure?

There’s not enough time in the day for educators to read each company’s privacy policy. Those who make the time will often find that the policies tend to be long, dense and difficult to decipher. Harder still is uncovering the trackers that reveal how the data is being shared.

Fortunately, several tools have done the heavy lifting for educators and parents. Below are three resources you could use when considering whether an app is appropriate for students.

Common Sense Privacy Evaluations

Common Sense, a nonprofit education and advocacy organization, maintains a database that evaluates edtech tools on whether they are safe for use in schools.

The privacy evaluations are broken down into three tiers: blue (“Use Responsibly”), yellow (“Use with Caution”) and red (“Not Recommended”).

“That’s our best way of communicating what’s in a 20-page privacy policy,” says Girard Kelly, counsel and director of the privacy review at Common Sense.

When establishing each rating, Common Sense’s privacy team considers federal and state privacy regulations as well as industry best practices. It’s all covered in the team’s 150-question rubric, which is used to assign a tier to each tool.

Tools that earn a “Use Responsibly” badge meet Common Sense’s minimum criteria, while those that are labeled “Use with Caution” fail to clearly or fully define how they protect student information. Apps that are deemed “Not Recommended” either don’t support data encryption or lack a complete privacy policy.

Since the project began in 2015, the privacy team has evaluated nearly 300 education apps. But that’s just the tip of the iceberg, Kelly tells EdSurge.

The team started by evaluating about 200 apps that school district leaders indicated as high priority—in other words, those that were most downloaded in the app store or that district leaders identified as most popular in their schools. “Some of these apps have millions of kids using them,” Kelly says. “That alone is a huge footprint.”

Common Sense recently began chipping away at the remaining 3,000 apps they identified, going in alphabetical order. Most of the ones that have been evaluated are outright educational apps. The ones they’ll be focusing on in the next year tend to be situated in the consumer space—think Angry Birds, Instagram and Pinterest, which are not intended for learning but are used widely by kids.

The team may never be able to provide an exhaustive list, not least because the privacy evaluations are incredibly time-intensive, Kelly explains. For each app, the team spends between eight and 16 hours reviewing it.

Of the 297 apps evaluated to date, the majority (187) earned a yellow “Use with Caution” badge.

Common Sense Privacy Evaluations

Take Duolingo. The language-learning platform earned a yellow badge and received an overall score of 31 out of 100. That’s because Duolingo shares data for advertising or marketing purposes, displays behavioral or contextual advertisements and provides data to third-parties, according to Common Sense.

Quizlet, on the other hand, earned a yellow badge and received an overall score of 52. Quizlet, like Duolingo, displays behavioral or contextual ads and allows third parties to collect its data. However, it earned a higher overall score than Duolingo because Quizlet’s privacy policy explicitly states that it does not sell or rent data to third parties, whereas Duolingo’s policy doesn’t clarify one way or the other.

This is an important distinction, Kelly says. Just because a company does not have a clearly written policy does not mean that it is engaging in bad or questionable practices. At the same time, by not having a clear statement, the company implicitly assumes that users are okay should the company decide to do them.

Before publishing a company’s privacy evaluation, someone at Common Sense contacts the company to discuss what was found and “open up a dialogue,” Kelly says.

“If we want to raise the bar, we need to make sure these companies understand,” he says. “It’s very valuable information for them.”

Kelly has had many conversations with officials at companies that fall into the “Use with Caution” category, and what he’s noticed is that a lot of them aren’t writing certain practices, such as the selling of user data or behavioral advertising, into their privacy policies “because they feel it doesn’t apply to them,” he explains. “They’re asking, ‘Why do I need to talk about behavioral advertising if I don’t do it?’”

In a number of cases, Kelly adds, vendors have reached back out about a month after their initial conversation to say they’ve updated their policies to better reflect their practices. It’s a huge reason Common Sense is spending the time on this project, he says.

The privacy evaluations have been useful for educators, too. Common Sense meets with its 200 district partners every month and hears that many of them are using the evaluations in their procurement processes.

AppCensus

Another tool—though not specific to edtech—is AppCensus.

AppCensus, powered by a group of privacy and security researchers based in Berkeley, Calif., analyzes smartphone apps and outlines the personally identifiable information (PII) the apps extract and share with third parties. (Its slogan is “Learn the privacy costs of free apps.”) It issues badges if an app falls into any of these three categories: “Transmits sensitive data,” “uses sensitive permissions” and has “no privacy policy.”

For example, ClassDojo, a classroom communication app, earned a badge from AppCensus for “transmitting sensitive data” on its app. ClassDojo requests permission to access users’ location, storage, microphone, camera and start silently (a setting that allows the app to start running when the device is turned on).

AppCensus determines whether an app transmits personal information or device identifiers, which are unique to each person and track behavior over time. Device IDs are very helpful for advertisers and analytics companies. The AppCensus tool also identifies the recipients of each app user’s data. In the case of ClassDojo, a relatively harmless example, data goes back to the company and to Google Crashlytics. In the case of Quizlet, data is sent to Facebook and Google ad services, according to AppCensus.

AppCensus has tested many of the same education apps reviewed by Common Sense (search for other app reports here). The catch with AppCensus is that, due to certain restrictions on iOS, AppCensus is only able to analyze Android apps.

Privacy of education apps
Source: Common Sense, AppCensus and Exodus.

Exodus

Another privacy evaluation tool, created and maintained by Exodus, a French non-profit organization, is also limited to Android apps.

Exodus publicizes how many trackers—or software that collects data about users and their usage—and permissions are found in each app. For Duolingo, it found 15 trackers and 22 permissions, and for Schoology, a K-12 learning management system, it found three trackers and 11 permissions.

In each report, Exodus identifies where the trackers are coming from. Some common origins are ads and analytics services offered by Google and Facebook, along with other tools like Flurry, Inmobi and MixPanel.

None of the three aforementioned tools provide a perfect picture of an app’s data-sharing practices or privacy policies. The important thing, Kelly says, is that educators, parents and students use these tools as a gateway into greater awareness and control of their own data.

“Because this can happen invisibly,” he says, referring to the sharing and selling of user data, “those two big things—awareness and control over the collection and use of your information—are a good place to start.”

Trending

Get our email newsletterSign me up
Keep up to date with our email newsletterSign me up