Last year, several parents at EFF enrolled kids in daycare and were instantly told to download an application for managing their children’s care. These applications frequently include notifications of feedings, diaper changes, pictures, activities, and who picked up or dropped off the child—potentially useful features for overcoming separation anxiety of newly enrolled children and their anxious parents. But working at a privacy-oriented organization, as we do, we had concerns about the security of this data.
Normally, our student privacy work focuses on those in elementary or middle school at the youngest. But EFF goes where the security risks are, so we decided to dig into these concerns further.
First, our technologists investigated the apps to identify privacy and security flaws. Next, our legal experts identified gaps in the law and highlighted the need for regulatory action in a letter to the Federal Trade Commission (“FTC”). And finally, our advocacy team reiterated our concerns in comments submitted to the FTC, in response to its request for public input on commercial surveillance.
The Investigation
EFF’s technologists, led by Director of Engineering Alexis Hancock, investigated several popular daycare apps and quickly uncovered dangerous security and privacy flaws in the way these apps function.
Lackluster security was rampant: common practices included public access to children’s photos, weak password policies, and inadequate or even absent encryption.
We also discovered that we weren’t alone in our concern. Of 42 daycare apps that privacy experts researched, 13 companies did not specify the data they collect in their privacy policies. In policies of those that do describe data collection processes, most admitted to sharing sensitive information (such as the average number of diaper changes per day) with third parties. Only 10 of the 42 apps stated in their privacy policies that they did not share data with third parties—but seven of those 10 actually were doing so anyway.
We alerted these app makers to the flaws. But unfortunately, little change was made to fix these problems, and in many cases, there was no response at all.
Letter to FTC
Given the lack of response from the app developers themselves, we decided to raise a red flag to the FTC, asking them to look into the matter and address the rampant negligence.
The letter describes our troubling findings regarding the sensitivity of the data collected by these apps and the lack of sufficient privacy and security protections in place.
It also points out that current laws don’t address the problem. The Children’s Online Privacy Protection Act only applies to operators of online services “directed to” children under 13; early education and daycare apps, however, are used solely by adults. The Family Educational Rights and Privacy Act also falls short: It restricts schools from disclosing students’ “education records” to certain third parties without parental consent, but does not typically regulate the actions of third parties who may receive that data, such as daycare apps.
“Since parents do not have the tools or proper information to currently assess the privacy and security of their children’s data in daycare and early education apps, the Federal Trade Commission should review the current gaps in the law and assess potential paths to strengthen protections for young children’s data, or investigate other means to improve protections for children’s data in this context,” the letter concludes.
FTC Comments
The letter was subsequently included as part of an open comments period where the FTC solicited the public for information on industry surveillance, the first stage in the long process of its federal rulemaking to regulate commercial surveillance and lax data security practices.
Our comments explain that there are insufficient safeguards to secure the data collected by daycare apps from theft or misuse. It is likely only a matter of time before these companies leak data or become the subject of a breach, and a single compromise of the application servers could affect hundreds of daycares and preschools.
The comments also point out that the problems with these apps—privacy policy defects and lackluster security practices—fall squarely under the “unfair or deceptive acts or practices” clause built into the FTC Act. It is deceptive to mislead parents and daycares into thinking these apps collect and share less information than they do. And it is an unfair practice to expose young children to the risk of their data being misused or breached.
We will continue to investigate this ecosystem in the coming year, and to follow up on possible regulations to protect this sensitive data. Daycare apps collect vast quantities of detailed information about young children and infants, and if this data were breached or given to a third party, it would form a very accurate profile of a child’s development. It doesn’t matter the age: private data should be secure, and right now, these apps are not.
This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2022.