Over the past year, we’ve seen schools shift to digital services at an unprecedented rate as a way to educate kids safely during the covid-19 pandemic. We’ve also seen these digital tools slurp up these kid’s data at a similarly unprecedented rate, suffer massive breaches, and generally handle student’s personal information with a lot less care than they should.
Case in point: A new report published Tuesday by the tech-focused nonprofit Me2B Alliance found the majority of school utility apps were sharing some amount of student data with third-party marketing companies. The Me2B team surveyed a few dozen so-called “utility” apps for school districts—the kind that students and parents download to, say, review their school’s calendar or bussing schedules—and found roughly 60% of them sharing everything from a student’s location to their entire contact list, to their phone’s mobile ad identifiers, all with companies these students and their parents likely never heard of.
In order to figure out what kind of data these apps were sharing, Me2B analyzed the software development kits (or SDKs) that these apps came packaged with. While SDks can do all sorts of things, these little libraries of code often help developers monetize their free-to-download apps by sharing some sort of data with third-party ad networks. Facebook has some super popular SDKs, as does Google. Of the 73 apps surveyed in the report, there were 486 total SDKs throughout—with an average of just over 10 SDKs per app surveyed.
Of that 486 total bits of code, nearly 63% (306) were owned and operated by either Facebook or Google. The rest of those SDKs were sharing data with some lesser-known third parties, with names like AdColony and Admob.
But the data sharing didn’t stop there. As the report points out, these lesser-known SDKs would often share the data pulled from these student apps with dozens—if not hundreds—of other little-known third parties. What’s interesting here is that these SDKs, in particular, were found abundantly in Android apps, but way fewer iOS apps ended up bringing these pieces of tech onboard (91% versus 26%, respectively).
There are a few reasons why this might be the case. First, even if Apple isn’t always careful about following its own privacy rules, the company does set a certain standard that every iOS developer needs to follow, particularly when it comes to tracking and targeting the people using their apps. Most recently, Apple turned this up to 11 by mandating App Tracking Transparency (ATT) reports for the apps in its store, which literally request a user’s permission in order to track their activity outside of the app.
Even though Android does have its own review process for apps, historically, we’ve seen some insecure apps slip through the cracks and onto countless people’s devices. Also, there’s a good chance that many apps developed for Android are beaming some degree of data right back to Google.
And with Apple slowly tightening its standards surrounding ATT, it’s possible that the divide between the two OS’s will only keep broadening—which leaves student’s data stuck in the middle.