SAN FRANCISCO—The Federal Trade Commission must review the lack of privacy and security protections among daycare and early education apps, the Electronic Frontier Foundation (EFF) urged Wednesday in a letter to Chair Lina Khan.

Daycare and preschool applications frequently include notifications of feedings, diaper changes, pictures, activities, and which guardian picked up or dropped off the child—potentially useful features for overcoming separation anxiety of newly enrolled children and their anxious parents.

But EFF Director of Engineering Alexis Hancock’s recent investigation found early education and daycare apps have several troubling security risks. Some allow public access to children’s photos via insecure cloud storage; many have dangerously weak password policies; at least one (Tadpoles for Parents) sends “event” data, including when the app is activated and deactivated, to Facebook; and several enable cleartext traffic that can be exploited by network eavesdroppers.

“Parents find themselves in a bind: either enroll children at a daycare and be forced to share sensitive information with these apps, or don’t enroll them at all,” EFF’s letter to Khan said. “Paths for parents to opt a child out of data sharing are, with rare exception, completely absent.”

“Since parents do not have the tools or proper information to currently assess the privacy and security of their children’s data in daycare and early education apps, the Federal Trade Commission should review the current gaps in the law and assess potential paths to strengthen protections for young children’s data, or investigate other means to improve protections for children’s data in this context,” the letter concludes.

Of 42 daycare apps that privacy experts researched, 13 companies did not specify the data they collect in their privacy policies. In policies of those that do describe data collection processes, most admitted to sharing sensitive information (such as the average number of diaper changes per day) with third parties. Only 10 of the 42 apps stated in their privacy policies that they did not share data with third parties – but seven of those 10 actually were doing so anyway.

Current laws don’t address the problem. The Children’s Online Privacy Protection Act only applies to operators of online services “directed to” children under 13; early education and daycare apps, however, are used solely by adults like teachers. The Family Educational Rights and Privacy Act also falls short: It restricts schools from disclosing students’ “education records” to certain third parties without parental consent, but does not regulate the actions of third parties who may receive that data, such as daycare apps.

For EFF’s letter to Federal Trade Commission Chair Lina Khan: https://eff.org/document/eff-letter-ftc-daycare-apps-9-28-2022

For more on daycare apps’ privacy and security problems: https://www.eff.org/deeplinks/2022/06/daycare-apps-are-dangerously-insecure

Related Issues