NEW YORK (NYTIMES) - Before Ms Kim Slingerland downloaded the "Fun Kid Racing" app for her then five-year-old son, Shane, she checked to make sure it was in the family section of the Google Play store and rated as age-appropriate. The game, which lets children race cartoon cars with animal drivers, has been downloaded millions of times.
Until last month, the app also shared users' data - sometimes including the precise location of devices - with more than a half-dozen advertising and online tracking companies.
On Tuesday (Sept 11) evening, New Mexico's attorney-general filed a lawsuit claiming that the maker of "Fun Kid Racing" had violated a federal children's privacy law through dozens of Android apps that shared children's data.
"I don't think it's right," said Ms Slingerland, a mother of three in Alberta, Canada. "I don't think that's any of their business, location or anything like that."
The suit accuses the app maker, Tiny Lab Productions, along with online ad businesses run by Google, Twitter and three other companies, of flouting a law intended to prevent the personal data of children under 13 from falling into the hands of predators, hackers and manipulative marketers.
The suit also contends that Google misled consumers by including the apps in the family section of its store.
An analysis by The New York Times found that children's apps by other developers were also collecting data.
The review of 20 children's apps - 10 each on Google Android and Apple iOS - found examples on both platforms that sent data to tracking companies, potentially violating the children's privacy law. The iOS apps, however, sent less data overall.
These findings are consistent with those published this spring by academic researchers who analysed nearly 6,000 free children's Android apps. They reported that more than half of the apps, including those by Tiny Lab, shared details with outside companies in ways that may have violated the law.
Although federal law does not provide many digital privacy protections for adults, there are safeguards for children under 13. The Children's Online Privacy Protection Act protects them from being improperly tracked, including for advertising purposes.
Without explicit, verifiable permission from parents, children's sites and apps are prohibited from collecting personal details including names, e-mail addresses, geolocation data and tracking codes like cookies if they're used for targeted ads.
But the New Mexico lawsuit and the analyses of children's apps suggest that some app developers, ad tech companies and app stores are falling short in protecting children's privacy.
"These sophisticated tech companies are not policing themselves," New Mexico attorney-general Hector Balderas said. "The children of this country ultimately pay the price."
Ms Jessica Rich, a former consumer protection director at the Federal Trade Commission, called the findings "significant and disturbing". They suggest, she said, "that the 'safe spaces' for kids in the apps stores aren't safe at all".
Google spokesman Aaron Stein said that developers are responsible for declaring whether their apps are primarily for children, and that apps in the store's family section "must comply with more stringent policies".
A Twitter spokesman said that the company's ad platform, MoPub, does not allow its services to be used to collect information from children's apps for targeted advertising and that it suspended the maker of "Fun Kid Racing" in September of 2017 for violating its policies.
Mr Jonas Abromaitis, founder of the Lithuania-based Tiny Lab, said he believed he had followed the law and Google's requirements, because the app asked for users' ages and tracked those who identified as over 13. "We thought we were doing everything the right way," he said.
A MARKET FOR TRACKING
Dozens of companies now track consumers on their phones to build behavioural profiles that help tailor the ads they see. Two of the largest are AdMob and MoPub.
To make money, app developers generally have two options: publish free apps supported by ads, or charge users. But children do not have the money to make purchases, and under federal law they cannot be tracked for ad targeting.
The app industry has had trouble adapting to children, said Mr Dylan Collins, the chief executive of SuperAwesome, a technology firm that helps companies build apps for children without tracking them.
Mr Collins said some top children's app makers had started charging parents for subscriptions or showing ads that did not use tracking. But, he noted, small developers typically sell fewer subscriptions and do not always sell enough ads using only child-friendly ad networks. "As a result, there's still a huge amount of data being collected on kids," he said.
In 2013, Apple introduced a children's section in its App Store. It told developers that, to be listed there, they could "do no tracking across sites or across apps".
Apple tells parents that it reviews each app in the section "to make sure it does what it says it does".
Google introduced a similar programme, Designed for Families, in 2015. The company informed Android developers that apps that were "primarily child-directed must participate" in the programme and that developers must confirm that their apps complied with the children's privacy law.
Google has said it developed its family section to help parents find "suitable, trusted, high-quality apps" for their children.
'FOR CHILDREN' VS 'FOR FAMILIES'
Mr Abromaitis created "Fun Kid Racing" in 2013, after searching unsuccessfully for a racing game to play with his three-year-old nephew. Other Tiny Lab apps include simple games with titles such as "Run Cute Little Pony".
Still, Mr Abromaitis said in an interview, the company's apps were directed at "mixed audiences", with children under 13 forming only part of the market.
The distinction is important: Under privacy law, apps aimed at younger children are prohibited from tracking any users for ads without parental consent, but those intended for a general audience can ask players their age and track older users.
When Tiny Lab submitted apps to Google's store, it indicated they were for families, not just children, and Google accepted the apps.
In The Times' tests of "Fun Kid Racing" in July, the app asked that players select their birth year from a list. But with the default set between 2000 and 2001, a young child eager to get to the next screen could simply tap through quickly and be counted as a teenager. In the tests, the app did not collect location data if the player identified as under 13.
In early June, e-mails show, the academic researchers who had done the earlier study informed Google that app developers "seem to have an incentive to mischaracterise" their children's apps as "not primarily directed to children", freeing them to track users for targeted ads.
They cited 84 apps from Tiny Lab as examples and said they had identified nearly 3,000 apps that appeared to be similarly mislabelled.
In July, a Google manager responded that the company had investigated the Tiny Lab apps and had found they had not violated the privacy law. Google, he said, did not consider "these apps to be designed primarily for children, but for families in general".
A month later, Google appeared to reverse course: The company told Mr Abromaitis it had identified a Tiny Lab app that should be designated for children. Google gave Tiny Lab a week to change that app and any others like it.
Tiny Lab labelled 10 of its apps for children and used ad networks in them designed for children's apps. Google approved the updates but flagged more apps at the end of August, Mr Abromaitis said, so he made another round of changes.
Then, this week, after inquiries from The Times, Google terminated Tiny Lab's account and removed all of its apps from the Google Play store, citing multiple policy violations.
Asked about the earlier e-mails, Google said the statements were made in error and that it does not certify whether apps in Google Play comply with the children's privacy law.
Mr Abromaitis said he hoped to work with Google to get back into the store.
THE TRACKING OF CHILDREN IS RIFE
The study this spring showed not only that more than half of children's apps on Android were sharing tracking ID numbers but also that 5 per cent collected children's location or contact information without their parents' permission.
To evaluate tracking on iOS as well as Android, The Times conducted a small study, looking at 10 apps on each platform. The Times chose a mix of the most popular children's apps and smaller apps that had been flagged in the academics' research for sharing data, to test whether the apps had problems on iOS and whether they had been fixed on Android.
Although it is difficult to know whether companies are actually violating the federal rules, six of the Android apps shared data such as precise location, IP addresses and tracking IDs in ways that could be problematic. On iOS, five apps sent IDs to tracking companies in questionable ways.
In addition to "Fun Kid Racing", the tests showed one other Android app sending precise location data to other companies: "Masha and the Bear: Free Animal Games for Kids", an animated game app with millions of downloads. The iOS version sent advertising ID codes to a company that generally prohibits children's apps from using its network.
In an e-mail, Indigo Kids, the Cyprus-based maker of the "Masha" app, said it was not responsible for harvesting children's information because third-party companies collected the data. "We, as a company, do not collect or store any data of our users," the company said.
Other apps with data practices that could violate the children's privacy rules sent data to multiple tracking companies that do not allow children's apps, or sent the data with notes in the computer code incorrectly indicating that it had not come from children.
Several apps reviewed by The Times also sent the advertising ID to other companies but said this was for specific purposes allowed under the law, such as preventing an ad from being shown too many times.
Mr Tom Neumayr, an Apple spokesman, said that children's privacy in apps "is something we take very seriously" and that developers must follow strict guidelines about tracking in children's apps.
ENFORCING THE LAW
Since the federal children's online privacy law was enacted in 1998, the Federal Trade Commission (FTC) has brought nearly 30 cases alleging violations by companies including Sony BMG Music Entertainment and Yelp. All of those firms ultimately settled with the agency.
"The FTC has made enforcement of the Children's Online Privacy Protection Act a high priority," said Ms Juliana Gruenwald, an agency spokesman.
But the New Mexico lawsuit is different. The state is not just going after a single app maker or ad company; it's also implicating the ad platforms of Google and Twitter, and the vetting process of Google's app store.
"Google knows that Tiny Lab's apps track children unlawfully," the complaint said. "Google's bad acts are compounded because it represents to parents" that Tiny Lab's apps comply with the children's privacy law and are "safe for children".
The case is particularly fraught for Google and Twitter, which are each already subject to federal settlements over consumer privacy or security violations. Those settlements prohibit the companies from misrepresenting their consumer data protections, and violations could trigger hefty fines.
"I don't see any way that anything would change unless there are enforcement actions," said Mr Serge Egelman, a researcher at the University of California, Berkeley, who helped lead the study this spring.
New Mexico's attorney-general said he hoped the FTC and others in Washington would follow his lead. "This is as much a black eye on the federal government as the tech space," Mr Balderas said. "I'm trying to get lawmakers at the federal level to wake up."