Steven Roosa is a Partner at our New York office
The Usable Security & Privacy Group at Berkeley has published a website entitled AppCensus which purports to give a privacy health check for Android mobile apps. One can go to the site and type in the name of an Android mobile app and, for approximately 19,000 or so mobile apps on Google Play, the site will give a rough list of the device IDs and special permissions requested by the App from the Android OS; the host names on the Internet to which the app transmits device IDs; and an indication of whether location is used.
The Washington Post just featured the AppCensus site in a story about (alleged) COPPA non-compliance.
AppCensus has significant shortcomings, but has dramatically lowered the bar for journalists, regulators and privacy researchers to make meaningful inquiries or public statements about any companies' Android apps. It will unfortunately make the "gotcha" game for perceived violations nearly a turn-key exercise for reporters, researchers, and regulators. One can see this tool being used not just for COPPA, but also for VPPA, HIPAA and GLBA (although it is critical to note that VPPA, HIPAA and GLBA require the confluence of both a device ID and another piece of information—healthcare, movie title or genre, financial information, etc.—and AppCensus does not provide that second piece, but the site would still likely be the starting point for regulators, the media and plaintiffs' counsel on these issues).
We would recommend, to the greatest extent possible, that companies have apps privacy tested in Beta, so as to avoid an adverse event associated with AppCensus.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
