DiffAudit: Auditing Privacy Practices of Online Services for Children and Adolescents

TL;DR

DiffAudit is a novel platform-agnostic methodology that uses differential analysis and GPT-4 based data classification to audit privacy practices of online services for children, adolescents, and adults, revealing concerning data handling behaviors.

Contribution

The paper introduces DiffAudit, a new privacy auditing framework combining differential network traffic analysis with GPT-4 data classification, enabling detailed comparison of data practices across user ages and consent states.

Findings

Detected problematic data practices before consent and age disclosure

Identified lack of differentiation in age-specific data flows

Revealed sharing of linkable data with third parties

Abstract

Children's and adolescents' online data privacy are regulated by laws such as the Children's Online Privacy Protection Act (COPPA) and the California Consumer Privacy Act (CCPA). Online services that are directed towards general audiences (i.e., including children, adolescents, and adults) must comply with these laws. In this paper, first, we present DiffAudit, a platform-agnostic privacy auditing methodology for general audience services. DiffAudit performs differential analysis of network traffic data flows to compare data processing practices (i) between child, adolescent, and adult users and (ii) before and after consent is given and user age is disclosed. We also present a data type classification method that utilizes GPT-4 and our data type ontology based on COPPA and CCPA, allowing us to identify considerably more data types than prior work. Second, we apply DiffAudit to a set of popular general audience mobile and web services and observe a rich set of behaviors extracted from over 440K outgoing requests, containing 3,968 unique data types we extracted and classified. We reveal problematic data processing practices prior to consent and age disclosure, lack of differentiation between age-specific data flows, inconsistent privacy policy disclosures, and sharing of linkable data with third parties, including advertising and tracking services.