Skip to content

146 EdTech apps are harvesting student data for targeted advertising

  • by
  • 5 min read

Technical analysis of 164 EdTech products recommended by 49 countries by the Human Rights Watch found that these products have risked or violated several different children’s privacy rights, including building profiles on children using the apps to deliver targeted ads. 

The analysis was conducted between March and August 2021. The report measures the prevalence and frequency of tracking technologies used in each product on a given date in the window mentioned above.

Out of all the products studied, 146 seemed to be either putting children’s rights at risk, undermining them or actively infringing upon them. 

These products could monitor children secretly in most cases. Making matters worse, the monitoring was done without consent from the child or parents, with data being harvested on who they were, including family and friends, activities in the classroom and the kind of devices used. 

This data was then sent to third-party companies, usually advertising technology companies allowing them to build profiles on each child. Access to these insights might even be sold to advertisers, data brokers and anyone else looking to target a particular group of people online.

In the News: Google Chrome updated with 32 security fixes including one critical fix

Edtech’s invasive tracking in numbers 

Out of the 42 governments included in the investigation, 39 produced or used products that mishandled children’s data, with some governments even making it mandatory to use their recommended EdTech products. 

As for the monitored products themselves, 39 were mobile apps, 91 were websites, and 34 were available in both formats.

What’s worse is that four of these apps are built and owned by the education ministries of India, Indonesia, Iran, and Turkey letting these governments track and pinpoint the exact locations of 29.5 million children collectively. 

Android apps were the focus of the investigation owing to Android’s dominance in the smartphone space. 

The examined products were divided into four categories:

  • That doesn’t require user accounts to access the content.
  • Where signing up was optional.
  • That requires a user account to access the content.
  • Require verification of the child’s identity as a student either by their school or the ministry of education to make an account. 

Here’s a breakdown of the key findings explaining how these EdTech apps tracked children.

  • Advertising ID collection: Out of the 73 apps examined, 41 collected users’ advertising IDs allowing them to tag children and their devices for advertising purposes.
  • Tagging and tracking: These 41 apps were endorsed by 29 governments, collectively identifying, tagging and tracking around 6.24 million users, including children. 
    • 33 apps seemed to have collected AAIDs (Android Advertising IDs) of an estimated 86.9 million children.
  • Non-consensual tracking: Around 27 apps didn’t inform their user that they were being tracked, not even in their privacy policies. None of the apps examined allowed users to decline to be tracked either.
    • Further, these apps may have provided 33 AdTech companies access to students’ AAIDs. 
  • MAC and IMEI tracking: 14 EdTech apps had access to MAC addresses and IMEI numbers, with eight of them granting themselves the required access permissions. 10 of these apps did not disclose this in their privacy policies. 
    • Recommended by 13 governments, these apps collected MAC addresses of around 15.6 million people, with three of these apps doing so from an estimated 610,000 children. 
    • Nine apps were found to have the ability to collect IMEI numbers recommended by 12 governments. Four of these apps, designed exclusively for children, may have collected IMEI numbers from approximately 3.1 million children in Brazil, Indonesia, Pakistan, and South Africa.
  • Location tracking: 22 apps also granted themselves access to students’ precise location data. Out of these, 10 apps have collected location data from 52.1 million children, marketing them for children’s use in education.
    • None of these apps disclosed this to the students.

Website trackers: Out of the 125 websites examined by Human Rights Watch, eight were fingerprinting their users, tracking them beyond the sites on the internet and none of them revealed this to their users. 

All of this data collection is just the tip of the iceberg, with websites and apps collecting more information such as contact data, coarse location data, WiFi SSIDs and even what children do in the classroom. 

The Human Rights Watch also included recommendations for governments and app developers on making their apps not infringe on privacy rights and be more transparent in their data collection practices.

The findings were presented to 95 EdTech companies, 199 AdTech companies and the 49 governments included in the study to respond and provide comments and clarifications. As of May 24, 48 EdTech companies, 78 AdTech companies, and only 10 governments responded. 

In the News: Dorsey leaves board, Musk renews bid, FTC fines Twitter $150 million


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: