Sicheng Jin (University of New South Wales), Rahat Masood (University of New South Wales), Jung-Sook Lee (University of New South Wales), Hye-Young (Helen) Paik (University of New South Wales)
The integration of educational technology (edtech) into primary and secondary schools has accelerated substantially, making digital applications core components of modern learning environments. While ostensibly beneficial, these apps introduce substantial privacy and security risks for children, frequently through opaque data collection and sharing practices. However, existing research on children’s applications has predominantly relied on automated dynamic analysis tools, which fail to replicate authentic human behaviours such as navigating parental gates, configuring privacy settings, or self-identifying as a student or teacher. Furthermore, prior studies have largely overlooked the accessibility of privacy policies for non-legal experts and do not reflect the current practices of Australian education departments. This paper presents a comprehensive analysis of approximately 200 Android applications sourced from both Australian school recommendations and the Google Play Store’s “Kids” and “Educational” categories. Our methodology follows a three-step approach: (1) static analysis of application code; (2) dynamic analysis of live network traffic to observe real-world data transmissions; and (3) textual analysis of privacy policies to assess their readability and compare their disclosures against observed behaviour. The findings indicate that a substantial subset, 46% of apps, still engage in risky data practices, such as transmitting persistent identifiers not explicitly mentioned in their privacy policies. Additionally, these policies are typically written at a reading level above that of the average Australian parent. Our analysis shows that only 3% of privacy policies meet the threshold of being “fairly easy” to read, leaving the policies of most apps effectively inaccessible to parents.
Policies rarely matched practice: only about 1 in 4 apps were fully consistent, while the remainder showed partial or conflicting disclosures, often omitting information about third-party recipients and the timing of collection. The vast majority (89.3%) of apps initiated outbound connections before any user activity in the app. These findings offer crucial insights for educators, parents, developers, and policymakers in Australia and abroad, helping them make informed decisions about selecting apps for children and shaping appropriate policy frameworks for educational apps.