UNIVERSITY OF CALIFORNIA, BERKELEY
BERKELEY · DAVIS · IRVINE · LOS ANGELES · RIVERSIDE · SAN DIEGO · SAN FRANCISCO · SANTA BARBARA · SANTA CRUZ

Please Reply To:
Serge Egelman
Director, Berkeley Laboratory for Usable and Experimental Security
Department of Electrical Engineering and Computer Sciences
University of California, Berkeley
Berkeley, CA 94720-1774
egelman@cs.berkeley.edu

BERKELEY, CALIFORNIA 94720

May 8, 2018

Dalia Litay
General Counsel
ironSource Ltd.

Ms. Litay,

I am in receipt of your letter dated April 9, 2018, addressed to Mr. Irwin Reyes, who is a member of my research staff, concerning the article entitled, “Won’t Somebody Think of the Children? Examining COPPA Compliance at Scale.” In your letter, you state that “ironSource’s terms of service do not prohibit our SDK from being used in applications targeted at Children.” Based upon that claim, you assert that the article is inaccurate and misleading by its inclusion of ironSource in Table 2 of the article. Because ironSource’s concerns were communicated by its General Counsel, and your letter threatens pursuit of substantial financial damages in the event we do not accede to your demand to remove ironSource from Table 2, please be aware that I have consulted legal counsel for the University of California in the preparation of this response, who is copied on this letter. I assume you were not aware of pertinent facts, which I describe below, when you sent your letter. Based on those facts, I think you will agree that the article’s characterization of ironSource’s terms of service, based upon its privacy policy, is accurate as of the time the article was submitted for publication. Following publication of the article, ironSource changed its privacy policy in relevant particulars.

IronSource’s privacy policy (or rather, the privacy policy of Supersonic, ironSource’s subsidiary), at the time that we accessed it (September of 2017, as documented in the article and since deleted from ironSource’s website), stated the following:

    The Services are not directed to children under the age of 13 and children under the age of 13 should not use any portion of the Services.

Your allegations appear to be based upon your interpretation of the term “Services,” which you claim is defined as being those services that ironSource offers to app developers, and presumably not what is collected from end-users. That is, your letter is claiming that these statements mean that you do not allow developers under 13 to sign up on your website to use your SDK, and not that the SDK should only be used in non-child-directed apps. This may be a reasonable interpretation of the privacy policy and terms of service as they are currently written.

However, the version of Supersonic’s privacy policy (dated July 14, 2016) that we quoted in the paper, which appears to have been operative until very recently, unambiguously stated the following, in literally its second sentence:[1]

    This Privacy Policy (the “Privacy Policy”) describes how ironSource Ltd. and its subsidiaries (collectively “ironSource” or “we”, “us”, “our”) uses end users [sic] (“you” or “your”) information when you view ads served by platforms and services operated by ironSource Mobile Ltd. on third party websites or mobile apps (the “Services”).

In this version, “Services” is defined to mean ironSource’s content that appears on other websites and within mobile apps, including via your mobile SDK, and directed at end-users.

This definition of Services taken in conjunction with the statement that “children under the age of 13 should not use any portion of the Services” plainly indicates that the SDK should not be bundled with child-directed apps: if your SDK is bundled with apps directed at children under 13, then children under 13 will be using your Services—as the term was defined in the version of the privacy policy that we cited—in contravention of this policy.

In the article, to the extent that ironSource is mentioned in Table 2, we only point out that despite the language that was in your privacy policy, many child-directed apps do use your SDK. This is a factually accurate statement.

As you know, the verbatim quotation in our paper of Supersonic’s privacy policy as it existed at the time the paper was written, and our reasonable interpretation of that privacy policy are protected speech. You can appreciate, I hope, our concern about your implied threat of a commercial defamation lawsuit, and our perspective that any such action would be a Strategic Lawsuit Against Public Participation (SLAPP), prohibited by California’s anti-SLAPP statute (Ca. Code of Civ. Proc., §§425.16 et seq.). Your concern about ironSource’s financial interests and reputation is not likely to be well served by unfounded threats to academic researchers acting in the public interest.

In your letter you emphasize that “ironSource does not knowingly collect or maintain personal information collected online from children under the age of 13, to the extent prohibited by the Children’s Online Privacy Protection Act.” Emphasis provided by you. I am not a COPPA expert, so will leave it to you to determine whether the following facts align with your statement.

You acknowledge that all developers wishing to use ironSource’s SDK must sign up using your dashboard. As part of that signup procedure, ironSource collects the developer’s name, as well as the app names in which the SDK will appear. As a result, ironSource knows the names of all developers and the developers’ apps that are using its service. Here are the names of a few companies that appear to be using ironSource’s SDK in their Android games, all within Google’s Designed for Families Program (i.e., targeted at children):

• Arial & Babies
• For Little Kids
• Babies Funny World
• KidsUnityApps
• Androbaby
• BabyBus Kids Games
• GameForKids

Clearly, all of these companies are focused on children. In total, we have observed 495 kids’ apps—the paper reports 466—from 82 unique developers (to date) transmitting personal identifiers to your company. Based on your letter, it is our understanding that ironSource is aware of all of these companies and their apps via ironSource’s dashboard. Is it your position that COPPA permits ironSource to collect identifiers from child-directed apps? Or is it your position that ironSource only collects this information to perform COPPA-allowed contextual advertising? In the case of the latter, as the advertising on your website indicates that ironSource specializes in “well-targeted” marketing campaigns, you may wish to revisit the accuracy of that statement.

Finally, based on the spirit of good will that you raised in your letter, I was hoping that you could assist us in a related matter. Mr. Reyes first posted a copy of the paper on his personal website on Friday, April 6, 2018, in the late afternoon, which would have been the weekend for ironSource. More importantly, the copy on his website is not linked anywhere, and Google does not appear to have indexed it until April 10, a day after your letter was received. I have become aware that working drafts of this paper, which were shared with a limited number of individuals in confidence, may have been leaked. I take this very seriously, and as we investigate potential unauthorized disclosures of copyrighted work, we seek the assistance of ironSource. In particular, I am hoping you can answer the following questions:

1. When did ironSource first become aware of this research?
2. Has anyone outside of ironSource alerted ironSource to this research? If so, who?
3. Does anyone at ironSource have any previous drafts of this research, and if so, how did they obtain them?
4. How and when was ironSource first alerted to the publicly released version on Mr. Reyes’ website?

Sincerely,

Serge Egelman, Ph.D.

cc: Steven Drown, Senior Counsel, University of California

[1] https://web.archive.org/web/20170621232408/www.supersonic.com/privacy-policy/