Copyright © 2022 Internet Safety Labs
• Measured Risk: SDKs included in the app and their risk ratings,
• Observed Risk: Observed network traffic to what we refer to as the “big six”
data aggregators (Adobe, Apple, Amazon, Facebook, Google, and Twitter), and
• Observed bad behaviors:
o Advertising presence,
o Retargeting advertising presence,
o WebView use,
o Dangling domain presence,
o Inclusion of MaxPreps (an advertising-supported platform analyzed by
us in Spotlight Report #4).
It is important to note that the scoring criteria for this benchmark are unique to the
domain of K12 Edtech. For a different industry vertical (such as FinTech, for example)
the scoring categories will be the same, but the criteria/thresholds will be different.
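The K-12 criteria that this section goes on to list can be read as an ordered rule check over the three categories above. The Python below is an added illustration, not ISL's code: the AppFindings field names and the sample app are assumptions, and it covers only the three outcomes whose criteria this section lists.

```python
from dataclasses import dataclass, field

# Tiers taken from the K-12 rubric on this page.
DO_NOT_USE_AGGREGATORS = {"Facebook", "Amazon", "Twitter", "Adobe"}
HIGH_RISK_AGGREGATORS = {"Google", "Apple"}
HIGH_RISK_SDK_RATINGS = {"Very High Risk", "High Risk"}

@dataclass
class AppFindings:
    """One app's audit results. Field names are assumptions made for this example."""
    sdk_ratings: dict = field(default_factory=dict)        # SDK name -> risk rating
    data_broker_sdks: set = field(default_factory=set)     # SDKs on the CA/VT registries
    sdk_aggregators: set = field(default_factory=set)      # aggregators implied by SDKs
    traffic_aggregators: set = field(default_factory=set)  # aggregators seen in traffic
    has_ads: bool = False        # contextual or retargeted; the rubric treats both alike
    uses_webview: bool = False
    dangling_domains: set = field(default_factory=set)
    includes_maxpreps: bool = False

def safety_score(app):
    """Return (score, reasons). SDK and traffic evidence are merged; worst tier wins."""
    seen = app.sdk_aggregators | app.traffic_aggregators
    worst = []
    if app.has_ads:
        worst.append("advertising present")
    if app.data_broker_sdks:
        worst.append("data broker SDK: " + ", ".join(sorted(app.data_broker_sdks)))
    if seen & DO_NOT_USE_AGGREGATORS:
        worst.append("aggregator: " + ", ".join(sorted(seen & DO_NOT_USE_AGGREGATORS)))
    if app.includes_maxpreps:
        worst.append("MaxPreps included")
    if worst:
        return "Do Not Use", worst
    high = []
    risky = sorted(n for n, r in app.sdk_ratings.items() if r in HIGH_RISK_SDK_RATINGS)
    if risky:
        high.append("high-risk SDK: " + ", ".join(risky))
    if app.uses_webview:
        high.append("WebView in use")
    if seen & HIGH_RISK_AGGREGATORS:
        high.append("aggregator: " + ", ".join(sorted(seen & HIGH_RISK_AGGREGATORS)))
    if app.dangling_domains:
        high.append("dangling domain: " + ", ".join(sorted(app.dangling_domains)))
    if high:
        return "High-Risk", high
    return "Some Risk", ["no High-Risk or Do Not Use criterion met"]

# Constructed sample: SDKs look clean, but traffic analysis shows Facebook.
SAMPLE = AppFindings(sdk_ratings={"example-sdk": "Low Risk"}, traffic_aggregators={"Facebook", "Google"})
```

The constructed sample scores Do Not Use on network evidence alone, even though its SDK list contains nothing rated High Risk.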
There are four possible outcomes for the ISL app Safety Score:
• Some Risk: This represents the “safest” of all safety scores. Note that “no risk” is
not an option in our scoring rubric as all apps entail some level of risk.
• High-Risk: This represents the middle tier of safety risk. Apps that receive this
rating meet at least one of the following criteria:
o Presence of high-risk SDKs (at least one Very High Risk or High Risk SDK).
o App’s use of WebView.
o Presence of data aggregators: Google or Apple, as determined from
either the presence of SDKs or from network traffic analysis.
o Presence of one or more dangling domains in the app.
• Do Not Use: This score represents the least safe apps, and ISL advises
that these apps are not safe for students. Apps receive this score if they meet
at least one of the following criteria:
o Presence of advertising (of any kind). The safety score doesn’t
distinguish between contextual and retargeted advertising in K-12 ed
tech apps, since no matter what kind of advertising is present, student
data is being shared/leaked into advertising networks. This is
dangerous because there is no way for the public to inspect where the
data goes or how it’s used.
o Presence of one or more Data Broker SDKs (per the California and
Vermont Data Broker registries).
o Presence of data aggregators: Facebook, Amazon, Twitter, or Adobe, as
determined either by the presence of SDKs or from network traffic
analysis.
o Presence of MaxPreps. Refer to our earlier research which deeply
examines the extremely risky behavior of MaxPreps, an advertising
school sports platform [owned by CBS/Viacom, parent to Disney] used