What can I do when I've discovered that my client's app might violate COPPA and they're taking no action

My employer is a staffing company, and I'm on a 4-month contract with the client. The client gets funding from the National Science Foundation, Bill and Melinda Gates Foundation, and others.



They make an app for kids, used in classrooms.



I've found numerous security flaws in the software. The worst is: When the child student clicks "logout", the system tells them they're logged out, but they're actually not. It's possible to continue to initiate actions through the UI as the child.



I brought it to their attention twice and the managers aren't too concerned. The developer responsible for the system (with custom coded security functions coded by him) was defensive, saying that it probably wasn't a big deal, and it'd be impossible to test. I know this is B.S., of course.



I'm considering my range of options.



(The other security flaws also implicate COPPA because they risk children's identifying data: API keys, to e.g. file storage services, exposed in the app.)



COPPA FAQ
  • 9
    Make sure you have written documentation of your objection and identification of the issue and the refusal by management to deal with it. It may get nasty, so protect yourself.
    – Jane S♦
    Jun 3 '15 at 23:40

  • @JoeStrazzere No, they don't. The dev told me that they don't need it because when there's a bug, he simply fixes it. ;-) They use Asana, but in a very non-standard way — projects aren't used for projects, etc.
    – senior-dev
    Jun 4 '15 at 21:04
edited Jun 4 '15 at 21:41
asked Jun 3 '15 at 23:23
senior-dev
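The logout flaw described in the question is both easy to test and easy to fix, which is worth showing because the developer's "impossible to test" claim is the thing management is relying on. The block below is an added example, not code from the question, the client's app or any project named on the page. It models a tiny session-backed service with hypothetical names (`StudentApp`, `login`, `logout`, `submit_answer`): with `revoke_on_logout=False` it behaves as the question describes (the client is told "logged out" while the server-side session stays valid), and with `revoke_on_logout=True` the session is revoked. `logout_is_effective` is the check: log in, log out, replay the old token, and require the server to refuse it.

```python
"""Does 'logout' really end the session on the server?

Added example (not the question's or the client's code). Names are
hypothetical; the two variants are constructed to illustrate the flaw
described in the question and its fix.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class StudentApp:
    """Minimal service: opaque session tokens map to a student id."""
    revoke_on_logout: bool  # False reproduces the behaviour in the question
    sessions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def login(self, student_id: str) -> str:
        # Issue an unguessable opaque token and record it server-side.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = student_id
        return token

    def logout(self, token: str) -> dict:
        if self.revoke_on_logout:
            # Fixed behaviour: the server forgets the session, so any
            # later request carrying this token is unauthenticated.
            self.sessions.pop(token, None)
        # Vulnerable behaviour (revoke_on_logout=False): the UI shows
        # "logged out" but nothing changed on the server.
        return {"status": "logged out"}

    def submit_answer(self, token: str, answer: str) -> dict:
        # Every action is authorised purely by the server-side session.
        student = self.sessions.get(token)
        if student is None:
            return {"status": 401, "error": "not authenticated"}
        self.audit.append((student, answer))
        return {"status": 200, "student": student}


def logout_is_effective(app: StudentApp) -> bool:
    """Log in, log out, replay the old token.

    Logout is effective only if the replayed request is refused with 401.
    Against a real deployment the same three steps run over HTTP with the
    session cookie captured before calling the logout endpoint.
    """
    token = app.login("student-42")
    assert app.submit_answer(token, "before logout")["status"] == 200
    assert app.logout(token)["status"] == "logged out"
    replay = app.submit_answer(token, "after logout")
    return replay["status"] == 401


if __name__ == "__main__":
    for flag in (False, True):
        result = logout_is_effective(StudentApp(revoke_on_logout=flag))
        print(f"revoke_on_logout={flag}: logout effective = {result}")
```

The check is deliberately black-box: it needs no knowledge of the custom-coded security functions, only a login, a logout, and one authenticated action, so it can be scripted against the real app and attached to the written record Jane S recommends keeping.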

1 Answer
You might want to point your client at the TinyCo case, to demonstrate that the risk they are taking is real.



According to the COPPA FAQ you can report violations on the FTC site, or by calling (877) FTC-HELP.



As Jane S says in a comment above, document everything (your specific complaint, how you asked the company to address it, how they replied, dates of all of these interactions, etc.).






answered Jun 3 '15 at 23:47
LindaJeanne