ABSTRACT
Adopted in May 2018, the European Union's General Data Protection Regulation (GDPR) requires the consent for processing users' personal data to be freely given, specific, informed, and unambiguous. While prior work has shown that this often is not given through automated network traffic analysis, no research has systematically studied how consent notices are currently implemented and whether they conform to GDPR in mobile apps.
To close this research gap, we perform the first large-scale study into consent notices for third-party tracking in Android apps to understand the current practices and the current state of GDPR's consent violations. Specifically, we propose a mostly automated and scalable approach to identify the currently implemented consent notices and apply it to a set of 239,381 Android apps. As a result, we recognize four widely implemented mechanisms to interact with the consent user interfaces from 13,082 apps. We then develop a tool that automatically detects users' personal data sent out to the Internet with different consent conditions based on the identified mechanisms. Doing so, we find 30,160 apps do not even attempt to implement consent notices for sharing users' personal data with third-party data controllers, which mandate explicit consent under GDPR. In contrast, out of 13,082 apps implemented consent notices, we identify 2,688 (20.54%) apps violate at least one of the GDPR consent requirements, such as trying to deceive users into accepting all data sharing or even continuously transmitting data when users have explicitly opted out. To allow developers to address the problems, we send emails to notify affected developers and gather insights from their responses. Our study shows the urgent need for more transparent processing of personal data and supporting developers in this endeavor to comply with legislation, ensuring users can make free and informed choices regarding their data.
- Kevin Allix, Tegawendé F. Bissyandé, Jacques Klein, and Yves Le Traon. 2016. AndroZoo: Collecting Millions of Android Apps for the Research Community. In MSR.Google Scholar
- Benjamin Andow, Samin Yaseer Mahmud, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Serge Egelman. 2020. Actions Speak Louder than Words: Entity-Sensitive Privacy Policy and Data Flow Analysis with POLICHECK. In USENIX Security.Google Scholar
- Apple. 2022. User Privacy and Data Use. https://developer.apple.com/app-store/user-privacy-and-data-use/. 2022/04/29.Google Scholar
- Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. ACM Sigplan Notices.Google ScholarDigital Library
- Kathy Wain Yee Au, Yi Fan Zhou, Zhen Huang, and David Lie. 2012. Pscout: analyzing the android permission specification. In CCS.Google ScholarDigital Library
- Ravi Bhoraskar, Seungyeop Han, Jinseong Jeon, Tanzirul Azim, Shuo Chen, Jaeyeon Jung, Suman Nath, Rui Wang, and David Wetherall. 2014. Brahmastra: Driving apps to test the security of third-party components. In USENIX Security.Google Scholar
- Benjamin Bichsel, Veselin Raychev, Petar Tsankov, and Martin Vechev. 2016. Statistical deobfuscation of android applications. In CCS.Google Scholar
- European Data Protection Board. 2019. Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects". https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf. 2019/02.Google Scholar
- Dino Bollinger, Karel Kubicek, Carlos Cotrini, and David Basin. 2022. Automating Cookie Consent and GDPR Violation Detection. In USENIX Security.Google Scholar
- Richard Bonett, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2018. Discovering flaws in security-focused static analysis tools for android using systematic mutation. In USENIX Security.Google Scholar
- CCPA. 2022. California Consumer Privacy Act (CCPA). https://oag.ca.gov/privacy/ccpa. 2022/04/29.Google Scholar
- Aldo Cortesi, Maximilian Hils, Thomas Kriechbaumer, and contributors. 2010--. mitmproxy: A free and open source interactive HTTPS proxy. https://mitmproxy.org/ [Version 6.0].Google Scholar
- Datatilsynet. 2022. Intention to issue ? 10 million fine to Grindr LLC. https://www.datatilsynet.no/en/news/2021/intention-to-issue--10-million-fine-to-grindr-llc2/2022/04/29.Google Scholar
- Martin Degeling, Christine Utz, Christopher Lentzsch, Henry Hosseini, Florian Schaub, and Thorsten Holz. 2019. We value your privacy... now take some cookies: Measuring the GDPR's impact on web privacy. In NDSS.Google Scholar
- Zakir Durumeric, Eric Wustrow, and J Alex Halderman. 2013. ZMap: Fast Internet-wide scanning and its security applications. In USENIX Security.Google ScholarDigital Library
- europa.eu. 2022/04/29. ?Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (Article 29 Working Party). https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf.Google Scholar
- Facebook. 2022. FB SDK Best Practices for GDPR Compliance. https://developers.facebook.com/docs/app-events/gdpr-compliance/. 2022/04/28.Google Scholar
- Filyp. 2022. autocorrect. https://github.com/filyp/autocorrect2022/04/28.Google Scholar
- Felix Fischer, Konstantin Böttinger, Huang Xiao, Christian Stransky, Yasemin Acar, Michael Backes, and Sascha Fahl. 2017. Stack overflow considered harmful? the impact of copy&paste on android application security. In SP.Google Scholar
- NOYB -- European Center for Digital Rights. 2022. NCC & noyb GDPR complaint: Grindr fined ? 6.3 Mio over illegal data sharing. https://noyb.eu/en/ncc-noyb-gdpr-complaint-grindr-fined-eu-63-mio-over-illegal-data-sharing 2022/04/28.Google Scholar
- forbrukerradet.no. 2022/04/29. OUT OF CONTROL. https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf.Google Scholar
- GDPR. 2013. Opinion 03/2013 on purpose limitation (WP 203), adopted on 2 April 2013. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf 2022/04/21.Google Scholar
- GDPR. 2021a. Art. 4 Definitions. https://gdpr.eu/article-4-definitions/2021/02/01.Google Scholar
- GDPR. 2021b. Art. 6 Lawfulness of processing. https://gdpr.eu/article-6-how-to-process-personal-data-legally/ 2021/02/01.Google Scholar
- GDPR. 2021c. Art. 7 Conditions for consent. https://gdpr.eu/article-7-how-to-get-consent-to-collect-personal-data/2021/02/01.Google Scholar
- Google. 2021/02/02. Advertising ID. https://support.google.com/googleplay/android-developer/answer/6048248?hl=en.Google Scholar
- Google. 2022a. Advertising ID. https://support.google.com/googleplay/android-developer/answer/6048248?hl=en 2022/04/28.Google Scholar
- Google. 2022b. Android Permission. https://developer.android.com/reference/android/Manifest.permission 2022/04/28.Google Scholar
- Google. 2022c. Obtaining Consent with the User Messaging Platform. https://developers.google.com/admob/ump/android/quick-start2022/04/24.Google Scholar
- IAB Europe GDPR Implementation Group. 2017. The definition of Personal Data - Working Paper 02/2017. https://iabeurope.eu/wp-content/uploads/2019/08/20170719-IABEU-GIG-Working-Paper02_Personal-Data.pdf.Google Scholar
- Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, and David Wetherall. 2011. These aren't the droids you're looking for: retrofitting android to protect data from imperious applications. In CCS.Google Scholar
- Andreas Hotho, Steffen Staab, and Gerd Stumme. 2003. Ontologies improve text document clustering. In ICDM.Google Scholar
- ICCL. 2022/03/08. Landmark litigation. https://www.iccl.ie/rtb-june-2021/.Google Scholar
- Georgios Kampanos, Siamak F Shahandashti, and Name Name. 2021. Accept All: The Landscape of Cookie Banners in Greece and the UK. In IFIP SEC.Google Scholar
- Simon Koch, Malte Wessels, Benjamin Altpeter, Madita Olvermann, and Martin Johns. 2022. Keeping Privacy Labels Honest. PoPETs (2022).Google Scholar
- Konrad Kollnig, Pierre Dewitte, Max Van Kleek, Ge Wang, Daniel Omeiza, Helena Webb, and Nigel Shadbolt. 2021. A Fait Accompli? An Empirical Study into the Absence of Consent to Third-Party Tracking in Android Apps. In SOUPS.Google Scholar
- Ronald Leenes and Eleni Kosta. 2015. Taming the cookie monster with dutch law--a tale of regulatory failure. Computer Law & Security Review (2015).Google Scholar
- Li Li, Tegawendé F Bissyandé, Mike Papadakis, Siegfried Rasthofer, Alexandre Bartel, Damien Octeau, Jacques Klein, and Le Traon. 2017a. Static analysis of android apps: A systematic literature review. Information and Software Technology (2017).Google Scholar
- Yuanchun Li, Ziyue Yang, Yao Guo, and Xiangqun Chen. 2017b. Droidbot: a lightweight ui-guided test input generator for android. In ICSE-C.Google Scholar
- Rachel Tsz-Wai Lo, Ben He, and Iadh Ounis. 2005. Automatically building a stopword list for an information retrieval system. In DIR.Google Scholar
- Célestin Matte, Nataliia Bielova, and Cristiana Santos. 2020. Do Cookie Banners Respect my Choice?: Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework. In SP.Google Scholar
- GA Miller. 1995. WordNet: a lexical database for English. COMMUN ACM (1995).Google Scholar
- Trung Tin Nguyen, Michael Backes, Ninja Marnau, and Ben Stock. 2021. Share First, Ask Later (or Never?) Studying Violations of {GDPR's} Explicit Consent in Android Apps. In USENIX Security.Google Scholar
- Trung Tin Nguyen, Duc Cuong Nguyen, Michael Schilling, Gang Wang, and Michael Backes. 2020. Measuring User Perception for Detecting Unexpected Access to Sensitive Resource in Mobile Apps. In ASIA CCS.Google Scholar
- NOYB -- European Center for Digital Rights. 2021. Google: If you don't want us to track your phone -- just get another tracking ID! https://noyb.eu/en/complaint-filed-against-google-tracking-id. 2021/01/17.Google Scholar
- objection. 2021. Runtime Mobile Exploration. https://github.com/sensepost/objection. 2021/01/17.Google Scholar
- Marten Oltrogge, Nicolas Huaman, Sabrina Amft, Yasemin Acar, Michael Backes, and Sascha Fahl. 2021. Why Eve and Mallory Still Love Android: Revisiting {TLS}({In) Security} in Android Applications. In USENIX Security.Google Scholar
- Xiang Pan, Yinzhi Cao, Xuechao Du, Boyuan He, Gan Fang, Rui Shao, and Yan Chen. 2018. Flowcog: context-aware semantics extraction and analysis of information flow leaks in android apps. In USENIX Security.Google Scholar
- The European Parliament and the Council of the European Union. 2002. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). (2002).Google Scholar
- Data Protection Working Party. 2010. Opinion 4/2010 on the European code of conduct of FEDMA for the use of personal data in direct marketing. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp174_en.pdf. 2022/04/28.Google Scholar
- Data Protection Working Party. 2016. Guidelines on Consent under Regulation 2016/679 (wp259rev.01). https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051. 2020/09/04.Google Scholar
- Sai Teja Peddinti, Igor Bilogrevic, Nina Taft, Martin Pelikan, Ulfar Erlingsson, Pauline Anthonysamy, and Giles Hogben. 2019. Reducing Permission Requests in Mobile Apps. In Proceedings of ACM Internet Measurement Conference (IMC).Google ScholarDigital Library
- publicsuffixlist. 2021. publicsuffixlist. https://github.com/ko-zu/psl. 2021/05.Google Scholar
- Abbas Razaghpanah, Rishab Nithyanand, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Mark Allman, Christian Kreibich, and Phillipa Gill. 2018. Apps, trackers, privacy, and regulators: A global study of the mobile tracking ecosystem. In NDSS.Google Scholar
- General Data Protection Regulation. 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46. OJEU (2016).Google Scholar
- Jingjing Ren, Ashwin Rao, Martina Lindorfer, Arnaud Legout, and David Choffnes. 2016. Recon: Revealing and controlling pii leaks in mobile network traffic. In MobiSys.Google ScholarDigital Library
- Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo Vallina-Rodriguez, and Serge Egelman. 2018. Won't somebody think of the children?" examining COPPA compliance at scale. PETS (2018).Google Scholar
- Iskander Sanchez-Rola, Matteo Dell'Amico, Platon Kotzias, Davide Balzarotti, Leyla Bilge, Pierre-Antoine Vervier, and Igor Santos. 2019. Can i opt out yet? gdpr and the global illusion of cookie control. In Asia CCS.Google Scholar
- Rocky Slavin, Xiaoyin Wang, Mitra Bokaei Hosseini, James Hester, Ram Krishnan, Jaspreet Bhatia, Travis D Breaux, and Jianwei Niu. 2016. Toward a framework for detecting privacy policy violations in android application code. In ICSE.Google Scholar
- Bharath Sriram, Dave Fuhry, Engin Demir, Hakan Ferhatosmanoglu, and Murat Demirbas. 2010. Short text classification in twitter to improve information filtering. In ACM SIGIR.Google Scholar
- Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, and Michael Backes. 2016. Hey, you have a problem: On the feasibility of large-scale web vulnerability notification. In USENIX Security.Google Scholar
- Techcrunch. 2022a. France spanks Google $170M, Facebook $68M over cookie consent dark patterns. https://techcrunch.com/2022/01/06/cnil-facebook-google-cookie-consent-eprivacy-breaches/2022/04/28.Google Scholar
- Techcrunch. 2022b. How a small French privacy ruling could remake adtech for good. https://techcrunch.com/2018/11/20/how-a-small-french-privacy-ruling-could-remake-adtech-for-good/ 2022/04/28.Google Scholar
- Vasant Tendulkar and William Enck. 2014. An application package configuration approach to mitigating android ssl vulnerabilities. MoST (2014).Google Scholar
- Tesseract. 2022/03/08. Tesseract-OCR. https://github.com/tesseract-ocr/tesseract.Google Scholar
- Stefano Traverso, Martino Trevisan, Leonardo Giannantoni, Marco Mellia, and Hassan Metwalley. 2017. Benchmark and comparison of tracker-blockers: Should you trust them?. In TMA.Google Scholar
- Martino Trevisan, Stefano Traverso, Eleonora Bassi, and Marco Mellia. 2019. 4 years of EU cookie law: Results and lessons learned. PETS (2019).Google Scholar
- Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub, and Thorsten Holz. 2019. (Un) informed Consent: Studying GDPR Consent Notices in the Field. In CCS.Google Scholar
- Pelayo Vallina, Álvaro Feal, Julien Gamba, Narseo Vallina-Rodriguez, and Antonio Fernández Anta. 2019. Tales from the porn: A comprehensive privacy analysis of the web porn ecosystem. In IMC.Google Scholar
- Yan Wang, Hailong Zhang, and Atanas Rountev. 2016. On the unsoundness of static analysis for Android GUIs. In PLDI.Google Scholar
- Joe H Ward Jr. 1963. Hierarchical grouping to optimize an objective function. Journal of the American statistical association (1963).Google Scholar
- Takuya Watanabe, Mitsuaki Akiyama, Tetsuya Sakai, and Tatsuya Mori. 2015. Understanding the Inconsistencies between Text Descriptions and the Use of Privacy-sensitive Resources of Mobile Apps. In SOUPS.Google Scholar
- Charles Weir, Ben Hermann, and Sascha Fahl. 2020. From Needs to Actions to Secure Apps? The Effect of Requirements and Developer Practices on App Security. In USENIX Security.Google Scholar
- Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, David Wagner, and Konstantin Beznosov. 2015. Android permissions remystified: A field study on contextual integrity. In USENIX Security.Google Scholar
- Lei Xue, Hao Zhou, Xiapu Luo, Le Yu, Dinghao Wu, Yajin Zhou, and Xiaobo Ma. 2020. Packergrind: An adaptive unpacking system for android apps. IEEE Trans. Softw. Eng (2020).Google Scholar
- Zhemin Yang, Min Yang, Yuan Zhang, Guofei Gu, Peng Ning, and X Sean Wang. 2013. Appintent: Analyzing sensitive data transmission in android for privacy leakage detection. In CCS.Google ScholarDigital Library
- Le Yu, Xiapu Luo, Xule Liu, and Tao Zhang. 2016. Can we trust the privacy policies of android apps?. In DSN.Google Scholar
- Sebastian Zimmeck, Ziqi Wang, Lieyong Zou, Roger Iyengar, Bin Liu, Florian Schaub, Shomir Wilson, Norman M Sadeh, Steven M Bellovin, and Joel R Reidenberg. 2017. Automated Analysis of Privacy Requirements for Mobile Apps.. In NDSS.Google Scholar
Index Terms
- Freely Given Consent?: Studying Consent Notice of Third-Party Tracking and Its Violations of GDPR in Android Apps
Recommendations
(Un)informed Consent: Studying GDPR Consent Notices in the Field
CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications SecuritySince the adoption of the General Data Protection Regulation (GDPR) in May 2018 more than 60 % of popular websites in Europe display cookie consent notices to their visitors. This has quickly led to users becoming fatigued with privacy notifications and ...
The crisis of consent: how stronger legal protection may lead to weaker consent in data protection
In this article we examine the effectiveness of consent in data protection legislation. We argue that the current legal framework for consent, which has its basis in the idea of autonomous authorisation, does not work in practice. In practice the legal ...
Consent Verification Monitoring
Advances in personalization of digital services are driven by low-cost data collection and processing, in addition to the wide variety of third-party frameworks for authentication, storage, and marketing. New privacy regulations, such as the General Data ...
Comments