CISPA
cispa_all_3400.pdf (798.37 kB)

Share First, Ask Later (or Never?) - Studying Violations of GDPR's Explicit Consent in Android Apps

conference contribution
posted on 2023-11-29, 18:16 authored by Trung Tin Nguyen, Michael Backes, Ninja Marnau, Ben Stock
Since the General Data Protection Regulation (GDPR) went into effect in May 2018, online services are required to obtain users' explicit consent before sharing users' personal data with third parties that use the data for their own purposes. While violations of this legal basis on the Web have been studied in-depth, the community lacks insight into such violations in the mobile ecosystem. We perform the first large-scale measurement on mobile apps in the wild to understand the current state of the violation of GDPR's explicit consent. Specifically, we build an automated pipeline to detect data sent out to the Internet without prior consent and apply it to a set of 86,163 Android apps. Based on the domains that receive data protected under the GDPR without prior consent, we collaborate with a legal scholar to assess if these contacted domains are third-party data controllers. Doing so, we find 24,838 apps send personal data towards data controllers without the user's explicit prior consent. To understand the reasons behind this, we run a notification campaign to inform affected developers and gather insights from their responses. We then conduct an in-depth analysis of violating apps, the corresponding third parties' documentation, and privacy policies. Based on the responses and our analysis of available documentation, we derive concrete recommendations for all involved entities in the ecosystem to allow data subjects to exercise their fundamental rights and freedoms.

History

Preferred Citation

Trung Nguyen, Michael Backes, Ninja Marnau and Ben Stock. Share First, Ask Later (or Never?) - Studying Violations of GDPR's Explicit Consent in Android Apps. In: Usenix Security Symposium (USENIX-Security). 2021.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Usenix Security Symposium (USENIX-Security)

Legacy Posted Date

2021-05-07

Open Access Type

  • Green

BibTeX

@inproceedings{cispa_all_3400,
  title = "Share First, Ask Later (or Never?) - Studying Violations of GDPR's Explicit Consent in Android Apps",
  author = "Nguyen, Trung Tin and Backes, Michael and Marnau, Ninja and Stock, Ben",
  booktitle = "{Usenix Security Symposium (USENIX-Security)}",
  year = "2021",
}
