Freely Given Consent?: Studying Consent Notice of Third-Party Tracking and Its Violations of GDPR in Android Apps

Trung Tin Nguyen, M. Backes, Ben Stock
Published in: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 2022-11-07
DOI: 10.1145/3548606.3560564 (https://doi.org/10.1145/3548606.3560564)
Citation count: 8

Abstract

Adopted in May 2018, the European Union's General Data Protection Regulation (GDPR) requires the consent for processing users' personal data to be freely given, specific, informed, and unambiguous. While prior work has shown through automated network traffic analysis that such consent is often not given, no research has systematically studied how consent notices are currently implemented in mobile apps and whether they conform to GDPR. To close this research gap, we perform the first large-scale study into consent notices for third-party tracking in Android apps to understand the current practices and the current state of GDPR's consent violations. Specifically, we propose a mostly automated and scalable approach to identify the currently implemented consent notices and apply it to a set of 239,381 Android apps. As a result, we recognize four widely implemented mechanisms to interact with the consent user interfaces from 13,082 apps. We then develop a tool that, based on the identified mechanisms, automatically detects users' personal data sent out to the Internet under different consent conditions. Doing so, we find that 30,160 apps do not even attempt to implement consent notices for sharing users' personal data with third-party data controllers, which mandates explicit consent under GDPR. In contrast, out of the 13,082 apps that implemented consent notices, we identify 2,688 (20.54%) apps that violate at least one of the GDPR consent requirements, such as trying to deceive users into accepting all data sharing or even continuing to transmit data when users have explicitly opted out. To allow developers to address the problems, we send emails to notify affected developers and gather insights from their responses. Our study shows the urgent need for more transparent processing of personal data and for supporting developers in this endeavor to comply with legislation, ensuring users can make free and informed choices regarding their data.