IDPFilter: Mitigating interdependent privacy issues in third-party apps

Abstract

Third-party applications have become an essential part of today’s online ecosystem, enhancing the functionality of popular platforms. However, the intensive data exchange underlying their proliferation has raised concerns about interdependent privacy (IDP). This paper investigates the IDP issues of third-party apps that were previously not studied comprehensively. Specifically, first, we analyze the permission structure of multiple app platforms, identifying permissions that have the potential to cause interdependent privacy issues by enabling a user to share someone else’s personal data with an app. Second, we collect datasets and characterize the extent to which existing apps request these permissions, revealing the relationship between characteristics such as the respective app platform, the app’s type, and the number of interdependent privacy-related permissions it requests. Third, we analyze why IDP is neglected by both data protection regulations and app platforms and then devise the principles that should be followed when designing a mitigation solution. Finally, based on these principles and satisfying clearly defined objectives, we propose IDPFilter, a platform-agnostic API that enables application providers to minimize collateral information collection by filtering out data collected from their users, but implicating others as data subjects. We implement a proof-of-concept prototype, IDPTextFilter, that implements the filtering logic on textual data, and provide its initial performance evaluation concerning privacy, accuracy, and efficiency.