The Norwegian consumer protection agency Forbrukerrådet documents the direct transfer of sensitive data through popular apps to sometimes dozens of different advertising partners. The consumer advocates even filed a complaint against the dating app Grindr, which is popular with homosexual and bisexual men, and several advertising partners for violating the European General Data Protection Regulation (GDPR).
General data protection regulation does not slow down tracking
"Twenty months after the General Data Protection Regulation came into effect, users are still being secretly monitored and tracked – with no way of knowing who is processing their data or how to stop them," said a study by the government-funded consumer protection agency submitted on Tuesday. In it, Forbrukerrådet documents a detailed legal and technical analysis of how user data from a total of ten Android apps are processed and passed on.
Among the tested apps are several dating apps like Grindr and OKCupid, but also an app for Muslims, two period calendars and the app "My Tanking Tom 2" aimed at children. In order to document the data passed on to advertising customers, the consumer advocates analyzed both the data protection declarations of the manufacturers and the data communication of the apps that can be observed directly.
Advertising out of control
Data flows to 135 different third-party companies were documented for the ten apps. Many of these are advertising platforms that pass on data in the course of the advertising business, such as programmatic advertising auctions, to a large number of other companies. The front runner was the Perfect365 make-up app, which forwarded user data to more than 70 third-party companies.
The data sent often included exact location data and unique identifiers of the smartphones used, as well as the IP address of the users. The companies repeatedly emphasize that they only pass on pseudonymised data; Forbrukerrådet, on the other hand, points out that this is counteracted by passing on unique ID numbers. Given the abundance of circulating data, many industry participants can combine the data into a comprehensive profile, a "digital twin".
"None of the apps provided the users with the necessary data to make an informed decision about tracking," criticize consumer advocates. Many providers simply refer to the system-wide settings in Android. A standard advertising ID is integrated into Google's operating system, which apps can access without requesting explicit authorization from the user. This ID was transmitted to 70 different third-party companies in the test.
Users can deactivate personalization using this ID via Android system settings. However, a 2016 survey found that only 17 percent of users changed these settings. It emerged that 30 percent mistakenly assumed that they had deactivated the data transmission.
. (TagsToTranslate) DSGVO (t) Privacy (t) Grindr