Before and after GDPR: tracking in mobile apps

  title={Before and after GDPR: tracking in mobile apps},
  author={Konrad Kollnig and Reuben Binns and Max Van Kleek and Ulrik Lyngs and Jun Zhao and Claudine Tinsman and Nigel Shadbolt},
  journal={Internet Policy Rev.},
Third-party tracking, the collection and sharing of behavioural data about individuals, is a significant and ubiquitous privacy threat in mobile apps. The EU General Data Protection Regulation (GDPR) was introduced in 2018 to protect personal data better, but there exists, thus far, limited empirical evidence about its efficacy. This paper studies tracking in nearly two million Android apps from before and after the introduction of the GDPR. Our analysis suggests that there has been limited… 

Figures and Tables from this paper

TrackerControl: Transparency and Choice around App Tracking

Third-party tracking allows companies to collect users’ behavioural data, track their activity across digital devices, and potentially share this data with third-party companies. This can put deep

The Cost of the GDPR for Apps? Nearly Impossible to Study without Platform Data

A recently published pre-print titled ‘GDPR and the Lost Generation of Innovative Apps’ 1 observes that a third of apps on the Google Play Store disappeared from this app store around the

Tracking on the Web, Mobile and the Internet-of-Things

  • R. Binns
  • Computer Science
    Found. Trends Web Sci.
  • 2022
This paper aims to introduce tracking on the web, smartphones, and the Internet of Things, to an audience with little or no previous knowledge, and aims to provide an overarching narrative spanning this large research space.

An (Un)Necessary Evil - Users' (Un)Certainty about Smartphone App Permissions and Implications for Privacy Engineering

It is demonstrated that users are uncertain about the necessity of granting app permissions for about half of the tested permission requests, resulting in a call for user protecting interventions by privacy engineers.

A Value-centered Exploration of Data Privacy and Personalized Privacy Assistants

This work utilizes Suzy Killmister’s Four-Dimensional Theory of Autonomy (4DT) to operationalize value-centered privacy decisions and assesses the degree that an existing technology, personalized privacy assistants (PPAs), use notices in a manner that allows for value- centered decision-making.



Tracking in apps' privacy policies

Data sharing across countries, payment models and platforms is compared, finding that only opening the policy webpages shares data with third-parties for 48.5% of policies, potentially violating the GDPR.

Third Party Tracking in the Mobile Ecosystem

It is found that most apps contain third party tracking, and the distribution of trackers is long-tailed with several highly dominant trackers accounting for a large portion of the coverage.

A Fait Accompli? An Empirical Study into the Absence of Consent to Third-Party Tracking in Android Apps

It is found that most apps engage in third-party tracking, but few obtained consent before doing so, indicating potentially widespread violations of EU and UK privacy law.

Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem

An automated methods to detect third-party advertising and tracking services at the traffic level are developed and the business relationships between the providers of these services are uncovered, revealing them by their prevalence in the mobile and Web ecosystem.

Are iPhones Really Better for Privacy? A Comparative Study of iOS and Android Apps

It is found that third-party tracking and the sharing of unique user identifiers was widespread in apps from both ecosystems, even in apps aimed at children, and that neither platform is clearly better than the other for privacy across the dimensions the authors studied.

Measuring Third-party Tracker Power across Web and Mobile

The results reveal that tracker prominence and parent–subsidiary relationships have significant impact on accurately measuring concentration, and a new approach is proposed to measure the concentration of tracking capability, based on the reach of a tracker on popular websites and apps.

On The Ridiculousness of Notice and Consent: Contradictions in App Privacy Policies

Analysis of 68,051 apps from the Google Play Store, their corresponding privacy policies, and observed data transmissions, investigates the potential misrepresentations of apps in the Designed For Families program, inconsistencies in disclosures regarding third-party data sharing, as well as contradictory disclosures about secure data transmissions.

Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence

This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.

“Money makes the world go around”: Identifying Barriers to Better Privacy in Children’s Apps From Developers’ Perspectives

It is revealed that developers largely respect children’s best interests; however, they have to make compromises due to limited monetisation options, perceived harmlessness of certain third-party libraries, and lack of availability of design guidelines.

ReCon: Revealing and Controlling PII Leaks in Mobile Network Traffic

ReCon leverages machine learning to reveal potential PII leaks by inspecting network traffic, and provides a visualization tool to empower users with the ability to control these leaks via blocking or substitution of PII.