
One Year Into GDPR, Most Apps Still Harvest Data Without Permission


While good-acting companies knock themselves out trying to comply with data protection and privacy laws, and regulators debate the minutiae of cookie consent policies, bad actors simply couldn’t care less.

The front door may be locked, but the basement windows are wide open.

Unauthorized data harvesting from mobile apps has continued nearly unabated in the year since Europe’s General Data Protection Regulation came into force last May.

In a recent test conducted for AdExchanger, mobile analytics company Kochava examined the behavior of the top 2,700 apps in the Google Play store in the United States compared with France, where GDPR applies.

Despite a small, and expected, drop in the average number of network requests per app in France, there was no discernible difference between the two regions in how often apps transmitted data.

Sharing, not caring

Nearly 60% of apps sent advertising IDs to a remote endpoint at least once either directly or through a third-party SDK, regardless of where the users were located or whether they’d given consent.

Apps often presented users with a consent notice screen and then ignored the choice they made, transmitting the data regardless.

“The regulation exists, but is there a body in Belgium looking at the mobile ecosystem to try and determine which calls from a device are legitimate or not – hell no, that’s not happening,” said Grant Simmons, head of client analytics at Kochava.

But even if there were, this stuff is hard to catch by design, Simmons said. Around 30% of the data calls transmitted to and from devices are encrypted, and when fraudsters enter the picture, they usually use transitory domains to obscure their actions, including data harvesting.
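The test described above boils down to a repeatable check: capture an app's network traffic on an instrumented test device, record what consent choice was made on the app's consent screen, and look for the device's advertising ID leaving the device anyway. The script below is an added example of that audit and is not Kochava's tooling or any code from the article. It assumes a capture format (one JSON object per request, emitted by a TLS-intercepting proxy on the test device), a constructed device advertising ID, constructed app names, and a constructed list of third-party SDK hosts; requests the proxy could not decrypt are counted as uninspected rather than silently treated as clean, which is the blind spot the encrypted-traffic figure above points at.

```python
"""Consent-compliance audit over a constructed mobile-app request capture.

Added example, not the article's or Kochava's code. Each record is what an
instrumented test device behind a TLS-intercepting proxy could log: app id,
store region, the consent choice made on the app's consent screen, the
request URL, whether the proxy could decrypt the request, and the body.
"""
from __future__ import annotations

import json
from urllib.parse import urlsplit

# Advertising ID of the constructed test device. A real harness would read the
# device's actual ID; the audit then searches captures for that known value.
DEVICE_AD_ID = "7f3a1c2e-9b4d-4e6f-8a1b-2c3d4e5f6a7b"

# Constructed hosts that belong to third-party SDKs rather than the app's own
# backend. In practice this list comes from the SDKs bundled in the app.
THIRD_PARTY_HOSTS = {"sdk.example-adnet.test", "collect.example-analytics.test"}

# Constructed capture: one JSON object per line (raw string so the JSON
# escapes inside "body" survive). The last FR record uses a throwaway-looking
# host to mirror the transitory domains mentioned in the article.
SAMPLE_LOG = r"""
{"app": "com.example.weather", "region": "FR", "consent": "denied", "url": "https://api.example-weather.test/v1/forecast?city=Paris", "decrypted": true, "body": ""}
{"app": "com.example.weather", "region": "FR", "consent": "denied", "url": "https://sdk.example-adnet.test/init?gaid=7f3a1c2e-9b4d-4e6f-8a1b-2c3d4e5f6a7b&os=android", "decrypted": true, "body": ""}
{"app": "com.example.weather", "region": "US", "consent": "not_shown", "url": "https://sdk.example-adnet.test/init?gaid=7f3a1c2e-9b4d-4e6f-8a1b-2c3d4e5f6a7b&os=android", "decrypted": true, "body": ""}
{"app": "com.example.notes", "region": "FR", "consent": "denied", "url": "https://sync.example-notes.test/push", "decrypted": false, "body": ""}
{"app": "com.example.notes", "region": "FR", "consent": "denied", "url": "https://sync.example-notes.test/ping", "decrypted": true, "body": ""}
{"app": "com.example.game", "region": "FR", "consent": "granted", "url": "https://collect.example-analytics.test/e", "decrypted": true, "body": "{\"event\":\"open\",\"device\":{\"adid\":\"7f3a1c2e-9b4d-4e6f-8a1b-2c3d4e5f6a7b\"}}"}
{"app": "com.example.game", "region": "FR", "consent": "denied", "url": "https://collect.example-analytics.test/e", "decrypted": true, "body": "{\"event\":\"open\",\"device\":{\"adid\":\"7f3a1c2e-9b4d-4e6f-8a1b-2c3d4e5f6a7b\"}}"}
{"app": "com.example.flash", "region": "FR", "consent": "denied", "url": "https://a1b2c3.example-cdn.test/t", "decrypted": true, "body": "adid=7f3a1c2e-9b4d-4e6f-8a1b-2c3d4e5f6a7b&ev=start"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines capture text into request records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def carries_device_ad_id(rec: dict) -> bool:
    """True if the known advertising ID appears anywhere in the URL or body.

    A plain substring match works across query strings, JSON and form bodies
    but does not catch hashed or otherwise derived forms of the ID.
    """
    needle = DEVICE_AD_ID.lower()
    return needle in rec["url"].lower() or needle in (rec.get("body") or "").lower()


def _summarize(r: dict) -> dict:
    return {
        "apps": len(r["apps"]),
        "requests": r["requests"],
        "uninspected_share": round(r["uninspected"] / r["requests"], 2),
        "sent_ad_id": len(r["sent_ad_id"]),
        "sent_despite_denial": sorted(r["sent_despite_denial"]),
        "via_third_party": sorted(r["via_third_party"]),
    }


def audit(records: list[dict]) -> dict[str, dict]:
    """Per region: how many apps sent the ad ID at all, how many did so after
    the user denied consent, which of those did it through a third-party SDK
    host, and what share of requests could not be inspected at all."""
    per_region: dict[str, dict] = {}
    for rec in records:
        r = per_region.setdefault(rec["region"], {
            "apps": set(), "sent_ad_id": set(), "sent_despite_denial": set(),
            "via_third_party": set(), "requests": 0, "uninspected": 0,
        })
        r["apps"].add(rec["app"])
        r["requests"] += 1
        if not rec["decrypted"]:
            r["uninspected"] += 1   # cannot say anything about this request
            continue
        if not carries_device_ad_id(rec):
            continue
        r["sent_ad_id"].add(rec["app"])
        if rec["consent"] == "denied":
            r["sent_despite_denial"].add(rec["app"])
            if urlsplit(rec["url"]).hostname in THIRD_PARTY_HOSTS:
                r["via_third_party"].add(rec["app"])
    return {region: _summarize(r) for region, r in per_region.items()}


if __name__ == "__main__":
    print(json.dumps(audit(parse_log(SAMPLE_LOG)), indent=2))
```

On the constructed sample, three of the four French apps send the advertising ID after the user denied consent; two do so through a recognised SDK host, while the third uses an unfamiliar domain that the host list does not catch, which is why the leak check keys on the ID value rather than on the destination. The `uninspected_share` figure is the part of the capture the audit can say nothing about, and should be reported alongside the leak counts rather than folded into them.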

Reap and sow


To be fair, the GDPR was created to unify privacy laws for the collection and processing of personal data across EU member states, not to tackle ad fraud.

But the lucrative nature of ad fraud is a primary motivator behind shady data collection and non-permissioned data sharing.

And some of the worst GDPR violators are app developers that monetize by adding third-party code and SDKs to their apps without understanding the implications, said Asaf Greiner, CEO and founder of Protected Media, a provider of anti-fraud technology.

In some cases, developers harvest personally identifiable information from app users to share with advertisers, which advertisers might find useful but which also violates GDPR.

If an app doesn’t care about draining a user’s battery or slurping up their data plan, “it’s safe to assume that data protection is low down on their list,” said Greiner, noting that most ad fraud is uncovered because of the bite it takes out of advertising budgets, while the privacy violation aspects “remain under the radar.”

Protected Media is regularly approached by companies offering to sell data or social graphs. Greiner always makes a point of asking the salesperson how the data they’re peddling was obtained and what’s in it. “Invariably, they can never answer me,” Greiner said, “which leaves me to believe that they’re very rarely asked where they get the data from.”

GDPR doesn’t touch the digital ad ecosystem’s “chain of custody issue,” Simmons said.

“Bad information is collected and syndicated at scale through ad networks,” he said. “It’s like data laundering – ad networks as willful clearing houses for nefarious publishers.”

An intractable problem

There’s no easy way to end illicit data sharing by apps because the ecosystem is so murky.

“Not a single regulator understands this, and there aren’t even laws [against ad fraud] yet for them to use to go after bad actors,” said independent ad fraud researcher Augustine Fou.

Then again, there’s no reason European regulators can’t at least use their new powers to shine a light on companies that aren’t making an effort to comply with GDPR, if not the unabashed criminal element.

“GDPR introduced a very clear accountability duty for businesses, and regulators can perform ad hoc audits when they like,” said Enza Iannopollo, a senior analyst covering security and risk at Forrester. “The barrier, in my opinion, is not GDPR, but a shortage of resources.”

Be that as it may, the industry only really has a shot at cutting down on bad-acting apps with ulterior motives if there’s “a significant amount of collaboration” between regulatory watchdogs, the government and the app store providers themselves, said Gabe Morazan, director of product and digital governance at Evidon parent company Crownpeak.

Because even if good actors try to stay clean, fishy apps – and apps with fishy SDKs – will keep harvesting data and pumping it out into the mobile ecosystem if there’s a buck to be made.
