A Fait Accompli? An Empirical Study into the Absence of Consent to Third-Party Tracking in Android Apps Konrad Kollnig, Reuben Binns, Pierre Dewitte*, Max Van Kleek, Ge Wang, Daniel Omeiza, Helena Webb, Nigel Shadbolt Department of Computer Science, University of Oxford, UK *Centre for IT and IP Law, KU Leuven, Belgium firstname.lastname@(cs.ox.ac.uk | kuleuven.be) Abstract trackers benefits app developers in several ways, notably by Third-party tracking allows companies to collect users’ be- providing analytics to improve user retention, and by enabling havioural data and track their activity across digital devices. the placement of personalised advertising within apps, which This can put deep insights into users’ private lives into the often translates into a vital source of revenue for them [32,62]. hands of strangers, and often happens without users’ aware- However, it also makes app developers dependent on privacy- ness or explicit consent. EU and UK data protection law, invasive data practices that involve the processing of large however, requires consent, both 1) to access and store infor- amounts of personal data [40, 48, 62], with little awareness mation on users’ devices and 2) to legitimate the processing from users and app developers [28,71,74,85]. Data protection of personal data as part of third-party tracking, as we analyse and privacy legislation such as the General Data Protection in this paper. Regulation (GDPR) [38] in the EU and the UK, and the Chil- This paper further investigates whether and to what extent dren’s Online Privacy Protection Act (COPPA) [79] in the US, consent is implemented in mobile apps. First, we analyse a establish clear rules when it comes to the processing of per- representative sample of apps from the Google Play Store. sonal data and provide additional safeguards when it comes We find that most apps engage in third-party tracking, but to information relating to children. As explained in Section3, few obtained consent before doing so, indicating potentially consent is a necessary precondition for third-party tracking. widespread violations of EU and UK privacy law. Second, we The implementation of consent in mobile apps has—since examine the most common third-party tracking libraries in the end of 2020—sparked a fierce public battle between Ap- detail. While most acknowledge that they rely on app develop- ple and Facebook over tracking controls in iOS 14.5 [1,2]. ers to obtain consent on their behalf, they typically fail to put To give users more control over their data, Apple has intro- in place robust measures to ensure this: disclosure of consent duced an opt-in mechanism for the use of the Advertising requirements is limited; default consent implementations are Identifier (AdID)—similar to how apps currently request lo- lacking; and compliance guidance is difficult to find, hard to cation or contacts access. Facebook, like many other mobile read, and poorly maintained. advertising companies, is concerned that most users will not agree to tracking if asked more clearly and explicitly [3]; iOS users could already opt-out from the use of AdID, but were arXiv:2106.09407v2 [cs.CY] 18 Jun 2021 1 Introduction not explicitly asked by every app. By comparison, Google does not currently offer users the option to prevent apps from Third-party tracking, the deliberate collection, processing and accessing the AdID on Android in general, but intends to sharing of users’ behavioural data with third-party compa- change this from ‘late 2021’ [84]. The importance of consent nies, has become widespread across both mobile app ecosys- aside, there exists little empirical evidence as to whether mo- tems [16, 83, 85] and the web [16, 67]. The use of third-party bile apps implement any type of consent mechanisms before engaging in tracking. Despite their crucial role within the software development life cycle, putting the blame of implementing consent incor- rectly on app developers might be misguided. Many lack legal Copyright is held by the author/owner. Permission to make digital or hard expertise, depend on the use of tracking software, and face copies of all or part of this work for personal or classroom use is granted limited negotiation power in the design of tracker software, without fee. USENIX Symposium on Usable Privacy and Security (SOUPS) 2021. which is usually developed by large, multinational compa- August 8–10, 2021, Virtual Conference. nies [12,21,32,49,62]. At the same time, failure to implement (a) This app uses the Consent API devel- (b) This app uses the consent implemen- (c) This app uses a custom consent solu- oped by Google. The popup suggests that tation by Twitter MoPub. By declining, a tion. Consent is not granular. The answer personal data may be shared with 199 com- user rejects a ‘personalized ad experience’, options do not match the question. It is panies before user consent is given (‘con- but potentially not all app tracking. unclear if ‘No’ rejects analytics. tinue’). Figure 1: While most apps on the Google Play Store use third-party tracking, only few apps allow users to refuse consent (less than 3:5%). The figure shows three common examples of these 3:5% of apps. Since very few apps give users a genuine choice over tracking, our paper suggests widespread violations of EU and UK privacy law. appropriate consent mechanisms in software impacts individ- cept of consent, app privacy analysis, and existing system- uals’ choice over data collection and their informational self- wide tracking controls for Android. Section3 discusses the determination, and may expose vulnerable groups—such as role of consent for third-party tracking in the EU and UK by children—to disproportionate data collection. This underlines drawing on the guidance issued by national Data Protection the need for robust privacy guarantees in code. Authorities (DPAs). Section4 analyses the presence of con- Driven by these observations, the present contribution aims sent for third-party tracking in 1,297 Android apps randomly to answer the following research questions: sampled from the Google Play Store. Section5 reviews the guidance offered by tracker companies to app developers. Af- 1. Do app developers need to obtain valid user consent ter discussing the limitations of our approach in Section6, before engaging in third-party tracking in the EU and we turn to the discussion of our results in Section7 and our (consent requirements for tracking) UK? conclusions in Section8. 2. To what extent do apps engage in third-party tracking, and obtain valid user consent before doing so? (practices of app developers) 2 Background 3. To what extent do third-party tracking companies en- In this section, we discuss previous relevant literature, cover- courage and support app developers to obtain consent as ing the concept of consent, the empirical analysis of privacy and where required? (practices of tracker companies) in apps, and existing system-wide tracking controls for An- droid. In particular, we highlight the limits of consent, and the Contributions. In answering these questions, this paper dependence of end-users on the privacy options implemented makes three contributions. First, we clarify the role of consent by their apps and smartphone operating system. in the regulatory framework applicable in the EU and the UK when it comes to the processing of personal data for third- party tracking. Second, we provide empirical evidence as to 2.1 Promises and Limits of Consent a widespread absence of consent mechanisms to legitimise third-party tracking in 1,297 apps. Third, we analyse the Consent is a pillar of privacy and data protection law, in guidance provided by 13 commonly used tracker companies the US, EU, and many other jurisdictions and international and assess whether they inform app developers about how to frameworks. As an approach to privacy protection, consent is translate consent in code (see Figure2 and Table2). associated with the regime of notice & choice [74]. For many Structure. The rest of this paper is structured as follows. data-processing activities, companies that want to process Section2 reviews the relevant literature surrounding the con- data from an individual must 1. Adequately inform the individual (Notice), and As for network analysis, Ren et al. instrumented the VPN functionality of Android, iOS, and Windows Phone to expose 2. Obtain consent from the individual (Choice). leaks of personal data over the Internet [70]. Conducting a manual traffic analysis of 100 Google Play and 100 iOS These two fundamental requirements are often implemented apps, they found regular sharing of personal data in plain in software through the provision of a privacy policy, accom- text, including device identifiers (47 iOS, 52 Google Play panied by consent options for the end-user. apps), user location (26 iOS, 14 Google Play apps), and user The limitations of the notice & choice paradigm have been credentials (8 iOS, 7 Google Play apps). Van Kleek et al. used explored in a range of scholarship. Regarding “notice”, it has dynamic analysis to expose unexpected data flows to users and been documented that most people do not read privacy poli- design better privacy indicators for smartphones [80]. Reyes cies, and that when they try to, have difficulties understanding et al. used dynamic analysis to assess the compliance of them [69] and do not have enough time to read every such children’s apps with COPPA [71], a US privacy law to protect policy [61]. children. Having found that 73% of studied children’s apps Regarding “choice”, evidence suggests that many individ- transmit personal data over the Internet, they argued that none uals struggle with privacy decisions in practice [5, 72]. The of these apps had obtained the required “verifiable parental mismatch between stated and observed privacy preferences consent” because their automated testing tool could trigger is known as the “privacy paradox”[64], although this so- these network calls, and a child could likely do so as well.