Home Privacy One Year Into GDPR, Most Apps Still Harvest Data Without Permission

One Year Into GDPR, Most Apps Still Harvest Data Without Permission

SHARE:

While good-acting companies knock themselves out trying to comply with data protection and privacy laws, and regulators debate the minutiae of cookie consent policies, bad actors simply couldn’t care less.

The front door may be locked, but the basement windows are wide open.

Unauthorized data harvesting from mobile apps has continued nearly unabated in the year since Europe’s General Data Protection Regulation came into force last May.

In a recent test conducted for AdExchanger, mobile analytics company Kochava examined the behavior of the top 2,700 apps in the Google Play store in the United States compared with France, where GDPR applies.

Despite a small drop in the average number of network requests coming per app in France, which was to be expected, there was no discernible difference in the prevalence of data transmission between regions.

Sharing, not caring

Nearly 60% of apps sent advertising IDs to a remote endpoint at least once either directly or through a third-party SDK, regardless of where the users were located or whether they’d given consent.

Apps often presented users with a consent notice screen and then ignored the user’s choice, transmitting the data regardless of the user’s preference.

“The regulation exists, but is there a body in Belgium looking at the mobile ecosystem to try and determine which calls from a device are legitimate or not – hell no, that’s not happening,” said Grant Simmons, head of client analytics at Kochava.

But even if there was, this stuff is hard to catch by design, Simmons said. Around 30% of the data calls transmitted to and from devices are encrypted and when fraudsters enter the picture, they usually use transitory domains to obscure their actions, including data harvesting.

Reap and sow

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

To be fair, the GDPR was created to unify privacy laws for the collection and processing of personal data across EU member states, not to tackle ad fraud.

But the lucrative nature of ad fraud is a primary motivator behind shady data collection and non-permissioned data sharing.

And some of the worst GDPR violators are app developers that monetize by adding third-party code and SDKs to their apps without understanding the implications, said Asaf Greiner, CEO and founder of Protected Media, a provider of anti-fraud technology.

In some cases, developers harvest personally identifiable information from app users to share with advertisers, which advertisers might find useful but also represents a violation of GDPR.

If an app doesn’t care about draining a user’s battery or slurping up their data plan, “it’s safe to assume that data protection is low down on their list,” said Greiner, noting that most ad fraud is uncovered because of the bite it takes out of advertising budgets, while the privacy violation aspects “remain under the radar.”

Protected Media is regularly approached by companies offering to sell data or social graphs. Greiner always makes a point of asking the salesperson how the data they’re peddling was obtained and what’s in it. “Invariably, they can never answer me,” Greiner said, “which leaves me to believe that they’re very rarely asked where they get the data from.”

GDPR doesn’t touch the digital ad ecosystem’s “chain of custody issue,” Simmons said.

“Bad information is collected and syndicated at scale through ad networks,” he said. “It’s like data laundering – ad networks as willful clearing houses for nefarious publishers.”

An intractable problem

There’s no easy way to end illicit data sharing by apps because the ecosystem is so murky.

“Not a single regulator understands this, and there aren’t even laws [against ad fraud] yet for them to use to go after bad actors,” said independent ad fraud researcher Augustine Fou.

Then again, there’s no reason European regulators can’t at least use their new powers to shine a light on companies that aren’t making an effort to comply with GDPR, if not the unabashed criminal element.

“GDPR introduced a very clear accountability duty for businesses, and regulators can perform ad hoc audits when they like,” said Enza Iannopollo, a senior analyst covering security and risk at Forrester. “The barrier, in my opinion, is not GDPR, but a shortage of resources.”

Be that as it may, the industry only really has a shot at cutting down on bad acting apps with ulterior motives if there’s “a significant amount of collaboration” between regulatory watchdogs, the government and the app store providers themselves, said Gabe Morazan, director of product and digital governance at Evidon parent company Crownpeak.

Because even if good actors try to stay clean, fishy apps – and apps with fishy SDKs – will keep harvesting data and pumping it out into the mobile ecosystem if there’s a buck to be made.

Must Read

play button with many coins isolated on blue background. The concept of monetization of the video. Making money on video content. minimal style. 3d rendering

Exclusive: Connatix And JW Player Merge To Create A One-Stop Shop For Video Monetization

On Wednesday, video monetization platforms Connatix and JW Player announced plans to merge into a new entity called JWP Connatix. The deal was first rumored in July.

HUMAN Raises $50 Million

HUMAN plans to build a deterministic ID from its tracking of more than 20 trillion digital signals per week across 3 billion devices, which will aid attribution for ecommerce.

Buyers Can Now Target High-Attention Inventory In The Trade Desk

By applying Adelaide’s Attention Unit scoring, buyers can target low-, medium- and high-attention inventory via TTD’s self-serve platform.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

How Should Advertisers Navigate A TikTok Ban Or Google Breakup? Just Ask Brian Wieser

The online advertising industry is staring down the barrel of not one but two potential shutdowns that could radically change where brands put their ad dollars in 2025, according to Madison and Wall’s Brian Weiser and Olivia Morley.

Intent IQ Has Patents For Ad Tech’s Most Basic Functions – And It’s Not Afraid To Use Them

An unusual dilemma has programmatic vendors and ad tech platforms worried about a flurry of potential patent infringement suits.

TikTok Video For Open Web Publishers? Outbrain Built It.

Outbrain is trying to shed its chumbox rep by bringing social media-style vertical video to mobile publishers on the open web.