A Comprehensive Study on Third-Party User Tracking in Mobile Applications

Federica Paci; Jacopo Pizzoli; Nicola Zannone

doi:10.1145/3600160.3605079

A Comprehensive Study on Third-Party User Tracking in Mobile Applications

Federica Paci, Jacopo Pizzoli, Nicola Zannone

Data Protection

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

4 Citations (Scopus)

14 Downloads (Pure)

Abstract

Third-party tracking is becoming a prevalent practice in mobile app ecosystems. While providing benefits for app developers, this practice also introduces several privacy issues for end-users. The European General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD) mandate that mobile apps must obtain user consent before sharing users' personal data with third-party trackers. This work presents an empirical study investigating the compliance of 400 popular mobile apps (200 Android apps and their corresponding version for iOS) with the ePD and GDPR requirements on valid consent. Moreover, we determined whether these mobile apps actually enforce the consent given by users on being tracked and which are the more common third-party tracker domains contacted by the apps. The analysis shows that none of the studied apps fully comply with ePD and GDPR requirements on valid consent. The most common violations were associated with the principles of freely-given, specific, and revocable consent. Moreover, we found that almost half of the analyzed apps contact third-party tracker domains even when the user has not given their consent to be tracked.

Original language	English
Title of host publication	ARES '23
Subtitle of host publication	Proceedings of the 18th International Conference on Availability, Reliability and Security
Place of Publication	New York
Publisher	Association for Computing Machinery, Inc
Number of pages	8
ISBN (Electronic)	979-8-4007-0772-8
DOIs	https://doi.org/10.1145/3600160.3605079
Publication status	Published - 29 Aug 2023
Event	18th International Conference on Availability, Reliability and Security, ARES 2023 - Benevento, Italy Duration: 29 Aug 2023 → 1 Sept 2023 Conference number: 18

Conference

Conference	18th International Conference on Availability, Reliability and Security, ARES 2023
Abbreviated title	ARES 2023
Country/Territory	Italy
City	Benevento
Period	29/08/23 → 1/09/23

Keywords

ePD
GDPR
mobile apps
Privacy
third-party tracking
valid consent

Access to Document

10.1145/3600160.3605079

pdfFinal published version, 1.57 MB

Cite this

@inproceedings{c9bdb57706c0420f991d8bccc632bd02,

title = "A Comprehensive Study on Third-Party User Tracking in Mobile Applications",

abstract = "Third-party tracking is becoming a prevalent practice in mobile app ecosystems. While providing benefits for app developers, this practice also introduces several privacy issues for end-users. The European General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD) mandate that mobile apps must obtain user consent before sharing users' personal data with third-party trackers. This work presents an empirical study investigating the compliance of 400 popular mobile apps (200 Android apps and their corresponding version for iOS) with the ePD and GDPR requirements on valid consent. Moreover, we determined whether these mobile apps actually enforce the consent given by users on being tracked and which are the more common third-party tracker domains contacted by the apps. The analysis shows that none of the studied apps fully comply with ePD and GDPR requirements on valid consent. The most common violations were associated with the principles of freely-given, specific, and revocable consent. Moreover, we found that almost half of the analyzed apps contact third-party tracker domains even when the user has not given their consent to be tracked.",

keywords = "ePD, GDPR, mobile apps, Privacy, third-party tracking, valid consent",

author = "Federica Paci and Jacopo Pizzoli and Nicola Zannone",

year = "2023",

month = aug,

day = "29",

doi = "10.1145/3600160.3605079",

language = "English",

booktitle = "ARES '23",

publisher = "Association for Computing Machinery, Inc",

address = "United States",

note = "18th International Conference on Availability, Reliability and Security, ARES 2023, ARES 2023 ; Conference date: 29-08-2023 Through 01-09-2023",

}

Paci, F, Pizzoli, J & Zannone, N 2023, A Comprehensive Study on Third-Party User Tracking in Mobile Applications. in ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security., 97, Association for Computing Machinery, Inc, New York, 18th International Conference on Availability, Reliability and Security, ARES 2023, Benevento, Italy, 29/08/23. https://doi.org/10.1145/3600160.3605079

A Comprehensive Study on Third-Party User Tracking in Mobile Applications. / Paci, Federica; Pizzoli, Jacopo; Zannone, Nicola.
ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security. New York: Association for Computing Machinery, Inc, 2023. 97.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - A Comprehensive Study on Third-Party User Tracking in Mobile Applications

AU - Paci, Federica

AU - Pizzoli, Jacopo

AU - Zannone, Nicola

N1 - Conference code: 18

PY - 2023/8/29

Y1 - 2023/8/29

N2 - Third-party tracking is becoming a prevalent practice in mobile app ecosystems. While providing benefits for app developers, this practice also introduces several privacy issues for end-users. The European General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD) mandate that mobile apps must obtain user consent before sharing users' personal data with third-party trackers. This work presents an empirical study investigating the compliance of 400 popular mobile apps (200 Android apps and their corresponding version for iOS) with the ePD and GDPR requirements on valid consent. Moreover, we determined whether these mobile apps actually enforce the consent given by users on being tracked and which are the more common third-party tracker domains contacted by the apps. The analysis shows that none of the studied apps fully comply with ePD and GDPR requirements on valid consent. The most common violations were associated with the principles of freely-given, specific, and revocable consent. Moreover, we found that almost half of the analyzed apps contact third-party tracker domains even when the user has not given their consent to be tracked.

AB - Third-party tracking is becoming a prevalent practice in mobile app ecosystems. While providing benefits for app developers, this practice also introduces several privacy issues for end-users. The European General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD) mandate that mobile apps must obtain user consent before sharing users' personal data with third-party trackers. This work presents an empirical study investigating the compliance of 400 popular mobile apps (200 Android apps and their corresponding version for iOS) with the ePD and GDPR requirements on valid consent. Moreover, we determined whether these mobile apps actually enforce the consent given by users on being tracked and which are the more common third-party tracker domains contacted by the apps. The analysis shows that none of the studied apps fully comply with ePD and GDPR requirements on valid consent. The most common violations were associated with the principles of freely-given, specific, and revocable consent. Moreover, we found that almost half of the analyzed apps contact third-party tracker domains even when the user has not given their consent to be tracked.

KW - ePD

KW - GDPR

KW - mobile apps

KW - Privacy

KW - third-party tracking

KW - valid consent

UR - http://www.scopus.com/inward/record.url?scp=85169667945&partnerID=8YFLogxK

U2 - 10.1145/3600160.3605079

DO - 10.1145/3600160.3605079

M3 - Conference contribution

AN - SCOPUS:85169667945

BT - ARES '23

PB - Association for Computing Machinery, Inc

CY - New York

T2 - 18th International Conference on Availability, Reliability and Security, ARES 2023

Y2 - 29 August 2023 through 1 September 2023

ER -

A Comprehensive Study on Third-Party User Tracking in Mobile Applications

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this