🔬 Research summary by Konrad Kollnig, a doctoral researcher at the Department of Computer Science at the University of Oxford. In his research, he analyses how the technical architecture of the smartphone ecosystem may pose harm to its users, particularly their right to data protection and their ability to limit these harms.
[Original paper by Konrad Kollnig, Reuben Binns, Max Van Kleek, Jun Zhao, Ulrik Lyngs, Claudine Tinsman, Nigel Shadbolt]
Overview: The GDPR was introduced with great hopes in 2018, but has it actually changed the data practices of mobile apps? Our paper analyses tracking, a common and invasive data practice in mobile apps, and finds that change has been limited so far.
Introduction
Tracking, the collection and sharing of behavioural data about individuals, is a significant and ubiquitous privacy threat in mobile apps. The EU General Data Protection Regulation (GDPR) was introduced in 2018 to protect personal data better, but there exists, thus far, limited empirical evidence about the law’s efficacy in achieving its aims. Our recent paper “Before and after GDPR: tracking in mobile apps” – jointly authored together with my colleagues at the University of Oxford – studies tracking in nearly two million Android apps from before and after the introduction of the GDPR. Our results suggest that there has been limited change in the presence of tracking in apps, and that the concentration of tracking capabilities among a few large gatekeeper companies persists.
Methodology
To study the impact of the GDPR on tracking in apps, we analysed 2 million apps from the UK Google Play Store, 1 million apps from 2017 and 1 million from 2020. Methodologically, we replicated previous work by Binns, Lyngs et al. (2018) on analysing tracking in 1 million Android apps and another study by Binns, Zhao et al. (2018) that computed the market concentration of tracking companies from 5,000 apps and 5,000 websites. In contrast to these previous studies, we focused on the changes of the tracking ecosystem over time and since the introduction of the GDPR. We performed an automated scan of apps’ *.dex files (corresponding to the compiled application code) to identify all domains that are known to belong to tracking companies, thereby characterising what companies apps can potentially send personal data to. If there have been changes in the extent of tracking following the introduction of the GDPR, we should expect that they show up in our results.
The distribution of trackers has not changed much
Our results suggest that the GDPR has not had a large effect on the distribution of tracking across apps on the UK Google Play Store (see Figure 1). For instance, 85% of apps from 2017 could send data to Alphabet, compared to 89% in 2020. 43% could send data to Facebook/Meta in 2017, and 38% in 2020. The same handful of tracking companies have similar prevalence and prominence; the average app contains a similar number of trackers (measured at the level of companies rather than domains); and a consistent percentage of apps (15%) contain more than ten tracker companies.
Figure 1. Prevalence and prominence tracking companies in the studied apps.
Market concentration and competition
Our analysis hints at a high level of concentration in the tracking market (see Figure 2). Alphabet/Google and Meta/Facebook continue to dominate app tracking. Their dominance is particularly present in the number of apps they cover (“Prevalence” in Figure 1, rather than share of app installs). If these companies can show ads on devices that other competitor advertising companies hardly have access to (e.g. due to the default bias of app developers to use the software solutions of established brands), they can extract sizeable revenues from their dominance of the tracking market, and might even be able to exert meaningful control over advertising prices. From our data, this seems to be particularly the case for those apps that have few installs.
Figure 2. Various metrics for market concentration in tracking show limited change and a level of concentration in the tracking market. An HHI over 0.1 is deemed by EU competition authorities as an indicator of high market concentration. For details, consult our paper.
Conclusions
Our results might seem surprising, given that the GDPR presents significant challenges for compliance in the context of multiple third parties, particularly potential fines (up to 4% of global annual turnover), better regulatory alignment and enforcement (by the GDPR being a Regulation instead of a Directive and prescribing coordination mechanisms between regulators), and a higher bar for consent (which is necessary for most forms of tracking). Crucially, most instances of tracking without user consent were already against the law before the GDPR, under the 2009 ePrivacy Directive. In previous research analysing a representative subset of the same apps from 2020, we found that about 70% of apps sent data to tracking companies immediately at the first app start; less than 10% asked for the legally required consent (Kollnig et al., 2021). This hints to widespread violations of basic principles of EU data protection law, and underlines that data protection law cannot operate without enforcement.
While our analysis points to limited change in the tracking ecosystem so far, change might be imminent. Apple and Google have been introducing various privacy measures (e.g. Google’s FLOC and Apple’s Tracking Transparency Framework) that could, despite increasing the concentration of data collection with these companies, improve data protection and user privacy. An important driver of these new privacy measures has been the emergence and overhaul of data protection and privacy laws around the globe, more extensive regulatory action, and ultimately the increased privacy expectations of citizens. In this sense, the GDPR has already contributed to changing the mobile tracking ecosystem by shaping people’s expectations around privacy, increasing data protection enforcement, and motivating the emergence of new and revised data protection laws outside the EU.
Between the lines
While the GDPR is far-reaching, the law is not perfect. The analysis of apps’ privacy practices remains difficult, which conflicts with the strict transparency requirements for the processing of personal data laid out in the GDPR (Article 5). Moreover, enforcement of existing privacy rules remains limited. Both the EU and UK are currently planning to revise their data protection and privacy laws. According to our analysis, the lack of transparency and of enforcement of the existing rules are key issues that need to be addressed.
References
Binns, R., Lyngs, U., Van Kleek, M., Zhao, J., Libert, T., & Shadbolt, N. (2018). Third Party Tracking in the Mobile Ecosystem. Proceedings of the 10th ACM Conference on Web Science, 23–31. https://doi.org/10.1145/3201064.3201089
Binns, R., Zhao, J., Kleek, M. V., & Shadbolt, N. (2018). Measuring Third-party Tracker Power across Web and Mobile. ACM Transactions on Internet Technology, 18(4), 1–22. https://doi.org/10.1145/3176246
Kollnig, K., Binns, R., Dewitte, P., Kleek, M. V., Wang, G., Omeiza, D., Webb, H., & Shadbolt, N. (2021, September 9). A fait accompli? A Fait Accompli? An Empirical Study into the Absence of Consent to Third-Party Tracking in Android Apps. Proceedings of the Seventeenth Symposium on Usable Privacy and Security. https://www.usenix.org/system/files/soups2021_slides_kollnig.pdf