An analysis of 10 highly popular Android apps found what researchers are calling the “out of control” sharing of potentially sensitive information with third parties, in some cases in likely violation of Europe’s GDPR privacy regulations.
The findings, which were published in a report issued by the Norwegian Consumer Council (NCC), prompted a coalition of nine consumer advocate and privacy groups to call on federal and state authorities to investigate. Additionally, Twitter has reportedly booted Grindr — one of the apps detailed in the study — off of its ad network.
The 10 apps were named as menstrual health trackers Clue and My days; online dating apps Grindr, Happn, OkCupid and Tinder, beauty app Perfect365, the religion app Muslim: Qibla Finder, the game My Talking Tom 2 and keyboard app Wave Keyboard. Cybersecurity company Mnemonic is credited with conducting the technical test on the apps from June through November 2019, checking them for integrated software development kits (SDKs) and other third-party tools that could enable them to record data and share it with partners.
Altogether, the 10 apps were found to have transmitted user data to at least 135 unique third parties who play a role in advertising or behavioral profiling, all to help marketers better optimize their efforts of targeting their ideal audience. Many users may never have even heard of some of these companies, let alone know that they are collecting their data, the report states.
Mobile device users are assigned various unique numerical identifiers, which allow marketing and adtech industry players to collect scores of information, tie it to these identifiers, and create complex and accurate user profiles for advertising purposes. One such identifier is the Android Advertising ID, which allows companies to track consumers across different services. All 10 apps transmitted this form of identifier to at least some of its third-party partners — 70 altogether.
Only one stopped there — Wave Keyboard — while the remaining nine shared additional information with partners. “This information included the IP address and GPS location of the user, personal attributes including gender and age, and various user activities. Such information can be used to track and target these users with ads, to profile them, and consumers like them, and to infer many highly sensitive infer attributes including sexual orientation and religious beliefs,” the report states.
While such information is helpful to advertisers, it could also allow companies to personally identify individual users and conduct surveillance on them, or discriminate against people based on their attributes. And if such data is leaked to or accessed by malicious actors, users could be at risk of identity theft and blackmail, the report continues.
The 135 third-party partners of the 10 studied apps include such universally known names as Facebook, Google, and Twitter via its mobile app advertising platform MoPub. It also includes players such as Braze, a provider of customer relationship management and mobile marketing automation software; the mobile advertising and marketing platform AdColony, and mobile push notification service OneSignal.
According to the NCC, the researchers observed Grinder sending users’ GPS coordinates IP addresses, ages, and genders to certain partners, and information about “relationship type” to one company in particular — Braze (although Braze did not receive users’ Android Advertising ID).
“Twitter’s adtech subsidiary MoPub was used as a mediator for much of this data sharing, and was observed passing personal data to a number of other advertising third parties including the major adtech companies AppNexus and OpenX,” the report notes. “Many of these third parties reserve the right to share the data they collect with a very large number of partners.”
Shortly after the NCC report was released, Twitter suspended Grindr’s MoPub account, and provided this statement to various media outlets: “We are currently investigating this issue to understand the sufficiency of Grindr’s consent mechanism. In the meantime, we have disabled Grindr’s MoPub account.”
Fellow dating app Tinder was also found to send GPS position and “target gender” to certain of its partners. Meanwhile, OkCupid shared user-provided data on sexuality, drug use, political views and more to Braze.
“With how the adtech industry works today, personal data is being broadcast and spread with few restraints. The multitude of violations of fundamental rights are happening at a rate of billions of times per second, all in the name of profiling and targeting advertising. It is time for a serious debate about whether the surveillance-driven advertising systems that have taken over the internet, and which are economic drivers of misinformation online, is a fair trade-off for the possibility of showing slightly more relevant ads,” the report concludes.
“Every day, millions of Americans share their most intimate personal details on these apps, upload personal photos, track their periods and reveal their sexual and religious identities. But these apps and online services spy on people, collect vast amounts of personal data and share it with third parties without people’s knowledge. Industry calls it adtech. We call it surveillance. We need to regulate it now, before it’s too late,” said Burcu Kilic, digital rights program director at Public Citizen, one of the nine organizations that sent letters to Congress, the FTC and the state AGs in California, Texas and Oregon asking for an investigation.
The other organizations to sign the letter were the American Civil Liberties Union of California, Campaign for a Commercial-Free Childhood, the Center for Digital Democracy, Consumer Action, the Consumer Federation of America, Consumer Reports, the Electronic Privacy Information Center (EPIC) and U.S. Public Interest Research Groups.
“The purpose of the testing has been to increase our understanding of the mobile advertising ecosystem,” said Andreas Claesson, senior security consultant with Mnemonic and lead researcher on the project, in a company blog post. “In particular, we have aimed to identify some of the main actors collecting user data from our sample set of apps, understand the type and frequency of data flows, and examine the specific information that is being transmitted.”
“We were quite surprised by the amount of data sharing occurring,” added project partner Tor Bjørstad, application security lead and principal consultant. “A key motivation for this project has been that data collection, sharing, and processing within the advertising industry on mobile platforms is poorly understood. We hope that this work documenting the current industry practices will help start a debate on how user data is collected and used for mobile advertising.”
SC Media attempted to find press contacts for each of the 10 software developers in order to request an official comment. SC Media will add such comments as they are received.