Computer Scientists on Undercover Mission

Three researchers have tested more than 200 apps: Do they provide personal data of their users on request?

There are also undercover investigators in science: Using so-called “undercover field research”, three computer scientists from the universities of Bamberg and Hamburg and the Weizenbaum Institute put the vendors of mobile apps to the test. They wanted to find out whether app vendors would release personal user data on request, as required by law. “Our study shows that many vendors do not comply with their legal obligation to provide information,” says Prof. Dr. Dominik Herrmann, holder of the Chair for Privacy and Security in Information Systems at the University of Bamberg. “In total, we examined 225 iOS and Android apps. With most vendors, there was something to complain about.” The study was presented at the international IT security conference “ARES 2020” in August and won the Best Paper Award.

One fifth of the app vendors did not respond

Dominik Herrmann, Jens Lindemann from the University of Hamburg and Jacob Leon Kröger from the Weizenbaum Institute conducted the longitudinal study between 2015 and 2019. Its title is: “How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps”. For their undercover study, the computer scientists created fake user profiles and handed this personal data to a total of 225 app vendors. Around a third of the apps came from Germany, the others from countries around the world. In 2015, 2018 and 2019, the scientists asked the vendors to disclose the personal data they had stored about them. “Many vendors – on average 20 percent – did not respond at all, some were not even reachable,” explains Dominik Herrmann. Often the answers were insufficient, for example because they were incomprehensibly structured or the links to the requested data did not work. “One provider even sent us sensitive data of another person.”

GDPR did not lead to an improvement

The scientists paid particular attention to the differences between 2018 and 2019. In May 2018, the EU’s General Data Protection Regulation (GDPR) came into force; among other things, it specifies the right of users to access the personal data that companies hold about them. “We expected a positive trend after its introduction,” says Dominik Herrmann. “Instead, the number of acceptable responses declined: from 53 percent in 2018 to 41 percent in 2019.” The scientists rated a response as acceptable if the vendor either sent the requested user data or could credibly justify that the data was no longer stored. The research team was concerned that around three-quarters of the vendors did not check the identity of the person making the request. Over the four-year period, the researchers noted positive developments only in individual areas; for example, the inquirers were provided with more comprehensible data.

Improvement through more resources and sampling

What can users do if they do not receive the information they are entitled to? “Data subjects should contact the data protection authorities that pursue such violations,” explains Dominik Herrmann. He also recommends that apps should always be selected carefully and that as little personal information as possible should be disclosed – or even false information should be given if possible. In order to better enforce the provisions of the GDPR, the research team believes that the government needs to act: “The responsible supervisory authorities need more budget and personnel in order to fulfill their legally stipulated task. They could then carry out comprehensive spot checks or issue sector-specific guidelines for companies. Ideally, app vendors will provide us with uniform and automated interfaces for privacy requests in the future, obviating the need for the error-prone manual processing of such requests.”

Publication (Open Access):

Jacob Leon Kröger, Jens Lindemann, Dominik Herrmann. 2020. How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps. ARES ’20: Proceedings of the 15th International Conference on Availability, Reliability and Security.

Video presentation of the main results (15 minutes):

This post was originally published by the University of Bamberg (in German) and can be found here.