惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
小众软件
小众软件
The Last Watchdog
The Last Watchdog
Latest news
Latest news
P
Palo Alto Networks Blog
C
Cisco Blogs
C
Cyber Attacks, Cyber Crime and Cyber Security
L
Lohrmann on Cybersecurity
P
Privacy International News Feed
NISL@THU
NISL@THU
T
Threat Research - Cisco Blogs
T
Threatpost
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
Spread Privacy
Spread Privacy
T
Tor Project blog
Cyberwarzone
Cyberwarzone
C
Cybersecurity and Infrastructure Security Agency CISA
AWS News Blog
AWS News Blog
S
Securelist
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Simon Willison's Weblog
Simon Willison's Weblog
P
Privacy & Cybersecurity Law Blog
Hugging Face - Blog
Hugging Face - Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
C
CERT Recently Published Vulnerability Notes
V
Visual Studio Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
月光博客
月光博客
博客园 - 司徒正美
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
罗磊的独立博客
A
Arctic Wolf
腾讯CDC
WordPress大学
WordPress大学
IT之家
IT之家
Last Week in AI
Last Week in AI
博客园 - 聂微东
P
Proofpoint News Feed
Y
Y Combinator Blog
Apple Machine Learning Research
Apple Machine Learning Research
Hacker News: Ask HN
Hacker News: Ask HN
Help Net Security
Help Net Security
Blog — PlanetScale
Blog — PlanetScale
爱范儿
爱范儿
美团技术团队
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Tailwind CSS Blog

Blog of Simple Analytics

The EU wants to kill cookie banners Google is tracking you (even when you use DuckDuckGo) German court rules Meta’s tracking tech violates GDPR Closing the data gap - Simple Analytics x Usercentrics The EU-US data deal may be dead in the water You are missing 20% of your website data with GA4 How a reverse trial will push Simple Analytics to the next level Google will start tracking all your devices (WTF?) Big Tech Fails EU’s Digital Services Act: Only Wikipedia Passes the Test Meta fined $102 million by the Irish Data Protection Commission Europeans spend 575 Million hours per year clicking cookie banners The most interesting GDPR fines GDPR and fines: all there is to know Google loses key antitrust case Web Analytics for Crypto Companies Web analytics for publishers Google pulls Uno Reverse card: Rolls back decision to kill third-party cookies Privacy Monthly July 2024 Privacy Perspectives June 2024 Privacy Monthly June APRA fumbles targeted advertising Privacy Monthly May Meta loses key privacy battle Google delays cookie phase-out once again Privacy Monthly April 2024 Web Analytics and Consent Cookies 101 Privacy Monthly March 2024 German authority cracks down on cookie banners Google Tag Manager vs Google Analytics Google search alternative Data retention in Google Analytics Guide to Google Analytics and Cookie consent What are Google Analytics' identifiers? How to export data from Google Analytics Privacy Monthly February 2024 The Criteo case: a big deal for Big Tech Privacy Monthy January 2024 What the Digital Markets Act means for privacy Google Settles in $5B Incognito Mode Lawsuit Legal troubles for Adobe Analytics Web analytics for nonprofits HIPAA and mental health Why Meta subscriptions are under attack, and why it matters for privacy Privacy Monthly: December Simple Analytics AI Host analytics on Cloudflare Zaraz Add Google Analytics to Convertkit Google Analytics Pricing - Paid vs Free Road to 1 Million ARR - October update CCPA and Data Protection: all there is to know Analytics without a cookie banner Enterprise Analytics Privacy Monthly: November 2023 Delete Act: all you need to know The road to 1 Million ARR - September Update Privacy Monthly: October 2023 HIPAA violations First challenge to the EU-US data transfer framework Direct Marketing under GDPR Road to 1 million ARR - August Update CCPA vs CPRA: what is new? Privacy Monthly: September 2023 A/B Testing with Simple Analytics Dobbs v. Jackson ruling is a privacy mess Privacy Monthly: August 2023 What are your rights under the CCPA? When does the CCPA apply? How does the HIPAA compare to the CCPA and GDPR? Why Meta is in a world of trouble CJEU: cookie-based analytics collects sensitive data Road to 1 million ARR - July update All about the new Data Transfer Framework Road to 1 Million ARR - June update What is PHI under HIPAA? Sweden declares Google Analytics illegal Searching for GA4 Alternatives? Top 10 Reliable Options for Google Analyticss Ultimate HIPAA Compliance Checklist: Essential Steps for Healthcare Providers Privacy Monthly: June 2023 More troubles for Google Analytics The path to 1M ARR - May Update Data Processing Agreements Minimal Product Analytics Facebook data transfers declared illegal Is Google Analytics CCPA-compliant? Help us with your input Cookie banners: How to stay GDPR compliant? GDPR Compliance Checklist Privacy Monthly: May 2023 Simple Analytics: Privacy-first website analytics Improve your e-commerce performance with analytics European Facebook blackout is closer than we think Know your website’s Carbon Emissions - and how to reduce it The path to 1M ARR - April 2023 How to add video tracking using Google Tag Manager? How to track form submissions using Google Tag Manager? Why is my Simple Analytics data different from Google Analytics? Debug Simple Analytics script How to Import Google Analytics Data to Simple Analytics
Mobile App Tracking Under Fire
Carlo Cilent · 2023-10-17 · via Blog of Simple Analytics

In September Dutch NGO SDBN proposed a class action against XCorp (formerly Twitter) for unlawfully tracking its users and collecting personal data for advertising.

The action also involves MoPub, a mobile advertising platform formerly owned by Twitter and later sold to AppLovin. The involvement of MoPub is a big deal because its trackers are found in thousands of apps, including popular services such as Shazam and Duolingo.

Around the same time, privacy NGO noyb filed complaints against three mobile apps with the French privacy authority, claiming the apps track users illegally. More information on the complaints can be found on the organization’s website.

EU regulators are finally called to enforce the law against mobile apps. But what is the issue with trackers and mobile apps, and why do these cases matter?

  1. An overlooked issue
  2. How does mobile tracking work?
  3. Is mobile tracking concerning?
  4. What does the GDPR say about mobile tracking?
  5. What is there to know about the cases?
  6. Why are these cases important?
  7. Will things change for the better?

The UK Government chose Simple AnalyticsJoin them

An overlooked issue

Tracking and behavioral advertising have been a hot topic in the privacy community for a while now. This is no surprise, as countless companies rely on tools such as Meta’s Pixels or Google Analytics.

There has been plenty of news on the topic, from Meta’s €400M fine for the unlawful tracking and profiling of Facebook and Instagram users, to the Belgian DPA’s ongoing procedure on IAB Europe’s Transparency and Consent Framework.

Mobile apps do not get the same degree of attention as traditional, cookie-based tracking technology. So, let’s take a closer look at how apps track their users, and see why app surveillance is a huge threat to privacy.

How does mobile tracking work?

You are probably familiar with cookie-based tracking on the Internet. Companies want to identify visitors in order to evaluate the performance of their websites and their marketing campaigns. More often than not, they also want to track their visitors around the Web in order to display personalized advertising based on personal data such as interests, location, demographic, and so on.

Most websites do this by placing cookies in the user’s browser- which can only be done with the user’s consent under EU law (the general rules are a little more complicated than that, but that’s how it works for web analytics in a nutshell).

Mobile tracking is different: apps extract data directly from the user's device and send it to the mother company of the software development kits (SDKs) embedded in the apps.

SDKs are “building blocks” of sorts that make it easier for software developers to create an app. An SDK is essentially a pre-made bundle of code that allows apps to perform tasks such as authenticating users, retrieving information from an API, sharing data, and so on. Companies can save a lot of development time by including an SDK in their app instead of programming complex features from scratch.

SKDs are very useful for software developers. In the fast-paced, highly competitive mobile app market, companies constantly race each other in order to occupy a niche before the competition beats them to it. It is essential for devs to get the product out fast, and SDKs are the easiest way to do so. Using SDKs is pretty much standard practice in the industry, and we all have several on our smartphones.

But there is a catch. SDKs are typically made available for free, but include code that extracts information from end users and provides it to the company that developed the kit. So, developers get SDKs for free, and you pay for them with your data when you download the app.

Is mobile tracking concerning?

If you follow our blog, you probably know we are not the biggest fans of cookies. Tracking via mobile apps is even worse, for several reasons.

First of all, apps are sneaky. You can check your cookies with just a few clicks on through your browser, but it takes a lot of work and know-how to figure out what data your apps are collecting from your phone.

Noyb's complaints are a great example. The organization's website explains in detail how noyb found what personal data were being collected and shared. noyb first rooted a device, then used third-party software to capture and decrypt outgoing traffic. Not terribly user-friendly.

Furthermore, browsers give users control over cookies, as they can be cleared with just a few clicks. Users have no such control over mobile apps.

The access authorizations systems found in most OSs allow for some degree of user control over data collection- for instance, by allowing users to deny access to location data or the device’s microphone. However, other personal data are not locked behind the authorization system. Additionally, some apps will simply require the data in order to run- essentially blackmailing the user into providing unnecessary data.

Cross-device tracking is also trivial for mobile apps because many users install the same apps on different devices and log in with the same profile.

Finally, many apps use the same SDKs and feed data to the same companies, including usual suspects such as Google and Meta. This centralization is a significant privacy risk: the data collected by certain apps may appear innocuous, but can be very revealing when combined with data from other apps.

Let’s say you use a mental health app and a calorie tracking app. You frequently use them together because you tend to seek comfort in food when you feel sad or anxious. If the apps are powered by the same SDKs, you may see ads for food delivery whenever you visit a website after using the mental health app. Combining data from your apps allows the SDK’s developer to capitalize on your comfort-seeking behaviors.

This is just an example of the unethical and predatory advertising strategies made possible by the centralization of personal data on the mobile advertising market. Imagine what companies can do with a few more apps on your phone.

We already have rules to ensure that mobile apps respect user privacy- we just haven’t enforced them enough.

Under the ePrivacy Directive, consent is required for reading and writing any data on the user’s device. This includes the tracking IDs that SDKs typically write on mobile devices, as well as other economically valuable data such as location data. In practice, many apps either ignore this requirement entirely, or extort consent by refusing to work unless the user gives them the data they want (which is not allowed under the GDPR).

(To be clear, it is fine for apps to ask for data they really need. Google Maps needs your location, Tinder does not!)

Transparency is also quite problematic for apps. Under the GDPR, whenever someone collects your data, they are under an obligation to provide you with some essential information: what data is being collected, by whom, for what purpose, whether it will be shared with third parties, and so on. But most apps provide incomplete privacy policies because companies themselves often have no idea what data their apps collect through SDKs.

What is there to know about the cases?

Noyb’s complaints target three popular mobile apps available on the French market: FNAC, Se Loger, and MyFitnessPal (which coincidentally uses MoPub’s SDKs). As explained in this example complaint, noyb claims the apps unlawfully process data without user consent, which is against the ePrivacy Directive of the EU and the French laws that implement it. Noyb also claims that the apps violate the GDPR’s principle of data protection by design and default by collecting unnecessary data.

It is worth noting that the French data protection authority (CNIL) recently issued some big fines over illegal tracking (which we wrote about). We believe that noyb has a strong case and that the CNIL will take the matter quite seriously. Of course, only time will tell.

As for the class action against X Corp, the SDBN’s website claims that thousands of apps collected personal data without consent through MoPub’s trackers. We don’t know much aside from that, as the organization’s press release only describes the lawsuit in broad strokes.

It is worth noting that the organization is acting on behalf of millions of people, which could result in substantial damages being awarded by Dutch courts.

Why are these cases important?

As we explained, the privacy issues raised by mobile apps do not get the attention they deserve, and there has been little law enforcement against mobile app publishers and SDK distributors so far.

The legal actions from SDBN and noyb will hopefully change this. Noyb is a well known organization in the privacy community, and the CNIL is an influential authority. Noyb’s complaints are sure to draw some attention if they go well for the NGO.

As for SDBN, its lawsuit could cost X Corp a lot of money. But most importantly, it indirectly involves thousands of apps, including popular services such as Shazam and MyFitnessPal. So, this legal action could impact the trackers found in countless services.

Will things change for the better?

We sure hope so, and there are reasons to be optimistic.

Centralization makes the mobile advertising market profitable, but may also make the business model vulnerable to litigation. Successful legal action against the owners of ubiquitous SDKs may impact thousands of apps and send waves across the entire market- especially if a case were to make its way to the EU Court of Justice or the European Data Protection Board.

Furthermore, future complaints against mobile tracking will likely fall under the ePrivacy Directive and bypass the GDPR’s notoriously inefficient system for handling cross-border cases. This could lead to faster procedures because complaints would be decided in the State where they are filed instead of bouncing back and forth between different Member States.

Mobile apps have been looming in the background of our phones for years now, quietly hoarding personal data on a massive scale. Hopefully these legal actions will draw some attention on the issue of mobile tracking, and nudge regulators toward stricter enforcement in the long run.

As you have probably figured out, we do not like tracking. We believe it is irresponsible, dangerous, and unethical. This is why we created Simple Analytics to provide our customers with all the insights they need- without collecting personal data from the end user. If this sounds good to you, feel free to give us a try!