An analysis of 10 highly popular Android apps found what researchers are calling the "out of control" sharing of potentially sensitive information with third parties, in some cases in likely violation of Europe's GDPR privacy regulations.
The findings, which were published in a report issued by the Norwegian Consumer Council (NCC), prompted a coalition of nine consumer advocate and privacy groups to call on federal and state authorities to investigate. Additionally, Twitter has reportedly booted Grindr -- one of the apps detailed in the study -- off of its ad network.
The 10 apps were named as menstrual health trackers Clue and My days; online dating apps Grindr, Happn, OkCupid and Tinder; beauty app Perfect365; the religion app Muslim: Qibla Finder; the game My Talking Tom 2; and keyboard app Wave Keyboard. Cybersecurity company Mnemonic is credited with conducting the technical test on the apps from June through November 2019, checking them for integrated software development kits (SDKs) and other third-party tools that could enable them to record data and share it with partners.
Altogether, the 10 apps were found to have transmitted user data to at least 135 unique third parties who play a role in advertising or behavioral profiling, all to help marketers better target their ideal audience. Many users may never have even heard of some of these companies, let alone know that they are collecting their data, the report states.
Mobile device users are assigned various unique numerical identifiers, which allow marketing and adtech industry players to collect scores of information, tie it to these identifiers, and create complex and accurate user profiles for advertising purposes. One such identifier is the Android Advertising ID, which allows companies to track consumers across different services. All 10 apps transmitted this form of identifier to at least some of their third-party partners -- 70 altogether.
Only one stopped there -- Wave Keyboard -- while the remaining nine shared additional information with partners. "This information included the IP address and GPS location of the user, personal attributes including gender and age, and various user activities. Such information can be used to track and target these users with ads, to profile them, and consumers like them, and to infer many highly sensitive attributes including sexual orientation and religious beliefs," the report states.
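The kind of traffic audit described above, as an added example (not Mnemonic's or the NCC's code): known values are seeded on a test device, then outbound requests are searched for them to see which third-party hosts received which categories. All hostnames, parameter names and values below are constructed for illustration.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed values seeded on a test device so they can be recognised in traffic.
PROFILE = {"ad_id": "3f2a9c1e-7b44-4d0a-9e5f-0c1d2e3f4a5b", "lat": 59.9139, "lon": 10.7522}
FIRST_PARTY = {"api.exampleapp.test"}  # hypothetical host owned by the app under test
# Constructed proxy capture: (url, body) per outbound request.
CAPTURE = [
    ("https://api.exampleapp.test/v1/profile?uid=42", ""),
    ("https://ads.adnet-one.test/bid?ifa=3F2A9C1E-7B44-4D0A-9E5F-0C1D2E3F4A5B&lat=59.914&lon=10.752", ""),
    ("https://sdk.metrics-two.test/event", '{"device": {"gaid": "3f2a9c1e-7b44-4d0a-9e5f-0c1d2e3f4a5b"}, "gender": "f", "age": 31}'),
    ("https://cdn.static-three.test/lib.js?v=7", ""),
]

def flatten(obj, key=""):  # yield (key, value) leaves of nested JSON payloads
    if isinstance(obj, (dict, list)):
        items = obj.items() if isinstance(obj, dict) else ((key, v) for v in obj)
        for k, v in items:
            yield from flatten(v, k)
    else:
        yield key, str(obj)

def fields(url, body):
    pairs = parse_qsl(urlsplit(url).query)
    try:
        return pairs + list(flatten(json.loads(body)))
    except ValueError:  # not JSON: treat the body as form-encoded
        return pairs + parse_qsl(body)

def classify(key, value):
    """Name the seeded data category a parameter carries, or None."""
    if value.lower() == PROFILE["ad_id"]:
        return "advertising_id"
    try:  # coordinates are often rounded before sending, so match with a tolerance
        if min(abs(float(value) - PROFILE[c]) for c in ("lat", "lon")) <= 0.01:
            return "gps"
    except ValueError:
        pass
    return key.lower() if key.lower() in ("age", "gender") else None  # key-name heuristic

def audit(capture):
    """Map each third-party host to the categories of seeded data it received."""
    report = {}
    for url, body in capture:
        host = urlsplit(url).hostname
        hits = {c for k, v in fields(url, body) if (c := classify(k, v))}
        if hits and host not in FIRST_PARTY:
            report.setdefault(host, set()).update(hits)
    return report
```

Matching on seeded values rather than parameter names catches the advertising ID whatever an SDK calls the field; the age and gender checks rely on key names and would miss renamed or encoded fields.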
While such information is helpful to advertisers, it could also allow companies to personally identify individual users and conduct surveillance on them, or discriminate against people based on their attributes. And if such data is leaked to or accessed by malicious actors, users could be at risk of identity theft and blackmail, the report continues.
The 135 third-party partners of the 10 studied apps include such universally known names as Facebook, Google, and Twitter via its mobile app advertising platform MoPub. It also includes players such as Braze, a provider of customer relationship management and mobile marketing automation software; the mobile advertising and marketing platform AdColony; and mobile push notification service OneSignal.
According to the NCC, the researchers observed Grindr sending users' GPS coordinates, IP addresses, ages, and genders to certain partners, and information about "relationship type" to one company in particular -- Braze (although Braze did not receive users' Android Advertising ID).
"Twitter's adtech subsidiary MoPub was used as a mediator for much of this data sharing, and was observed passing personal data to a number of other advertising third parties including the major adtech companies AppNexus and OpenX," the report notes. "Many of these third parties reserve the right to share the data they collect with a very large number of partners."
Shortly after the NCC report was released, Twitter suspended Grindr's MoPub account, and provided this statement to various media outlets: "We are currently investigating this issue to understand the sufficiency of Grindr's consent mechanism. In the meantime, we have disabled Grindr's MoPub account."
Fellow dating app Tinder was also found to send GPS position and "target gender" to certain of its partners. Meanwhile, OkCupid shared user-provided data on sexuality, drug use, political views and more to Braze.
"With how the adtech industry works today, personal data is being broadcast and spread with few restraints. The multitude of violations of fundamental rights are happening at a rate of billions of times per second, all in the name of profiling and targeting advertising. It is time for a serious debate about whether the surveillance-driven advertising systems that have taken over the internet, and which are economic drivers of misinformation online, is a fair trade-off for the possibility of showing slightly more relevant ads," the report concludes.
“Every day, millions of Americans share their most intimate personal details on these apps, upload personal photos, track their periods and reveal their sexual and religious identities. But these apps and online services spy on people, collect vast amounts of personal data and share it with third parties without people’s knowledge. Industry calls it adtech. We call it surveillance. We need to regulate it now, before it’s too late,” said Burcu Kilic, digital rights program director at Public Citizen, one of the nine organizations that sent letters to Congress, the FTC and the state AGs in California, Texas and Oregon asking for an investigation.
The other organizations to sign the letter were the American Civil Liberties Union of California, Campaign for a Commercial-Free Childhood, the Center for Digital Democracy, Consumer Action, the Consumer Federation of America, Consumer Reports, the Electronic Privacy Information Center (EPIC) and U.S. Public Interest Research Groups.
"The purpose of the testing has been to increase our understanding of the mobile advertising ecosystem," said Andreas Claesson, senior security consultant with Mnemonic and lead researcher on the project, in a company blog post. "In particular, we have aimed to identify some of the main actors collecting user data from our sample set of apps, understand the type and frequency of data flows, and examine the specific information that is being transmitted."
"We were quite surprised by the amount of data sharing occurring," added project partner Tor Bjørstad, application security lead and principal consultant. "A key motivation for this project has been that data collection, sharing, and processing within the advertising industry on mobile platforms is poorly understood. We hope that this work documenting the current industry practices will help start a debate on how user data is collected and used for mobile advertising."
SC Media attempted to find press contacts for each of the 10 software developers in order to request an official comment. SC Media will add such comments as they are received.
Match Group, which operates OkCupid, posted a full statement here.
Happn said in its own statement that "we don’t sell our users’ data to third parties under any circumstances."
"In regards to the advertisements displayed in the happn app, they are shown according to market segments based on the following minimalist criteria: country, age range and gender. Happn does not participate in contextual or behavioral advertising. Therefore we do not use users' personal preferences for such purposes. With reference to the Advertising ID mentioned in the report, it is gathered by our two partners, Adjust and Facebook; however is not intended to be used for targeted advertising. It is, rather, a tool which allows us to monitor and measure the performance of our marketing campaigns."
Outfit7, makers of My Talking Tom 2, said in a statement: "At Outfit7, the online privacy of our users is of the utmost importance. We cooperate with global data protection industry experts to make sure that our games uphold strict industry standards and comply with all applicable data protection laws. All ad providers we work with directly for the purpose of interest-based advertising are, by way of binding agreement, limited in the extent of the collection of our end users' data. Furthermore, an independent third party runs regular compliance monitoring of all tracking in our apps and we regularly monitor the collection of data by third-party ad providers to ensure and enforce compliance."
Clue also provided a statement: "Clue does not share any of our users' health or menstrual cycle data, nor do we sell any user data to any third-party service, including advertisers, and we never will... Clue does share anonymized data with carefully-vetted researchers within academic institutions working to improve female reproductive health, and we do so without any financial gain. We only share usage data, such as how often users open the app or which in-app screens they visit, with Braze. This usage data does not include when a user's fertile window occurs (i.e. when they are most likely to become pregnant), but rather if the user has enabled or disabled the ‘fertile window’ feature in the app (which they might choose to do for a variety of reasons). We share usage data with Braze so that we can make improvements to the Clue app and its features, and to ensure that our communication with users via in-app messages, push notifications, and email remains relevant."
The statement continues, "Usage data is less sensitive than the health-related private data that our users track, but we still follow best practices in data protection here, carefully vetting our service providers for their level of data protection compliance. We have removed usage data that could be used by third-party services to infer cycle or health data. We take GDPR compliance very seriously and have done so since the EU directive was introduced."