One Year Into GDPR, Most Apps Still Harvest Data Without Permission

While good-acting companies knock themselves out trying to comply with data protection and privacy laws, and regulators debate the minutiae of cookie consent policies, bad actors simply couldn’t care less.

The front door may be locked, but the basement windows are wide open.

Unauthorized data harvesting from mobile apps has continued nearly unabated in the year since Europe’s General Data Protection Regulation came into force last May.

In a recent test conducted for AdExchanger, mobile analytics company Kochava examined the behavior of the top 2,700 apps in the Google Play store in the United States compared with France, where GDPR applies.

Despite a small drop in the average number of network requests coming per app in France, which was to be expected, there was no discernible difference in the prevalence of data transmission between regions.

Sharing, not caring

Nearly 60% of apps sent advertising IDs to a remote endpoint at least once either directly or through a third-party SDK, regardless of where the users were located or whether they’d given consent.

Apps often presented users with a consent notice screen and then ignored the user’s choice, transmitting the data regardless of the user’s preference.

“The regulation exists, but is there a body in Belgium looking at the mobile ecosystem to try and determine which calls from a device are legitimate or not – hell no, that’s not happening,” said Grant Simmons, head of client analytics at Kochava.

But even if there was, this stuff is hard to catch by design, Simmons said. Around 30% of the data calls transmitted to and from devices are encrypted and when fraudsters enter the picture, they usually use transitory domains to obscure their actions, including data harvesting.

Reap and sow

To be fair, the GDPR was created to unify privacy laws for the collection and processing of personal data across EU member states, not to tackle ad fraud.

But the lucrative nature of ad fraud is a primary motivator behind shady data collection and non-permissioned data sharing.

And some of the worst GDPR violators are app developers that monetize by adding third-party code and SDKs to their apps without understanding the implications, said Asaf Greiner, CEO and founder of Protected Media, a provider of anti-fraud technology.

In some cases, developers harvest personally identifiable information from app users to share with advertisers, which advertisers might find useful but also represents a violation of GDPR.

If an app doesn’t care about draining a user’s battery or slurping up their data plan, “it’s safe to assume that data protection is low down on their list,” said Greiner, noting that most ad fraud is uncovered because of the bite it takes out of advertising budgets, while the privacy violation aspects “remain under the radar.”

Protected Media is regularly approached by companies offering to sell data or social graphs. Greiner always makes a point of asking the salesperson how the data they’re peddling was obtained and what’s in it. “Invariably, they can never answer me,” Greiner said, “which leaves me to believe that they’re very rarely asked where they get the data from.”

GDPR doesn’t touch the digital ad ecosystem’s “chain of custody issue,” Simmons said.

“Bad information is collected and syndicated at scale through ad networks,” he said. “It’s like data laundering – ad networks as willful clearing houses for nefarious publishers.”

An intractable problem

There’s no easy way to end illicit data sharing by apps because the ecosystem is so murky.

“Not a single regulator understands this, and there aren’t even laws [against ad fraud] yet for them to use to go after bad actors,” said independent ad fraud researcher Augustine Fou.

Then again, there’s no reason European regulators can’t at least use their new powers to shine a light on companies that aren’t making an effort to comply with GDPR, if not the unabashed criminal element.

“GDPR introduced a very clear accountability duty for businesses, and regulators can perform ad hoc audits when they like,” said Enza Iannopollo, a senior analyst covering security and risk at Forrester. “The barrier, in my opinion, is not GDPR, but a shortage of resources.”

Be that as it may, the industry only really has a shot at cutting down on bad acting apps with ulterior motives if there’s “a significant amount of collaboration” between regulatory watchdogs, the government and the app store providers themselves, said Gabe Morazan, director of product and digital governance at Evidon parent company Crownpeak.

Because even if good actors try to stay clean, fishy apps – and apps with fishy SDKs – will keep harvesting data and pumping it out into the mobile ecosystem if there’s a buck to be made.

This post was syndicated from Ad Exchanger.