-
From Ad Identifiers to Global Privacy Control: The Status Quo and Future of Opting Out of Ad Tracking on Android
Authors:
Sebastian Zimmeck,
Nishant Aggarwal,
Zachary Liu,
Konrad Kollnig
Abstract:
Apps and their integrated third party libraries often collect a variety of data from people to show them personalized ads. This practice is often privacy-invasive. Since 2013, Google has therefore allowed users to limit ad tracking on Android via system settings. Further, under the 2018 California Consumer Privacy Act (CCPA), apps must honor opt-outs from ad tracking under the Global Privacy Control (GPC). The efficacy of these two methods to limit ad tracking has not been studied in prior work. Our legal and technical analysis details how the GPC applies to mobile apps and how it could be integrated directly into Android, thereby developing a reference design for GPC on Android. Our empirical analysis of 1,896 top-ranked Android apps shows that both the Android system-level opt-out and the GPC signal rarely restrict ad tracking. In our view, deleting the AdID and opting out under the CCPA has the same meaning. Thus, the current AdID setting and APIs should be evolved towards GPC and integrated into Android's Privacy Sandbox.
Submitted 20 July, 2024;
originally announced July 2024.
-
Google's Chrome Antitrust Paradox
Authors:
Shaoor Munir,
Konrad Kollnig,
Anastasia Shuba,
Zubair Shafiq
Abstract:
This article delves into Google's dominance of the browser market, highlighting how Google's Chrome browser is playing a critical role in asserting Google's dominance in other markets. While Google perpetuates the perception that Google Chrome is a neutral platform built on open-source technologies, we argue that Chrome is instrumental in Google's strategy to reinforce its dominance in online advertising, publishing, and the browser market itself. Our examination of Google's strategic acquisitions, anti-competitive practices, and the implementation of so-called "privacy controls," shows that Chrome is far from a neutral gateway to the web. Rather, it serves as a key tool for Google to maintain and extend its market power, often to the detriment of competition and innovation.
We examine how Chrome not only bolsters Google's position in advertising and publishing through practices such as coercion, and self-preferencing, it also helps leverage its advertising clout to engage in a "pay-to-play" paradigm, which serves as a cornerstone in Google's larger strategy of market control. We also discuss potential regulatory interventions and remedies, drawing on historical antitrust precedents. We propose a triad of solutions motivated from our analysis of Google's abuse of Chrome: behavioral remedies targeting specific anti-competitive practices, structural remedies involving an internal separation of Google's divisions, and divestment of Chrome from Google.
Despite Chrome's dominance and its critical role in Google's ecosystem, it has escaped antitrust scrutiny -- a gap our article aims to bridge. Addressing this gap is instrumental to solve current market imbalances and future challenges brought on by increasingly hegemonizing technology firms, ensuring a competitive digital environment that nurtures innovation and safeguards consumer interests.
Submitted 26 June, 2024; v1 submitted 4 April, 2024;
originally announced June 2024.
-
Exploring Antitrust and Platform Power in Generative AI
Authors:
Konrad Kollnig,
Qian Li
Abstract:
The concentration of power in a few digital technology companies has become a subject of increasing interest in both academic and non-academic discussions. One of the most noteworthy contributions to the debate is Lina Khan's Amazon's Antitrust Paradox. In this work, Khan contends that Amazon has systematically exerted its dominance in online retail to eliminate competitors and subsequently charge above-market prices. This work contributed to Khan's appointment as the chair of the US Federal Trade Commission (FTC), one of the most influential antitrust organisations. Today, several ongoing antitrust lawsuits in the US and Europe involve major technology companies like Apple, Google/Alphabet, and Facebook/Meta. In the realm of generative AI, we are once again witnessing the same companies taking the lead in technological advancements, leaving little room for others to compete. This article examines the market dominance of these corporations in the technology stack behind generative AI from an antitrust law perspective.
Submitted 10 July, 2023; v1 submitted 20 June, 2023;
originally announced June 2023.
-
We Are Not There Yet: The Implications of Insufficient Knowledge Management for Organisational Compliance
Authors:
Thomas Şerban von Davier,
Konrad Kollnig,
Reuben Binns,
Max Van Kleek,
Nigel Shadbolt
Abstract:
Since GDPR went into effect in 2018, many other data protection and privacy regulations have been released. With the new regulation, there has been an associated increase in industry professionals focused on data protection and privacy. Building on related work showing the potential benefits of knowledge management in organisational compliance and privacy engineering, this paper presents the findings of an exploratory qualitative study with data protection officers and other privacy professionals. We found issues with knowledge management to be the underlying challenge of our participants' feedback. Our participants noted four categories of feedback: (1) a perceived disconnect between regulation and practice, (2) a general lack of clear job description, (3) the need for data protection and privacy to be involved at every level of an organisation, (4) knowledge management tools exist but are not used effectively. This paper questions what knowledge management or automation solutions may prove to be effective in establishing better computer-supported work environments.
Submitted 6 May, 2023;
originally announced May 2023.
-
Priorities for more effective tech regulation
Authors:
Konrad Kollnig
Abstract:
Ample research has demonstrated that compliance with data protection principles remains limited on the web and mobile. For example, almost none of the apps on the Google Play Store fulfil the minimum requirements regarding consent under EU and UK law, while most of them share tracking data with companies like Google/Alphabet and Facebook/Meta and would likely need to seek consent from their users. Indeed, recent privacy efforts and enforcement by Apple have had - in some regards - a more pronounced effect on apps' data practices than the EU's ambitious General Data Protection Regulation (GDPR). Given the current mismatch between the law on the books and data practices in reality, iterative changes to current legal practice will not be enough to meaningfully tame egregious data practices. Hence, this technical report proposes a range of priorities for academia, regulators and the interested public in order to move beyond the status quo.
Submitted 27 February, 2023;
originally announced February 2023.
-
Before and after China's new Data Laws: Privacy in Apps
Authors:
Konrad Kollnig,
Lu Zhang,
Jun Zhao,
Nigel Shadbolt
Abstract:
Privacy in apps is a topic of widespread interest because many apps collect and share large amounts of highly sensitive information. In response, China introduced a range of new data protection laws over recent years, notably the Personal Information Protection Law (PIPL) in 2021. So far, there exists limited research on the impacts of these new laws on apps' privacy practices. To address this gap, this paper analyses data collection in pairs of 634 Chinese iOS apps, one version from early 2020 and one from late 2021. Our work finds that many more apps now implement consent. Yet, those end-users that decline consent will often be forced to exit the app. Fewer apps now collect data without consent but many still integrate tracking libraries. We see our findings as characteristic of a first iteration at Chinese data regulation with room for improvement.
Submitted 2 March, 2023; v1 submitted 27 February, 2023;
originally announced February 2023.
-
The Cost of the GDPR for Apps? Nearly Impossible to Study without Platform Data
Authors:
Konrad Kollnig,
Reuben Binns
Abstract:
A recently published pre-print titled 'GDPR and the Lost Generation of Innovative Apps' by Janßen et al. observes that a third of apps on the Google Play Store disappeared from this app store around the introduction of the GDPR in May 2018. The authors deduce 'that GDPR is the cause'. The effects of the GDPR on the app economy are an important field to study. Unfortunately, the paper currently lacks a control condition and a key variable. As a result, the effects on app exits reported in the paper are likely overestimated, as we will discuss. We believe there are other factors which may better explain these changes in the Play Store aside from the GDPR.
Submitted 20 June, 2022;
originally announced June 2022.
-
Imagining, Studying and Realising A Less Harmful App Ecosystem
Authors:
Konrad Kollnig,
Siddhartha Datta,
Nigel Shadbolt
Abstract:
Desktop browser extensions have long allowed users to improve their experience online and tackle widespread harms on websites. So far, no equivalent solution exists for mobile apps, despite the fact that individuals now spend significantly more time on mobile than on desktop, and arguably face similarly widespread harms.
In this work, we investigate mobile app extensions, a previously underexplored concept to study and address digital harms within mobile apps in a decentralised, community-driven way. We analyse challenges to adoption of this approach so far, and present a ready-to-use implementation for Android as a result of significant and careful system development. Through a range of case studies, we demonstrate that our implementation can already reduce (though not completely eliminate) a wide range of harms - similarly as browser extensions do on desktops.
Our method provides a versatile foundation for a range of follow-up research into digital harms in mobile apps that has not previously been possible, given that browser extensions have long been a fruitful foundation for research studies on desktops. In other words, our system tries to address the gap of a focus on desktop interventions in previous research.
Submitted 24 February, 2023; v1 submitted 2 May, 2022;
originally announced May 2022.
-
GreaseVision: Rewriting the Rules of the Interface
Authors:
Siddhartha Datta,
Konrad Kollnig,
Nigel Shadbolt
Abstract:
Digital harms can manifest across any interface. Key problems in addressing these harms include the high individuality of harms and the fast-changing nature of digital systems. As a result, we still lack a systematic approach to study harms and produce interventions for end-users. We put forward GreaseVision, a new framework that enables end-users to collaboratively develop interventions against harms in software using a no-code approach and recent advances in few-shot machine learning. The contribution of the framework and tool allow individual end-users to study their usage history and create personalized interventions. Our contribution also enables researchers to study the distribution of harms and interventions at scale.
Submitted 7 April, 2022;
originally announced April 2022.
-
Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels
Authors:
Konrad Kollnig,
Anastasia Shuba,
Max Van Kleek,
Reuben Binns,
Nigel Shadbolt
Abstract:
Tracking is a highly privacy-invasive data collection practice that has been ubiquitous in mobile apps for many years due to its role in supporting advertising-based revenue models. In response, Apple introduced two significant changes with iOS 14: App Tracking Transparency (ATT), a mandatory opt-in system for enabling tracking on iOS, and Privacy Nutrition Labels, which disclose what kinds of data each app processes. So far, the impact of these changes on individual privacy and control has not been well understood. This paper addresses this gap by analysing two versions of 1,759 iOS apps from the UK App Store: one version from before iOS 14 and one that has been updated to comply with the new rules.
We find that Apple's new policies, as promised, prevent the collection of the Identifier for Advertisers (IDFA), an identifier for cross-app tracking. Smaller data brokers that engage in invasive data practices will now face higher challenges in tracking users - a positive development for privacy. However, the number of tracking libraries has roughly stayed the same in the studied apps. Many apps still collect device information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting). We find real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code, thereby violating Apple's policies. We find that Apple itself engages in some forms of tracking and exempts invasive data practices like first-party tracking and credit scoring. We also find that the new Privacy Nutrition Labels are sometimes inaccurate and misleading.
Overall, our findings suggest that, while tracking individual users is more difficult now, the changes reinforce existing market power of gatekeeper companies with access to large troves of first-party data and motivate a countermovement.
Submitted 7 May, 2022; v1 submitted 7 April, 2022;
originally announced April 2022.
-
Before and after GDPR: tracking in mobile apps
Authors:
Konrad Kollnig,
Reuben Binns,
Max Van Kleek,
Ulrik Lyngs,
Jun Zhao,
Claudine Tinsman,
Nigel Shadbolt
Abstract:
Third-party tracking, the collection and sharing of behavioural data about individuals, is a significant and ubiquitous privacy threat in mobile apps. The EU General Data Protection Regulation (GDPR) was introduced in 2018 to protect personal data better, but there exists, thus far, limited empirical evidence about its efficacy. This paper studies tracking in nearly two million Android apps from before and after the introduction of the GDPR. Our analysis suggests that there has been limited change in the presence of third-party tracking in apps, and that the concentration of tracking capabilities among a few large gatekeeper companies persists. However, change might be imminent.
Submitted 21 December, 2021;
originally announced December 2021.
-
Mind-proofing Your Phone: Navigating the Digital Minefield with GreaseTerminator
Authors:
Siddhartha Datta,
Konrad Kollnig,
Nigel Shadbolt
Abstract:
Digital harms are widespread in the mobile ecosystem. As these devices gain ever more prominence in our daily lives, so too increases the potential for malicious attacks against individuals. The last line of defense against a range of digital harms - including digital distraction, political polarisation through hate speech, and children being exposed to damaging material - is the user interface. This work introduces GreaseTerminator to enable researchers to develop, deploy, and test interventions against these harms with end-users. We demonstrate the ease of intervention development and deployment, as well as the broad range of harms potentially covered with GreaseTerminator in five in-depth case studies.
Submitted 1 February, 2022; v1 submitted 20 December, 2021;
originally announced December 2021.
-
Tracking in apps' privacy policies
Authors:
Konrad Kollnig
Abstract:
Data protection law, including the General Data Protection Regulation (GDPR), usually requires a privacy policy before data can be collected from individuals. We analysed 15,145 privacy policies from 26,910 mobile apps in May 2019 (about one year after the GDPR came into force), finding that only opening the policy webpages shares data with third-parties for 48.5% of policies, potentially violating the GDPR. We compare this data sharing across countries, payment models (free, in-app-purchases, paid) and platforms (Google Play Store, Apple App Store). We further contacted 52 developers of apps, which did not provide a privacy policy, and asked them about their data practices. Despite being legally required to answer such queries, 12 developers (23%) failed to respond.
Submitted 26 November, 2021; v1 submitted 15 November, 2021;
originally announced November 2021.
-
Are iPhones Really Better for Privacy? Comparative Study of iOS and Android Apps
Authors:
Konrad Kollnig,
Anastasia Shuba,
Reuben Binns,
Max Van Kleek,
Nigel Shadbolt
Abstract:
While many studies have looked at privacy properties of the Android and Google Play app ecosystem, comparatively much less is known about iOS and the Apple App Store, the most widely used ecosystem in the US. At the same time, there is increasing competition around privacy between these smartphone operating system providers. In this paper, we present a study of 24k Android and iOS apps from 2020 along several dimensions relating to user privacy. We find that third-party tracking and the sharing of unique user identifiers was widespread in apps from both ecosystems, even in apps aimed at children. In the children's category, iOS apps tended to use fewer advertising-related tracking than their Android counterparts, but could more often access children's location. Across all studied apps, our study highlights widespread potential violations of US, EU and UK privacy law, including 1) the use of third-party tracking without user consent, 2) the lack of parental consent before sharing personally identifiable information (PII) with third-parties in children's apps, 3) the non-data-minimising configuration of tracking libraries, 4) the sending of personal data to countries without an adequate level of data protection, and 5) the continued absence of transparency around tracking, partly due to design decisions by Apple and Google. Overall, we find that neither platform is clearly better than the other for privacy across the dimensions we studied.
Submitted 19 December, 2021; v1 submitted 28 September, 2021;
originally announced September 2021.
-
A Fait Accompli? An Empirical Study into the Absence of Consent to Third-Party Tracking in Android Apps
Authors:
Konrad Kollnig,
Reuben Binns,
Pierre Dewitte,
Max Van Kleek,
Ge Wang,
Daniel Omeiza,
Helena Webb,
Nigel Shadbolt
Abstract:
Third-party tracking allows companies to collect users' behavioural data and track their activity across digital devices. This can put deep insights into users' private lives into the hands of strangers, and often happens without users' awareness or explicit consent. EU and UK data protection law, however, requires consent, both 1) to access and store information on users' devices and 2) to legitimate the processing of personal data as part of third-party tracking, as we analyse in this paper.
This paper further investigates whether and to what extent consent is implemented in mobile apps. First, we analyse a representative sample of apps from the Google Play Store. We find that most apps engage in third-party tracking, but few obtained consent before doing so, indicating potentially widespread violations of EU and UK privacy law. Second, we examine the most common third-party tracking libraries in detail. While most acknowledge that they rely on app developers to obtain consent on their behalf, they typically fail to put in place robust measures to ensure this: disclosure of consent requirements is limited; default consent implementations are lacking; and compliance guidance is difficult to find, hard to read, and poorly maintained.
Submitted 18 June, 2021; v1 submitted 17 June, 2021;
originally announced June 2021.
-
I Want My App That Way: Reclaiming Sovereignty Over Personal Devices
Authors:
Konrad Kollnig,
Siddhartha Datta,
Max Van Kleek
Abstract:
Dark patterns in mobile apps take advantage of cognitive biases of end-users and can have detrimental effects on people's lives. Despite growing research in identifying remedies for dark patterns and established solutions for desktop browsers, there exists no established methodology to reduce dark patterns in mobile apps. Our work introduces GreaseDroid, a community-driven app modification framework enabling non-expert users to disable dark patterns in apps selectively.
Submitted 23 February, 2021;
originally announced February 2021.
-
Perceptions of YouTube's political influence
Authors:
Yury Kolotaev,
Konrad Kollnig
Abstract:
YouTube plays an ever more important role as a political medium. Yet, the implications are to-date not well understood and difficult to analyse, since access to YouTube's statistics is limited. To address this gap, we surveyed 124 people about their views and experiences around YouTube's political influence. Our results revealed diverse, sometimes conflicting views on YouTube's growing political role, and highlight the need for more research, discussion and possibly regulation.
Submitted 9 December, 2020;
originally announced December 2020.