People start to wake up to the pervasive third-party tracking that comes with 90% of Android apps

It will hardly be news to readers of this site that mobile apps are tracking us on a massive scale. And yet a story in the New York Times last month about how apps are routinely monitoring users and their geographical position seems to have shocked many.

Indeed, Los Angeles prosecutors were moved by the news to sue the operators of the Weather Channel app, which is owned by IBM:

The operator of the Weather Channel mobile app misled users who agreed to share their location information in exchange for personalized forecasts and alerts, and they instead unwittingly surrendered personal privacy when the company sold their data to third parties, the city attorney, Michael Feuer, said.

According to Feuer, 80% of users agreed to allow access to their locations because details about how the app uses geolocation data were buried within a 10,000-word privacy policy that few read, and that was not made explicit when they downloaded the app. Despite the outrage, the report in the New York Times is only the tip of the iceberg. Back in October, a group of researchers found that 90% of the 959,000 apps from the US and UK Google Play stores that they studied had at least one tracker; 170,000 apps had more than twenty trackers.

Apps aimed at children were particularly bad from this point of view. Although troubling, it’s hard to tell how serious that tracking is from raw numbers alone – it might be quite harmless. That makes new research from Privacy International welcome.

It looks in greater detail at the 400,000 apps on the Google Play store that researchers found could share data with Facebook. Facebook is the second most important tracking company after Google, which itself is able to track users of some 800,000 apps. Privacy International found that 61% of those 400,000 apps automatically transfer data to Facebook the moment a user opens them.

This happens whether or not people have a Facebook account, and regardless of whether they are logged into Facebook or not. In addition, those apps send a unique identifier, the Google advertising ID, to Facebook. This is extremely problematic, because it renders data aggregation and the construction of data profiles much easier.

By drawing on the particularities of each app, and bringing in other information, for example from data brokers, it is possible to create an extremely revealing picture of the person with that identifier. In addition, Privacy International wrote:

We also found that some apps routinely send Facebook data that is incredibly detailed and sometimes sensitive. Again, this concerns data of people who are either logged out of Facebook or who do not have a Facebook account.

A prime example is the travel search and price comparison app “KAYAK”, which sends detailed information about people’s flight searches to Facebook, including: departure city, departure airport, departure date, arrival city, arrival airport, arrival date, number of tickets (including number of children), class of tickets (economy, business or first class).

Privacy International is a UK-based organization, and is therefore naturally interested in the extent to which this tracking activity complies with the EU’s General Data Protection Regulations (GDPR), which came into force last year. A section of its report examines the ways in which the information shared by apps with Facebook and other third parties is problematic, and may be illegal. It is likely that cases will be brought to EU courts to clarify this aspect, building on earlier national investigations into Facebook’s practices, reported previously here on Privacy News Online.

Of more general interest is what can be done to minimize tracking by third-party Android apps. Here’s one problem that Privacy International identified:

Facebook’s Cookies Policy describes two ways in which people who do not have a Facebook account can control Facebook’s use of cookies to show them ads. Privacy International has tested both opt-outs and found that they had no discernible impact on the data sharing that we have described in this report.

Given that Facebook’s “official” tips on how to turn off tracking seem not to work, it’s helpful that Privacy International includes others that are more effective:

Reset your advertising ID regularly – this won’t stop you from being tracked and profiled, but it can nonetheless temporarily limit the invasiveness of your profile.

This can be found on most Android devices under, Settings > Google > Ads > Reset Advertising ID. Limit ad personalization by opting out of ad personalization in the Android settings. This can be found on most Android devices under, Settings > Google > Ads > Opt out of personalized Advertising.

The first of these is particularly important.

The global reach of Google means that its advertising ID is widely used. By resetting it regularly, it is possible to fragment the databases that are being built up about individuals. One of the biggest threats to privacy is the creation of unified databases that aggregate myriad kinds of information.

For example, linking data together in this way is one of the easiest techniques for de-anonymizing supposedly anonymous datasets. Fragmentation makes that harder. Privacy International’s suggestions aren’t perfect solutions to the pervasive tracking by third-party Android apps, but are worth using until better solutions come along.

After all, it’s going to be a while before this issue is resolved. At least people are finally waking up to the problem on Android. As far as the iPhone is concerned, detailed analysis of the kind carried out for the Android ecosystem is lacking.

The researchers who produced the main work on the Google Play Stores last year wrote in their paper: “We did not study the Apple iOS App Store because there are no equivalently scalable iOS app collection and analysis methods”. Despite this paucity of data, it’s unlikely that the situation is much better with Apple given the ad industry’s dependence on tracking. This isn’t about which operating system you use, but about the entire mobile app ecosystem – and the deeply troubling fact that its main business model is based on undermining our privacy.

That needs to change. Featured image by Bruce.

About Glyn Moody

Glyn Moody is a freelance journalist who writes and speaks about privacy, surveillance, digital rights, open source, copyright, patents and general policy issues involving digital technology. He started covering the business use of the Internet in 1994, and wrote the first mainstream feature about Linux, which appeared in Wired in August 1997.

His book, “Rebel Code,” is the first and only detailed history of the rise of open source, while his subsequent work, “The Digital Code of Life,” explores bioinformatics – the intersection of computing with genomics.

You may also like...