Your Data is Shared Through Apps with the Ad Industry More Than You May Think
The GDPR and CCPA are ineffective in safeguarding individuals from the practices of the digital marketing and ad tech industry, as per a recent report by the Norwegian Consumer Council (NCC).
The NCC refers to a clandestine web of businesses, which are relatively unfamiliar to consumers.
These well-known apps are divulging extremely personal information about our behavior, interests, activities, and habits, which include details about our religious beliefs, menstrual cycles, location data, sexual orientation, political opinions, drug usage, birth date, unique identifiers linked to our smartphones, and other personal data.
According to a recent report by the Norwegian Consumer Council (NCC), the GDPR and CCPA are ineffective in protecting individuals from the practices of the digital marketing and ad tech industry.
The NCC identifies a hidden network of businesses that are mostly unknown to consumers.
Popular applications are sharing intimate details about our behavior, interests, activities, and habits, such as our religious beliefs, menstrual cycles, location data, sexual orientation, political views, drug use, birth date, unique identifiers associated with our smartphones, and other sensitive personal information.
Out of Control
The Norwegian Consumer Council (NCC) collaborated with cybersecurity firm Mnemonic to publish an in-depth report titled “Out of Control,” which aimed to expose the workings of the vast digital marketing/ad tech industry.
The report analyzed data traffic from ten popular Android apps (also available on iPhones) chosen by Mnemonic for their potential access to highly personal information.
The selected apps included popular names such as Grindr, OkCupid, Tinder, Clue, MyDays, Perfect365, My Talking Tom 2, Qibla Finder, Happn, and Wave Keyboard.
According to the NCC, these findings represent widespread practices in the adtech industry due to the apps’ popularity.
Some of the key findings about the traffic coming from those apps:
- All of the tested apps share user data with multiple third parties, and all but one share data beyond the device advertising ID, including a user’s IP address and GPS position; personal attributes such as gender and age; and app activities such as GUI events. The report says that information can often be used to infer things such as sexual orientation or religious belief.
- Grindr, a gay dating app, shares detailed user data with any third parties, including IP address, GPS location, age, and gender. Such sharing is tucked away where we can’t see it: by using the MoPub monetization platform (owned by Twitter) as a mediator, the data sharing is “highly opaque,” the report says, given that neither the third parties nor the information transmitted is known in advance. The investigators also found that MoPub can dynamically enrich the data shared with other parties.
- Perfect365 also shares user data with “a very large number” of third parties, including advertising ID, IP address, and GPS position. The report says that it’s as if the app had been built “to collect and share as much user data as possible.”
- MyDays shares a user’s GPS location with multiple parties, and OkCupid shares users’ detailed personal questions and answers with Braze, a mobile marketing automation, and customer “engagement” platform: this kind of platform is part of the industry that creates profiles that get the “right message” to the consumer at their “most receptive” moment.
Cumulatively, the ten analyzed apps were observed transmitting user data to at least 135 different third parties involved in advertising and/or behavioral profiling.
The adtech industry uses the information to track us over time and across devices, in order to stitch together comprehensive profiles about individual consumers.
They use those profiles and groups to target marketing, but the NCC points out that such profiles can also be used to discriminate, manipulate and exploit people.
It goes well beyond mobile apps
The adtech industry extends across different media, including websites, smart devices, and mobile apps, but the NCC chose to focus on how the industry works when it comes to mobile apps.
Beyond the apps themselves are the scores of tributaries to which flow the data the apps collect and share.
These are the third parties that the report traced in its analysis of data flow from those ten apps:
Location data brokers: Fysical, Safegraph, Fluxloop, Unacast, Placer, Placed/Foursquare. Never heard of them? If not, you likely don’t work in the adtech industry.
Plain old consumers aren’t even aware the system exists, let alone who the players are. They may have thousands of points of data on us, but we’ve been kept in the dark, walled off by lengthy, legalistic privacy policies, middleman companies, plus the fact that most of us don’t know how to perform a technical analysis of app traffic.
Behavioral personalization and targeting companies: Another group that’s below the radar: Mnemonic traced data flowing to the companies Receptiv/Verve, Neura, Braze, and LeanPlum.
Systemic oversharing. There’s systemic over-collecting and oversharing throughout the industry, the NCC says.
Though not all of the data transmissions Mnemonic analyzed included excessive personal data such as GPS location, put all of the data together, and you can create detailed pictures of individuals.
That’s the nature of Big Data: even purportedly “anonymized” data points can be strung together to figure out exactly who we are.
In regards to device information and metadata, adtech companies have the ability to fingerprint devices since this information is freely shared.
Information like phone model, battery level, screen resolution, screen metadata, and mobile carrier is shared, which allows companies to create a detailed picture of individuals.
Apps like OkCupid, Grindr, and My Talking Tom 2 all shared Android Advertising ID and metadata with AppsFlyer, a company that leverages insights from billions of connected devices.
Dating apps for those looking for love like Tinder sent even more personal data like GPS coordinates, birthdays, gender, and sexual orientation.
Despite attempts to opt-out of personalized ads, Grindr still sent advertising IDs and IP addresses.
OKCupid went as far as to send detailed sensor data from a device’s magnetometer, gyroscope, and accelerometer.
While there are many unknown companies in the adtech industry, Google and Facebook are the two biggest players.
All apps except Clue and Grindr were observed interacting with Google’s advertising service DoubleClick, and each app had integrated various Google SDKs.
All apps except MyDays sent the Advertising ID to Facebook’s graph API, and each app except Clue had integrated a Facebook SDK. This allows Facebook to track consumers through the apps, even if they don’t have a Facebook account.
The report by the NCC stated that it was challenging to distinguish between Google’s service-provider and advertising service.
What about Data Privacy Laws?
How are these data-sharing processes legal? According to the EU’s General Data Protection Regulation (GDPR), organizations must ensure that they only process personal data that is necessary for specific purposes, and that data protection is integrated into the design and default settings of their services.
However, the NCC’s analysis found that many apps were engaging in systematic and pervasive background profiling of their users, with some apps sharing personal data by default and requiring users to hunt for a hidden setting to prevent tracking and profiling.
This raises questions about whether these practices comply with the GDPR’s requirements. The regulation stipulates that user consent must be informed, freely given, and specific and that users must have granular choices about the use of their data.
Yet the analyzed apps were not meeting these standards, with users not being fully informed about how their personal data was being shared and used, and no granular choices being offered for data that was not necessary for the app’s functionality.
While the adtech industry may argue that its practices are justified by “legitimate interests,” the NCC maintains that app users cannot reasonably expect the level of data sharing and variety of purposes that their personal data is being used for in these cases.
These practices, therefore, conflict with fundamental rights and freedoms.
Besides this, the report pointed out, there are other ways to do digital advertising that doesn’t rely on third parties getting users’ personal data, such as contextual advertising.
Even if advertising is necessary to provide services free of charge, these violations of privacy are not strictly necessary in order to provide digital ads.
Consequently, it seems unlikely that the legitimate interests that these companies may claim to have can be demonstrated to override the fundamental rights and freedoms of the data subject.
According to the report, many third parties involved in collecting consumer data for behavioral profiling, targeted advertising, and real-time bidding may be violating GDPR regulations.
TechCrunch contacted Ireland’s Data Protection Commission and the UK’s Information Commissioner’s Office for their comments on the report.
While the DPC did not respond, the ICO’s executive director for technology and innovation, Simon McDougall, issued a statement acknowledging the ICO’s focus on examining the ad tech industry’s use of personal data.
However, the statement did not mention any enforcement actions being taken.
The NCC’s report suggests that numerous third-party entities collecting consumer data for behavioral profiling, targeted advertising, and real-time bidding might be breaching GDPR regulations.
TechCrunch reached out to Ireland’s Data Protection Commission and the UK’s Information Commissioner’s Office for their responses. The DPC did not reply, while the ICO’s executive director for technology and innovation, Simon McDougall, issued a statement acknowledging the ICO’s prioritization of scrutinizing the ad tech industry’s use of personal data.
However, the statement did not reference any enforcement measures being implemented.