ABSTRACT
EU data protection laws grant consumers the right to access the personal data that companies hold about them. In a first-of-its-kind longitudinal study, we examine how service providers have complied with subject access requests over four years. In three iterations between 2015 and 2019, we sent subject access requests to vendors of 225 mobile apps popular in Germany. Throughout the iterations, 19 to 26% of the vendors were unreachable or did not reply at all. Our subject access requests were fulfilled in 15 to 53% of the cases, with an unexpected decline between the GDPR enforcement date and the end of our study. The remaining responses exhibit a long list of shortcomings, including severe violations of information security and data protection principles. Some responses even contained deceptive and misleading statements (7 to 13%). Further, 9% of the apps were discontinued and 27% of the user accounts vanished during our study, mostly without proper notification about the consequences for our personal data. While we observe improvements for selected aspects over time, the results indicate that subject access request handling will be unsatisfactory as long as vendors accept such requests via email and process them manually.
How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps