Did App Privacy Improve After the GDPR?

Momen, Nurul; Hatamian, Majid; Fritsch, Lothar

doi:10.1109/msec.2019.2938445

Cited by 40 publications

(21 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…While privacy and security aspects of mobile apps have received a lot of research attention in recent years [3,15,21,30,31], little is yet known about the behavior of app vendors when it comes to fulfilling data subject requests, especially not with the GDPR being in effect.…”

Section: Related Workmentioning

confidence: 99%

How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps

Kröger

Lindemann

Herrmann

2020

Proceedings of the 15th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

EU data protection laws grant consumers the right to access the personal data that companies hold about them. In a first-of-itskind longitudinal study, we examine how service providers have complied with subject access requests over four years. In three iterations between 2015 and 2019, we sent subject access requests to vendors of 225 mobile apps popular in Germany. Throughout the iterations, 19 to 26 % of the vendors were unreachable or did not reply at all. Our subject access requests were fulfilled in 15 to 53 % of the cases, with an unexpected decline between the GDPR enforcement date and the end of our study. The remaining responses exhibit a long list of shortcomings, including severe violations of information security and data protection principles. Some responses even contained deceptive and misleading statements (7 to 13 %). Further, 9 % of the apps were discontinued and 27 % of the user accounts vanished during our study, mostly without proper notification about the consequences for our personal data. While we observe improvements for selected aspects over time, the results indicate that subject access request handling will be unsatisfactory as long as vendors accept such requests via email and process them manually. CCS CONCEPTS • Security and privacy → Social aspects of security and privacy; Privacy protections; • Social and professional topics → Privacy policies.

show abstract

Section: Related Workmentioning

confidence: 99%

How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps

Kröger

Lindemann

Herrmann

2020

Proceedings of the 15th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

show abstract

“…15), the right to rectification and erasure (Art. 16,17), the right to restrict processing (Art. 18), the right to data portability (Art.…”

Section: ) User's Rightsmentioning

confidence: 99%

“…Regulations such as the European Union General Data Protection Regulation (EU GDPR), ePrivacy Directive and Regulation are already calling for actions to somehow revamp this situation. But there is still a huge gap between the legal nature of privacy and security principles (in the context of smartphone apps) and the technical implementation of those principles [17]. In other words, a privacy engineering perspective is needed to fill the gap between secure mobile app development and legal privacy principles needed to be followed by developers.…”

Section: Introductionmentioning

confidence: 99%

Engineering Privacy in Smartphone Apps: A Technical Guideline Catalog for App Developers

Hatamian

2020

IEEE Access

Self Cite

View full text Add to dashboard Cite

With the rapid growth of technology in recent years, we are surrounded by or even dependent on the use of technological devices such as smartphones as they are now an indispensable part of our life. Smartphone applications (apps) provide a wide range of utilities such as navigation, entertainment, fitness, etc. To provide such context-sensitive services to users, apps need to access users' data including sensitive ones, which in turn, can potentially lead to privacy invasions. To protect users against potential privacy invasions in such a vulnerable ecosystem, legislation such as the European Union General Data Protection Regulation (EU GDPR) demands best privacy practices. Therefore, app developers are required to make their apps compatible with legal privacy principles enforced by law. However, this is not an easy task for app developers to comprehend purely legal principles to understand what needs to be implemented. Similarly, bridging the gap between legal principles and technical implementations to understand how legal principles need to be implemented is another barrier to develop privacy-friendly apps. To this end, this paper proposes a privacy and security design guide catalog for app developers to assist them in understanding and adopting the most relevant privacy and security principles in the context of smartphone apps. The presented catalog is aimed at mapping the identified legal principles to practical privacy and security solutions that can be implemented by developers to ensure enhanced privacy aligned with existing legislation. Through conducting a case study, it is confirmed that there is a significant gap between what developers are doing in reality and what they promise to do. This paper provides researchers and developers of privacy-related technicalities an overview of the characteristics of existing privacy requirements needed to be implemented in smartphone ecosystems, on which they can base their work.

show abstract

“…Several prior works pointed out this problem that mostly put emphasis on apps' data access potential, frequency, consequences and privacy implications which can be identified as parameters to define apps' privacy-friendliness [16,17,20,22,35,[37][38][39]50].…”

Section: App Behavior and Privacy Friendlinessmentioning

confidence: 99%

Nudging the User with Privacy Indicator: A Study on the App Selection Behavior of the User

Bock

Momen

2020

Proceedings of the 11th Nordic Conference on Human-Computer Interaction: Shaping Experiences, Shaping Society

Self Cite

View full text Add to dashboard Cite

This paper presents an empirical study on user behavior, decision making, and perception about privacy concern while selecting apps. An app store demo was presented to the user with a minor modification-a privacy indicator for each app. After carrying out several tasks using this modified mobile interface, participants were interviewed to document reasons behind their decisions, thought process, and perception regarding individual privacy. A total of 82 adults volunteered under the pretext of a usability study. A significant influence of the privacy indicator on their app selection behavior was observed, although this influence decreased in case of familiar apps. Furthermore, responses from questionnaires, data from eye-tracking device and documented interviews, with video confrontation showed coherence with respect to the corresponding app selection behavior.CCS Concepts: • Security and privacy → Privacy protections; Usability in security and privacy; • Human-centered computing → Empirical studies in ubiquitous and mobile computing.

show abstract

Did App Privacy Improve After the GDPR?

Abstract: This is the accepted version of a paper published in IEEE Security and Privacy. This paper has been peer-reviewed but does not include the final publisher proof-corrections or journal pagination.

Cited by 40 publications

References 9 publications

How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps

How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps

Engineering Privacy in Smartphone Apps: A Technical Guideline Catalog for App Developers

Nudging the User with Privacy Indicator: A Study on the App Selection Behavior of the User

Contact Info

Product

Resources

About