Apple’s app tracking transparency should make it easier for Apple users to see which apps are collecting personal data. That’s because Apple introduced accompanying charts in which developers have to indicate what kind of data they collect. However, a German researcher’s analysis now shows that many of these disclosures are misleading. However, according to researcher Kollnig, the problem lies neither with Apple nor with developers.
- Analysis shows: 80% of the apps studied that claimed not to pass on personal data did so after all.
- According to researcher Konrad Kollnig, the problem is app libraries that automatically forward user data.
- Responsibility, therefore, lies with large corporations such as Google.
- This may cause problems with existing data protection laws in Europe.
Along with app tracking transparency, Apple launched an attempt to make the collection of personal data more transparent in 2021. Since then, if developers want to make their apps available for download in the AppStore for iPhones and iPads, they must state whether the app collects or forwards user data. However, the analysis by researcher Konrad Kollnig for Netzpolitik shows that the calculation does not add up in the end.
As part of his doctoral thesis, Kollnig examined 1,682 randomly selected apps, 373 of which claimed not to collect any personal data. The researcher launched the apps in his experimental setup and then examined traffic through a man-in-the-middle proxy. So he inserted himself between an iPhone 8 running iOS 15.2 and the servers to see where his usage data ended up. The result: 80% of the apps that said they didn’t forward personal data did.
The problem is app libraries – and the GDPR.
According to Kollnig however, the responsibility does not necessarily lie with the app developers. According to Netzpolitik, they rely on app libraries – comparable to prefabricated building blocks for construction – for development, which they can’t really view themselves. And the tracking code is hidden in these libraries, says Alexander Fanta for Netzpolitik. In return for using these libraries, developers receive revenue, which companies like Google, in turn, utilize for personalized advertising.
So while developers are in a bit of a vulnerable position and Apple relies on their information, the need for action lies with the corporations that offer app libraries in a non-transparent manner.
In Europe, such business practices violate the GDPR (General Data Protection Regulation), a set of laws and regulations that protect the privacy rights of users. Kollnig sees an opportunity here to improve data protection for individuals. For a change, “existing EU data protection law must be consistently implemented in practice,” Netzpolitik quotes Kollnig at the end of the report.
What do you think about the results of the analysis? Does it worry you? Would you like to see something similar to the GDPR in the US?