Abstract:
Under the General Data Protection Regulation (GDPR), mobile app developers are required to inform users of necessary information at the time when user data is collected (called users’ “Right-to-be-Informed”). This is typically done by app developers via providing runtime privacy notices (RPNs for short). However, given the heterogeneous privacy data types and data access patterns in modern apps, it is not clear to what extent apps (app developers) effectively fulfill this compliance requirement in practice.
In this paper, we perform the first systematic study of current RPN practices in mobile apps. Our research endeavors to comprehend (1) the ecosystem of RPN, (2) potential gaps between legal requirements and RPN practices, and (3) the underlying reasons for such gaps. To achieve this, we design an automated pipeline - RENO that can effectively identify, extract, and analyze RPN at a large scale. With the help of RENO, we investigated 4,656 mobile apps selected from 19 European Union countries. Our analysis reveals a number of interesting findings. For example, 77.10% of user data collection behaviors lack RPNs. Among those provided RPNs, 86.35% of them have no more than three required notice elements when GDPR requires seven. In addition, to further understand the reasons behind such gaps, we perform a notification campaign and ask for feedback from the app developers. Indeed, the collected responses highlighted several critical reasons. For instance, a substantial proportion of app developers regard RPN as an optional complement to their privacy policies as RPNs are not strictly enforced by app stores. Our study shows the pressing need for better transparency in user data collection delivered by RPN.