Many apps fail to disclose the collection and sharing of sensitive data
By Daniel Tkacik
If you use an Android phone and its apps, a coin flip can likely tell you whether your location is being tracked without the practice being disclosed in the app’s privacy policy, if it even has one.
Many apps do not have a privacy policy, even though 71% of those apps appear to collect sensitive data that requires having a policy under regulations such as the California Online Privacy Protection Act. These findings were reported last month by a team of researchers from Carnegie Mellon University’s Institute for Software Research (ISR) and CyLab Security and Privacy Institute.
“We found that 49 percent of apps that seem to track users’ location do not have a privacy policy and 41% of apps that have a policy either did not disclose that activity or the privacy policy said the app did not do so,” said Sebastian Zimmeck, a post-doctoral researcher in CyLab and ISR in Carnegie Mellon’s School of Computer Science (SCS).
Zimmeck presented the study at the Network & Distributed System Security Symposium in San Diego, California. The study was conducted along with SCS Prof. Norman Sadeh and several other researchers working in Sadeh’s research group.
To conduct the study, the team of researchers developed an automated analysis system that compares text from an app’s privacy policy with the app’s source code. The system then looks for discrepancies between what is claimed in the app’s privacy policy and what the code of the app suggests it is actually doing.
“Of the 17,991 apps we looked at, we found that one third of them didn’t have a privacy policy to begin with, and that they would need one because they are processing personally identifiable information that requires them to have a policy according to certain laws,” Zimmeck said.
To ensure accuracy, the team did a manual analysis of 40 pairs of apps and their policies, and found that the automatic process had found very similar discrepancies. The authors note that since the automatic analysis depends on the particular jurisdiction under which it is conducted, interpretation could vary.
Zimmeck said he was “surprised” by the number of discrepancies between apps’ privacy policies and their actual behavior.
“In general, these discrepancies do not appear to be intentional or malicious,” said Zimmeck.
Sadeh, who also directs the Mobile Commerce Lab at Carnegie Mellon and teaches Mobile and IoT, has supervised several hundred teams of app developers over the years.
“The discrepancies reflect a lack of sophistication among developers when it comes to understanding legal requirements associated with privacy policies,” Sadeh said. “To many developers, Android looks like a monolithic framework. They do not realize that when they use third party libraries such as Google Maps, they are actually sharing sensitive data with third parties.”
Sadeh further argues that the App Store model empowers a large number of people to develop apps, but lacks tools to help developers, especially when it comes to helping them comply with privacy requirements.
“The onus should be on the Android and iOS platforms to make such tools available to developers,” Sadeh said.
This research was funded by the National Science Foundation under the Usable Privacy Policy Project and the DARPA Brandeis project on “Personalized Privacy Assistants,” both led by Sadeh.