Apps are sharing more of your data with ad industry than you may think

GDPR? The California Consumer Privacy Act (CCPA)?
HA!
Those laws aren’t doing squat to protect us from the digital marketing and adtech industry, according to a new report from the Norwegian Consumer Council (NCC).
What chance do laws stand against policing what the NCC describes as a shadowy network of companies, “virtually unknown to consumers,” with which popular apps are sharing exquisitely personal behavior/interest/activities/habits data, including our religious preference, menstruation cycle, location data, sexual orientation, political views, drug use, birthday, the unique IDs associated with our smartphones, and more?
The current situation is “completely out of control, harming consumers, societies, and businesses,” the NCC writes, as evidence continues to mount against what it calls “the commercial surveillance systems” at the heart of online advertising.
There’s little restraining the industry from bombarding us with constant, mostly unavoidable privacy invasion, the Commission says:

The multitude of violations of fundamental rights are happening at a rate of billions of times per second, all in the name of profiling and targeting advertising. It is time for a serious debate about whether the surveillance-driven advertising systems that have taken over the internet, and which are economic drivers of misinformation online, is a fair trade-off for the possibility of showing slightly more relevant ads.
The comprehensive digital surveillance happening across the ad tech industry may lead to harm to both individuals, to trust in the digital economy, and to democratic institutions.

Out of control

The purpose of the in-depth report – titled “Out of Control” – was to expose how large parts of the vast digital marketing/adtech industry works. To do so, the NCC collaborated with the cybersecurity company Mnemonic, which analyzed data traffic from ten popular Android apps (which are also all available on iPhones) that they chose because the apps were likely to have access to highly personal information.
There are big names in the chosen crop of apps. Given the apps’ popularity, NCC says that it regards the findings to be representative of widespread practices in the adtech industry. The apps:

• Grindr (dating)
• OkCupid (dating)
• Tinder (dating)
• Clue (period tracking)
• MyDays (period tracking)
• Perfect365 (virtual makeup)
• My Talking Tom 2 (children’s game)
• Qibla Finder (app that shows Muslims where to face while praying)
• Happn (dating)
• Wave Keyboard (keyboard themes)

Some of the key findings about the traffic coming from those apps:

1. All of the tested apps share user data with multiple third parties, and all but one share data beyond the device advertising ID, including a user’s IP address and GPS position; personal attributes such as gender and age; and app activities such as GUI events. The report says that that information can often be used to infer things such as sexual orientation or religious belief.
2. Grindr, a gay dating app, shares detailed user data with many third parties, including IP address, GPS location, age, and gender. Such sharing is tucked away where we can’t see it: by using the MoPub monetization platform (owned by Twitter) as a mediator, the data sharing is “highly opaque,” the report says, given that neither the third parties nor the information transmitted are known in advance. The investigators also found that MoPub can dynamically enrich the data shared with other parties.
3. Perfect365 also shares user data with “a very large number” of third parties, including advertising ID, IP address, and GPS position. The report says that it’s as if the app had been built “to collect and share as much user data as possible.”
4. MyDays shares a user’s GPS location with multiple parties, and OkCupid shares users’ detailed personal questions and answers with Braze, a mobile marketing automation and customer “engagement” platform: this kind of platform is part of the industry that creates profiles that get the “right message” to the consumer at their “most receptive” moment.

Cumulatively, the ten analyzed apps were observed transmitting user data to at least 135 different third parties involved in advertising and/or behavioral profiling. The adtech industry uses the information to track us over time and across devices, in order to stitch together comprehensive profiles about individual consumers. They use those profiles and groups to target marketing, but the NCC points out that such profiles can also be used to discriminate, manipulate and exploit people.

It goes well beyond mobile apps

The adtech industry extends across different media, including websites, smart devices and mobile apps, but the NCC chose to focus on how the industry works when it comes to mobile apps.
Beyond the apps themselves are the scores of tributaries to which flows the data the apps collect and share. These are the third parties that the report traced in its analysis of data flow from those ten apps:
Location data brokers: Fysical, Safegraph, Fluxloop, Unacast, Placer, Placed/Foursquare. Never heard of them? If not, you likely don’t work in the adtech industry. Plain old consumers aren’t even aware the system exists, let alone who the players are. They may have thousands of points of data on us, but we’re kept in the dark, walled off by lengthy, legalistic privacy policies, middleman companies, plus the fact that most of us don’t know how to perform a technical analysis of app traffic.
Behavioral personalization and targeting companies: Another group that’s below the radar: Mnemonic traced data flowing to the companies Receptiv/Verve, Neura, Braze, and LeanPlum.
Systemic oversharing. There’s systemic over-collecting and oversharing throughout the industry, the NCC says. Though not all of the data transmissions Mnemonic analyzed included excessive personal data such as GPS location, put all of the data together, and you can create detailed pictures of individuals. That’s the nature of Big Data: even purportedly “anonymized” data points can be strung together to figure out exactly who we are.
You can also fingerprint devices, given that adtech liberally shares device information and metadata, such as phone model, current battery level, screen resolution and screen metadata, and information about the consumer’s mobile carrier. Examples are the dating apps OkCupid and Grindr and the kids’ game My Talking Tom 2, which all transmitted the Android Advertising ID and various metadata to AppsFlyer. a company that claims to leverage insights from “8.4 billion of the world’s connected devices”.
AppsFlyer also picked up data from Tinder on users’ Advertising ID, GPS coordinates, birthday, gender, and “target gender” – i.e., data on sexual orientation.
Good luck opting out: even after Grindr users opted out of personalized ads, the app still sent their advertising IDs, combined with their devices’ IP addresses. OKCupid also sent AppsFlyer detailed sensor data from a device’s magnetometer, gyroscope and accelerometer.
Google and Facebook. Though the industry is packed with companies that are virtually unknown to consumers, by far the biggest actors are these two household names.
Their penetration of adtech is beyond the scope of the NCC’s report, it said, but Mnemonic couldn’t help but observe the floods of data the mobile apps sent these voracious data collectors. All of the apps except Clue and Grindr were observed interacting with Google’s advertising service DoubleClick. Every app transmitted data to various parts of the Google system, and all of them had integrated various Google SDKs, including Google Ads, Google Crashlytics, and Google Firebase. Some of that data transfer may be due to the Android operating system being a Google service, but it’s tough to know “where Google as a service-provider ends and where Google as an advertising service begins,” the report said.
All of the apps except MyDays sent the Advertising ID to Facebook’s graph API, and every app except Clue had integrated a Facebook SDK. That means that Facebook can potentially track consumers through the apps, even if the consumer doesn’t have a Facebook account.

What about data privacy laws?

How are these data-sharing processes legal? Under the EU’s General Data Protection Regulation (GDPR), organizations are required to ensure that only personal data that are necessary for each specific purpose of the processing are processed, and that personal data must only be processed for specified, explicit, and legitimate purposes. In other words, data protection has to be baked in, by design and default.
How does the GDPR’s requirements jibe with the systematic, pervasive background profiling of app users the NCC’s analysis found, where, for example, some apps were found to be sharing personal data by default, requiring users to actively hunt for a tucked-away setting to try to prevent tracking and profiling?
From the report:

The extent of tracking and complexity of the ad tech industry is incomprehensible to consumers, meaning that individuals cannot make informed choices about how their personal data is collected, shared and used. Consequently, the massive commercial surveillance going on throughout the ad tech industry is systematically at odds with our fundamental rights and freedoms.

The GDPR states that where user consent is required to process personal data, it has to be informed, freely given and specific. The analyzed apps weren’t doing that, the report found:

In the cases described in this report, none of the apps or third parties appear to fulfill the legal conditions for collecting valid consent. Data subjects are not informed of how their personal data is shared and used in a clear and understandable way, and there are no granular choices regarding use of data that is not necessary for the functionality of the consumer-facing services.

The industry may well defend its practices on the basis of “legitimate interests,” but the NCC argues that app users “cannot have a reasonable expectation for the amount of data sharing and the variety of purposes their personal data is used for in these cases.”
Besides which, the report pointed out, there are other ways to do digital advertising that don’t rely on third parties getting users’ personal data, such as contextual advertising.

Even if advertising is necessary to provide services free of charge, these violations of privacy are not strictly necessary in order to provide digital ads. Consequently, it seems unlikely that the legitimate interests that these companies may claim to have can be demonstrated to override the fundamental rights and freedoms of the data subject.

Thus, the report suggests, many of the third parties that collect consumer data for things such as behavioral profiling, targeted advertising and real-time bidding may be in breach of the GDPR.
TechCrunch reached out to Ireland’s Data Protection Commission (DPC) and the UK’s Information Commissioner’s Office (ICO) for comment on the NCC’s report. The DPC didn’t reply – perhaps because it’s got a backlog of pending investigations into GDPR violations, including a probe into whether Google’s processing of personal data as part of its Ad Exchange is breaching GDPR rules.
As for the ICO, a spokeswoman sent TechCrunch the statement below, from Simon McDougall, its executive director for technology and innovation. McDougall says that the ICO is prioritizing its scrutiny of the adtech industry’s use of personal data, but as TechCrunch points out, nowhere will you find the word “enforcement.”
Still, keep your eyes out for “next steps,” to be discussed soon, the ICO says:

Over the past year we have prioritised engagement with the adtech industry on the use of personal data in programmatic advertising and real-time bidding.
Along the way we have seen increased debate and discussion, including reports like these, which factor into our approach where appropriate. We have also seen a general acknowledgment that things can’t continue as they have been.
Our 2019 update report into adtech highlights our concerns, and our revised guidance on the use of cookies gives greater clarity over what good looks like in this area.
Whilst industry has welcomed our report and recognises change is needed, there remains much more to be done to address the issues. Our engagement has substantiated many of the concerns we raised and, at the same time, we have also made some real progress.
Throughout the last year we have been clear that if change does not happen we would consider taking action. We will be saying more about our next steps soon – but as is the case with all of our powers, any future action will be proportionate and risk-based.