Google recently introduced data safety labels for #Android on the #PlayStore, meant to allow users to look at the data that an app collects and shares before installing it. #privacy

We took a closer look at what 43,927 popular apps say in their labels and whether their declarations are true.

https://www.datarequests.org/blog/android-data-safety-labels-analysis/

Worrying confessions: A look at data safety labels on Android · datarequests.org

We analyzed the new data safety section on the Google Play Store and found popular apps admitting to collecting and sharing highly sensitive data for advertising and tracking. More than one quarter of apps transmitted tracking data not declared in their data safety label.


First, some good news: 29.8 % of the apps with a label say they neither share nor collect any data, and 57.2 % claim to at least not share any data with third parties.

Unfortunately, the situation looks less privacy-friendly for the apps that do process data. Here’s a graph of the most commonly declared data types: #Tracking data is most prevalent by far. Almost all apps that declare processing any data at all self-declare that they collect or share at least one data type that is only useful for tracking.

And then, we were genuinely shocked: A worrying number of apps self-declare that they collect or even share highly sensitive data like sexual orientation, political or religious beliefs, and health info for tracking or advertising purposes. This includes typical suspects like Facebook and Amazon, but also SoundCloud, Zalando, momox, nebenan.de and many more.

Some of those apps are even explicitly targeted at children, like Roblox, My Little Pony, and FarmVille.

That is completely unacceptable!

Finally, we ran a traffic analysis on the top 500 apps to check the labels’ truthfulness.

Here’s a graph of the results. We didn’t interact with the apps, so we can only check a few data types. And we can only definitively say when data is collected but can’t confirm that it is never collected.

Most of the declarations were correct. But more than one quarter of apps transmitted tracking data that they didn’t declare. A handful of apps transmitted the user’s location without declaring that.

What does that tell us? These labels can be a helpful tool for making data collection practices more transparent to users. But if they are only unchecked self-declarations, they can also be dangerous and mislead users.

But more importantly, they highlight the ubiquitous and vast collection of tracking and advertising data, which sometimes includes data that is completely inappropriate to collect. Disclosing these practices is not enough. Tracking practices need to be significantly dialed back.