IMDEA Networks Institute Publications Repository

On The Ridiculousness of Notice and Consent: Contradictions in App Privacy Policies

Okoyomon, Ehimare and Samarin, Nikita and Wijesekera, Primal and Elazari Bar On, Amit and Vallina-Rodriguez, Narseo and Reyes, Irwin and Feal, Álvaro and Egelman, Serge (2019) On The Ridiculousness of Notice and Consent: Contradictions in App Privacy Policies. In: Workshop on Technology and Consumer Protection (ConPro 2019), in conjunction with the 39th IEEE Symposium on Security and Privacy, 23 May 2019, San Francisco, CA, USA.

[img] PDF (On The Ridiculousness of Notice and Consent: Contradictions in App Privacy Policies) - Published Version
Download (148Kb)

Abstract

The dominant privacy framework of the information age relies on notions of “notice and consent.” That is, service providers will disclose, often through privacy policies, their data collection practices, and users can then consent to their terms. However, it is unlikely that most users comprehend these disclosures, which is due in no small part to ambiguous, deceptive, and misleading statements. By comparing actual collection and sharing practices to disclosures in privacy policies, we demonstrate the scope of the problem. Through analysis of 68,051 apps from the Google Play Store, their corresponding privacy policies, and observed data transmissions, we investigated the potential misrepresentations of apps in the Designed For Families (DFF) program, inconsistencies in disclosures regarding third-party data sharing, as well as contradictory disclosures about secure data transmissions. We find that of the 8,030 DFF apps (i.e., apps directed at children), 9.1% claim that their apps are not directed at children, while 30.6% claim to have no knowledge that the received data comes from children. In addition, we observe that 10.5% of 68,051 apps share personal identifiers with third-party service providers, yet do not declare any in their privacy policies, and only 22.2% of the apps explicitly name third parties. This ultimately makes it not only difficult, but in most cases impossible, for users to establish where their personal data is being processed. Furthermore, we find that 9,424 apps do not use TLS when transmitting personal identifiers, yet 28.4% of these apps claim to take measures to secure data transfer. Ultimately, these divergences between disclosures and actual app behaviors illustrate the ridiculousness of the notice and consent framework.

Item Type: Conference or Workshop Papers (Paper)
Subjects: UNSPECIFIED
Divisions: UNSPECIFIED
Depositing User: �lvaro Feal
Date Deposited: 15 Mar 2019 13:11
Last Modified: 05 Apr 2019 12:33
URI: http://eprints.networks.imdea.org/id/eprint/1967

Actions (login required)

View Item View Item