All posts by Abbas Razaghpanah

Invisible Eyes

Smartphone apps are playing an increasingly central role in our lives. They are ubiquitous: we carry them nearly everywhere and entrust them with sensitive and sometimes deeply personal information. We use them to carry out day-to-day tasks, from communicating with friends and socializing on social media apps to tracking our health and taking care of our finances on banking apps. Developers of these apps and services invest lots of time and effort into developing, running, and maintaining them, yet despite all of that, we use the vast majority of them for free. So you might wonder how the people who create and maintain these apps make money.

How do apps make money?

The answer is simple: in-app advertising and the collection of user tracking data. To display ads inside an app, you need to know the different types of audiences who use your app and be able to distinguish between them by collecting information about them as they use it, know the businesses that are interested in advertising their services to those user demographics, and be able to match the right ads with the right audiences.

While this is certainly possible, it is especially difficult to manage for small-time app developers who will have to do this while also staying on top of maintaining their apps, developing new features, and various other developer-related tasks.

To make this easier, developers use third-party services that know other businesses interested in mobile advertising and mediate between them and the app developers who want to monetize their apps through ads. Developers embed pieces of software developed by these services inside their apps, which allows the services to collect information about the users and use it to display targeted advertisements.

They need to make money, what’s wrong with that?

The idea of data collection for in-app advertising is a controversial one. App creators need to make money. After all, we are getting free utility from their apps and services. However, users are largely unaware of which third-party services app creators use in their apps to do so, who owns and operates those services, and what their policies are regarding how tracking data is collected and how it is treated after it has been collected.

App stores do not require developers to disclose their use of third-party advertising and tracking services, and users are in the dark about their presence in their apps. As such, apps do not tell us which of these services they use, and their privacy policy statements are often vague about the use of such services. Moreover, apps, even ones that do not have in-app ads, track their users for other purposes such as analytics and crash reporting, and there are third-party services that facilitate those types of functions as well, which are virtually invisible to the users. This lack of transparency is not helped by the fact that these services regularly end up in the news for sharing or selling large amounts of mobile tracking data.

Data Exchange Data Demo Page

Data exchange website purporting to have tracking data from over 90 million mobile users, presumably collected by 3rd-party services inside different apps.

How do I know if my apps are using these services?

Lumen helps users identify these third-party services in their apps by monitoring the network activity of the apps running on their phones. It also tells them what kind of data is collected by these services and which organization is collecting the data. Lumen brings much-needed transparency into the equation, and having this information is half the battle, but users also need to have some sort of control over this behaviour.

Lumen Showing PII Leaks

Lumen showing information collected by different services in the AccuWeather app. Advertising and tracking services are denoted by an eye next to their name.

Where’s all my tracking data going?

It’s hard to say where exactly all of this tracking data ends up. After all, business transactions between the organizations buying and selling this kind of data happen in private. What we can do, however, is look at what these organizations allow themselves to do with the data by looking at their public privacy policy documents. We looked at the privacy policies of the top 10 parent organizations of these services to find out what their policies are regarding data sharing, and found that, perhaps unsurprisingly, 8 out of 10 of them reserve the right to share the data with their “partners”. This means that even if you know which third-party service is tracking you inside your apps (using Lumen, for example), and you somehow know which organization ultimately owns the data, you might not know what other companies partner with that organization or which of those partners also have access to your tracking data.

Furthermore, some of the organizations who own analytics and crash reporting services also own advertising services, and most of them reserve the right to share tracking data collected by those services (e.g. ones that are not advertising-related) with their advertising subsidiaries. This means that even if you don’t mind being tracked by an analytics service inside an app as long as it doesn’t include targeted ads, you can’t guarantee that the data collected by it will not be ultimately used for targeted advertising.

How do I opt out of tracking?

We also looked at what the policies of the top 10 parent organizations are regarding opting out, and were surprised to see that they do not make it easy to opt out. In fact, none of the top 10 parent organizations who run these services allow users to completely opt out of being tracked by their services in the first place, and while they all more or less do let users opt out of having their tracking data used for targeted advertising, the process is not straightforward or uniform across different organizations. Some ask users to send them an email asking to be excluded from targeted ads or disable targeted ads and reset their advertising IDs from Android settings, while others suggest using different websites created by advertising alliances (e.g. from Digital Advertising Alliance and Network Advertising Initiative) to opt out. Keep in mind that this is assuming that users do know the parent organizations that run the tracking services inside their apps, which is generally not the case.

Privacy policy highlights of the top 10 parent organizations of mobile ATSes

Is there an alternative to opting out?

In addition to helping users to see which third-party and advertising services are present in apps, what pieces of information they collect, and where they send it to, Lumen now also gives them the option to block those flows. This feature gives the users granular control over the network communications of their apps, and helps them prevent unwanted tracking by third-party services.

Lumen allows users to block flows

Lumen provides users with granular control over third-party advertising and tracking services.
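The monitoring and blocking described above can be pictured as a per-flow check: match the destination against a list of known services, note which device identifiers the request carries, and apply the user's block rules. The sketch below is an added example, not Lumen's code; it assumes the monitor already sees each request's URL and body, and the tracker list, identifiers, app names, hostnames and function names are all constructed for illustration.

```python
from urllib.parse import urlsplit, unquote_plus

# Constructed tracker list (assumption): domain -> (service, parent org, category)
TRACKERS = {
    "ads.example": ("ExampleAds SDK", "Example Holdings", "advertising"),
    "metrics.example": ("ExampleMetrics", "Example Holdings", "analytics"),
}

# Constructed identifiers for the monitored phone (assumption)
DEVICE_VALUES = {
    "advertising_id": "38400000-8cf0-11bd-b23e-10b96e40000d",
    "android_id": "9774d56d682e549c",
    "email": "user@example.org",
}

def match_tracker(host):
    """Match the host or any parent domain, label by label, so that
    sdk.ads.example matches ads.example but notads.example does not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        entry = TRACKERS.get(".".join(labels[i:]))
        if entry:
            return entry
    return None

def leaked_fields(url, body=""):
    """Names of known device values present in the URL query or request body."""
    haystack = unquote_plus(urlsplit(url).query + "&" + body).lower()
    return sorted(k for k, v in DEVICE_VALUES.items() if v.lower() in haystack)

def inspect_flow(app, url, body="", blocked=frozenset()):
    """Label one outgoing request and apply per-app, per-service block rules."""
    host = urlsplit(url).hostname or ""
    tracker = match_tracker(host)
    if tracker is None:
        return {"app": app, "host": host, "service": None, "action": "allow"}
    service, org, category = tracker
    action = "block" if (app, service) in blocked else "allow"
    return {"app": app, "host": host, "service": service, "organization": org,
            "category": category, "leaks": leaked_fields(url, body), "action": action}

if __name__ == "__main__":
    # Constructed flows: (app, URL, request body)
    rules = frozenset({("com.example.weather", "ExampleAds SDK")})
    for app, url, body in [
        ("com.example.weather", "https://sdk.ads.example/bid?adid=" + DEVICE_VALUES["advertising_id"], ""),
        ("com.example.notes", "https://metrics.example/collect", "email=user%40example.org"),
    ]:
        print(inspect_flow(app, url, body, rules))
```

Note that both constructed services map to the same parent organization, which is the situation the post describes for analytics and advertising services under one owner.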

To learn more about the complicated world of mobile advertising and tracking, check out our paper titled “Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem”, published in the proceedings of Information Society’s Networked and Distributed Systems Security Symposium, 2018.