Smartphone apps are playing an increasingly central role in our lives. They are ubiquitous, as we carry them nearly everywhere, and entrust them with sensitive and sometimes deeply-personal information. We use them to carry out day-to-day tasks from communicating with friends and socializing on social media apps to tracking our health and taking care of our finances on banking apps. Developers of these apps and services invest lots of time and effort into developing, running, and maintaining them, yet despite all of that, we use the vast majority of them for free. So you might wonder how the people who create and maintain these apps make money.
How do apps make money?
The answer is simple: in-app advertising and user tracking data collection. To display ads inside an app, you need to know the different types of audiences who use your app and be able to distinguish between them by collecting information about them when they use your app, know the businesses who are interested in advertising their services to the different user demographics, and be able to match the right ads with the right audiences.
While this is certainly possible, it is especially difficult to manage for small-time app developers who will have to do this while also staying on top of maintaining their apps, developing new features, and various other developer-related tasks.
To make this easier, developers use third-party services who know other businesses interested in mobile advertising and mediate between them and the app developers who want to monetize their apps through ads. Developers embed pieces of software developed by these services inside their apps which allows them to collect information about the users and use it to display targeted advertisements.
They need to make money, what’s wrong with that?
The idea of data collection for in-app advertising is a controversial one. App creators need to make money. After all, we are getting free utility from their apps and services. However, users are largely unaware of which third-party services they use in their apps to do so, who owns and operates those services, and what their policies are regarding how tracking data is collected and how it is treated after it has been collected.
Data exchange website purporting to have tracking data from over 90 million mobile users, presumably collected by 3rd-party services inside different apps.
How do I know if my apps are using these services?
Lumen helps users identify these third party services in their apps by monitoring network activities of the apps that are running on your phone. It also tells you what kind of data is collected by them and organization is collecting the data. Lumen brings the much-needed transparency into the equation and having this information is half the battle, but users need to have some sort of control over this behaviour.
Lumen showing information collected by different services in the AccuWeather app. Advertising and tracking services are denoted by an eye next to their name.
Where’s all my tracking data going?
Furthermore, some of the organizations who own analytics and crash reporting services also own advertising services, and most of them reserve the right to share tracking data collected by those services (e.g. ones that are not advertising-related) with their advertising subsidiaries. This means that even if you don’t mind being tracked by an analytics service inside an app as long as it doesn’t include targeted ads, you can’t guarantee that the data collected by it will not be ultimately used for targeted advertising.
How do I opt out of tracking?
We also looked at what the policies of the top 10 parent organizations are regarding opting out, and were surprised to see that they do not make it easy to opt out. In fact, none of the top 10 parent organizations who run these services allow users to completely opt out of being tracked by their services in the first place, and while they all more or less do let users opt of out having their tracking data used for targeted advertising, the process is not straightforward or uniform across different organizations. Some ask users to send them an email asking to be excluded from targeted ads or disable targeted ads and reset their advertising IDs from Android settings, while others suggest using different websites created by advertising alliances (e.g. from Digital Advertising Alliance and Network Advertising Initiative) to opt out. Keep in mind that this is assuming that users do know the parent organizations that run the tracking services inside their apps, which is generally not the case.
Is there an alternative to opting out?
In addition to helping users to see which third-party and advertising services are present in apps, what pieces of information they collect, and where they send it to, Lumen now also gives them the option to block those flows. This feature gives the users granular control over the network communications of their apps, and helps them prevent unwanted tracking by third-party services.
Lumen provides users with granular control over third-party advertising and tracking services.
To learn more about the complicated world of mobile advertising and tracking, check out our paper titled “Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem”, published in proceedings of Information Society’s Networked and Distributed Systems Security Symposium, 2018.