How mobile apps illegally share your personal data

Forced Consent & Consent Bypass / 14 September 2023

Today, noyb filed three complaints in France against Fnac (the largest electronics store in France), the real estate app SeLoger and the fitness app MyFitnessPal. The companies’ apps illegally access and share users’ personal data with third parties for sophisticated analytics as soon as the apps are opened. Users don’t even have the choice to consent to or prevent the sharing of their data. This approach is unlawful.

Transmission by default. The complainant installed the popular apps MyFitnessPal, Fnac and SeLoger on their Android smartphone. Once opened, the applications immediately began to collect personal data and share it with third parties, including Google’s unique Advertising ID (AdID), the model and brand of the device and its local IP address. Such extensive data collection allows users to be profiled so that they can be shown personalized ads and marketing campaigns, increasing the revenue of these companies.

No Consent. Under the ePrivacy Directive, the mere access or storage of data on the user’s terminal device is only allowed if users give their free, informed, specific and unambiguous consent. Two out of the three mobile apps did not display a consent banner when launching the app. The third app presented a banner that theoretically gave the complainant the choice of giving or withholding their consent. In reality, the transmission of their personal data began without any interaction on their part – and before they even had a chance to think about consent.

Ala Krinickytė, Data Protection Lawyer at noyb: “Every app needs consent to track you. Instead, they use ‘data collection and tracking by default’. In contrast to tracking on websites, mobile apps have seen almost no enforcement so far.”

Detailed tracking. Information such as the AdID is unique and linked to a specific person’s device. This allows advertisers and other third parties to single out users and target them in the future. Some app providers even track user behavior outside their applications. This allows them to enrich the collected data with even more information about the user’s life.

First result of a wider investigation. The way these apps handle their users’ data is symptomatic of a wider problem in the mobile apps environment. Although these applications often have millions of users, they don’t bother to comply with EU privacy laws and instead share private data with third parties (including ad brokers) in order to monetize it. According to research by Konrad Kollnig and others, only 3.5 % of all apps gave users a real choice to decline consent.

Ala Krinickytė, Data Protection Lawyer at noyb: “The illegal collection and sharing of users' personal data is a widespread problem in the mobile apps environment. It is key that the supervisory authorities now take appropriate action to put an end to this practice.”

Analysis of mobile app privacy violations. In order to obtain evidence for the above-mentioned violations, a technical analysis of the smartphone apps’ network traffic was required. The network traffic capturing and analysis were conducted using the PiRogue Tool Suite developed by the Defensive Lab Agency. You can find the detailed methodology here.

Deletion of data and a possible fine. noyb requests the CNIL to order MyFitnessPal, Fnac and SeLoger to delete all data that has been unlawfully processed. In addition, all recipients of the complainant’s data must be informed that the complainant has requested the deletion of any links, copies or replications of their personal data. Given the seriousness of the allegations and the potentially large number of individuals affected, noyb also suggests that the competent authority should impose a fine. These complaints are just the beginning: noyb is planning to file more complaints against mobile app companies in the future in order to stop the illegal sharing of user data.

Acknowledgements

  • The capture and analysis of the network traffic were carried out using the PiRogue Tool Suite developed by the Defensive Lab Agency.
  • Dr. Konrad Kollnig provided his extensive knowledge and expertise on the topic of tracking in mobile apps.
  • Tracking Weasel contributed valuable insights into the subject of tracker libraries and tracking in mobile apps.