Apps have become safer after GDPR
2019-11-06

Researchers at ý have studied how apps' access to our personal data has changed since the EU General Data Protection Regulation (GDPR) was introduced in May 2018. The study shows that apps access less personal data today, although many apps still have access to more functions than the ones described in their privacy policy.
“We have seen changes in app behaviour that indicate a positive effect of GDPR,” says Lothar Fritsch, Associate Professor of Computer Science at ý. “Many suppliers have made an effort to make their apps more compatible with GDPR.”
Many insecurities remain
The study shows, however, that many insecurities remain when it comes to privacy of personal data on smartphones and tablets. Many apps have access to the camera, the microphone, and the list of contacts, for instance, despite the fact that they do not actually need that information in order to fulfil their purpose. Lothar Fritsch says that there is too little transparency regarding the kind of data that is accessed, when it is accessed, and for what purpose.
“Today, individuals have no or very little control over the information that is collected. We have seen that apps are increasingly interested in mapping who we meet or where we are. But do we really want our fitness app to accompany us to the doctor, to the therapist, or to an intimate date? Why would an app have the privilege to collect data just because it can? Both consumers and supervisory authorities need to set stricter rules on app suppliers and digital services in order to reclaim control over the dissemination of information about ourselves.”
Surveys done before and after the introduction of GDPR
Together with Majid Hatamian at Goethe University in Frankfurt, the researchers Lothar Fritsch and Nurul Momen at ý conducted a survey of 50 popular apps in November 2017, that is, before the introduction of GDPR in May 2018. From December 2018 to spring 2019, they repeated the survey to find out whether the apps had changed after the introduction of GDPR. The researchers looked at the data access authorizations (so-called permissions) coded into the apps. Then they installed and ran the apps while monitoring what data the apps actually used.
The results of the study have been published in the latest issue of IEEE Security & Privacy Magazine (6/2019), a prominent international scientific data security and privacy journal.