RADS-Checker: Measuring Compliance with Right of Access by the Data Subject in Android Markets
Zhenhua Li, Zhanpeng Liang, Congcong Yao, Jingyu Hua, Sheng Zhong
TL;DR
This study tackles the gap between data protection law and practice by measuring Right of Access by the Data Subject (RADS) compliance in Android apps. The authors propose RADS-Checker, a three-stage framework that (i) automatically identifies RADS declarations and implementations in app privacy policies using NLP and GPT-4, (ii) evaluates the practicality of these implementations through authenticity and usability tests, and (iii) verifies data-copy completeness with a Frida-based dynamic analysis of runtime data collection. Across 1,631 apps in two major markets, results show that only about half of apps declare RADS (DCAR) and fewer than 20% can actually provide data copies; completeness is especially poor, with only 2.94% in one market meeting completeness criteria and none in the other. These findings underscore a substantial gap between RADS regulatory intent and real-world app practices, highlighting the need for clearer guidance, streamlined data-access workflows, and better data-copy standardization to protect user privacy in practice.
Abstract
The latest data protection regulations worldwide, such as the General Data Protection Regulation (GDPR), have established the Right of Access by the Data Subject (RADS), granting users the right to access and obtain a copy of their personal data from the data controllers. This clause can effectively compel data controllers to handle user personal data more cautiously, which is of significant importance for protecting user privacy. However, there is currently no research systematically examining whether RADS has been effectively implemented in mobile apps, which are the most common personal data controllers. In this study, we propose a compliance measurement framework for RADS in apps. In our framework, we first analyze an app's privacy policy text using NLP techniques such as GPT-4 to verify whether it clearly declares offering RADS to users and provides specific details on how the right can be exercised. Next, we assess the authenticity and usability of the identified implementation methods by submitting data access requests to the app. Finally, for the obtained data copies, we further verify their completeness by comparing them with the user personal data actually collected by the app during runtime, as captured by Frida Hook. We analyzed a total of 1,631 apps in the American app market G and the Chinese app market H. The results show that less than 54.50% and 37.05% of apps in G and H, respectively, explicitly state in their privacy policies that they can provide users with copies of their personal data. Additionally, in both app markets, less than 20% of apps could truly provide users with their data copies. Finally, among the obtained data copies, only about 2.94% from G pass the completeness verification.