Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

The TCF doesn't really A(A)ID -- Automatic Privacy Analysis and Legal Compliance of TCF-based Android Applications

Victor Morel, Cristiana Santos, Pontus Carlsson, Joel Ahlinder, Romaric Duvignau

TL;DR

This work investigates the prevalence of the Transparency and Consent Framework in popular Android apps from the Google Play Store, and assesses whether these apps respect users' consent banner choices.

Abstract

The Transparency and Consent Framework (TCF), developed by the Interactive Advertising Bureau (IAB) Europe, provides a de facto standard for requesting, recording, and managing user consent from European end-users. This framework has previously been found to infringe European data protection law and has subsequently been regularly updated. Previous research on the TCF focused exclusively on web contexts, with no attention given to its implementation in mobile applications. No work has systematically studied the privacy implications of the TCF on Android apps. To address this gap, we investigate the prevalence of the TCF in popular Android apps from the Google Play Store, and assess whether these apps respect users' consent banner choices. By scraping and downloading 4482 of the most popular Google Play Store apps on an emulated Android device, we automatically determine which apps use the TCF, automatically interact with consent banners, and analyze the apps' traffic in two different stages, passive (post choices) and active (during banner interaction and post choices). We found that 576 (12.85%) of the 4482 downloadable apps in our dataset implemented the TCF, and we identified potential privacy violations within this subset. In 15 (2.6%) of these apps, users' choices are stored only when consent is granted. Users who refuse consent are shown the consent banner again each time they launch the app. Network traffic analysis conducted during the passive stage reveals that 66.2% of the analyzed TCF-based apps share personal data, through the Android Advertising ID (AAID), in the absence of a lawful basis for processing. 55.3% of apps analyzed during the active stage share AAID before users interact with the apps' consent banners, violating the prior consent requirement.

The TCF doesn't really A(A)ID -- Automatic Privacy Analysis and Legal Compliance of TCF-based Android Applications

TL;DR

This work investigates the prevalence of the Transparency and Consent Framework in popular Android apps from the Google Play Store, and assesses whether these apps respect users' consent banner choices.

Abstract

The Transparency and Consent Framework (TCF), developed by the Interactive Advertising Bureau (IAB) Europe, provides a de facto standard for requesting, recording, and managing user consent from European end-users. This framework has previously been found to infringe European data protection law and has subsequently been regularly updated. Previous research on the TCF focused exclusively on web contexts, with no attention given to its implementation in mobile applications. No work has systematically studied the privacy implications of the TCF on Android apps. To address this gap, we investigate the prevalence of the TCF in popular Android apps from the Google Play Store, and assess whether these apps respect users' consent banner choices. By scraping and downloading 4482 of the most popular Google Play Store apps on an emulated Android device, we automatically determine which apps use the TCF, automatically interact with consent banners, and analyze the apps' traffic in two different stages, passive (post choices) and active (during banner interaction and post choices). We found that 576 (12.85%) of the 4482 downloadable apps in our dataset implemented the TCF, and we identified potential privacy violations within this subset. In 15 (2.6%) of these apps, users' choices are stored only when consent is granted. Users who refuse consent are shown the consent banner again each time they launch the app. Network traffic analysis conducted during the passive stage reveals that 66.2% of the analyzed TCF-based apps share personal data, through the Android Advertising ID (AAID), in the absence of a lawful basis for processing. 55.3% of apps analyzed during the active stage share AAID before users interact with the apps' consent banners, violating the prior consent requirement.
Paper Structure (60 sections, 3 figures, 15 tables)

This paper contains 60 sections, 3 figures, 15 tables.

Table of Contents

  1. Introduction
  2. Background knowledge
  3. EU Data Protection Law
  4. Google Advertising ID (AAID) as personal data
  5. IAB's Transparency and Consent Framework and Compliance
  6. Related Work
  7. Potential GDPR Violations in TCF Research
  8. Potential Privacy Violations in Mobile Apps
  9. Methodology
  10. Quantifying the Presence of the TCF
  11. Scraping Apps
  12. Downloading Apps
  13. Determining Apps' TCF Usage
  14. Dynamic Analysis
  15. Determining CMPs
  16. ...and 45 more sections

Figures (3)

  • Figure 1: Schematic overview of the three steps of the methodology. First, we quantify the TCF in a dataset of 4482 apps scraped on the Play Store (Section \ref{['subsec:quantification']}). Second, we automate the interaction with consent banners on 576 apps according to three approaches (Section \ref{['subsec:dynamic_analysis']}). Third, we analyze network traffic of up to 550 apps in two stages (Section \ref{['subsec:traffic-analysis']}).
  • Figure 2: Consent banner settings for Google LLC (CMP 300), from the application Geometry Dash Lite (com.robtopx.geometryjumplite). The two screenshots show default interfaces.
  • Figure 3: Distribution of popular domains (minimum 10 apps) receiving personal data.