Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

PrivPRISM: Automatically Detecting Discrepancies Between Google Play Data Safety Declarations and Developer Privacy Policies

Bhanuka Silva, Dishanika Denipitiyage, Anirban Mahanti, Aruna Seneviratne, Suranga Seneviratne

TL;DR

PrivPRISM is introduced, a robust framework that combines encoder and decoder language models to systematically extract and compare fine-grained data practices from privacy policies and to compare against data safety declarations, enabling scalable detection of non-compliance.

Abstract

End-users seldom read verbose privacy policies, leading app stores like Google Play to mandate simplified data safety declarations as a user-friendly alternative. However, these self-declared disclosures often contradict the full privacy policies, deceiving users about actual data practices and violating regulatory requirements for consistency. To address this, we introduce PrivPRISM, a robust framework that combines encoder and decoder language models to systematically extract and compare fine-grained data practices from privacy policies and to compare against data safety declarations, enabling scalable detection of non-compliance. Evaluating 7,770 popular mobile games uncovers discrepancies in nearly 53% of cases, rising to 61% among 1,711 widely used generic apps. Additionally, static code analysis reveals possible under-disclosures, with privacy policies disclosing just 66.8% of potential accesses to sensitive data like location and financial information, versus only 36.4% in data safety declarations of mobile games. Our findings expose systemic issues, including widespread reuse of generic privacy policies, vague / contradictory statements, and hidden risks in high-profile apps with 100M+ downloads, underscoring the urgent need for automated enforcement to protect platform integrity and for end-users to be vigilant about sensitive data they disclose via popular apps.

PrivPRISM: Automatically Detecting Discrepancies Between Google Play Data Safety Declarations and Developer Privacy Policies

TL;DR

PrivPRISM is introduced, a robust framework that combines encoder and decoder language models to systematically extract and compare fine-grained data practices from privacy policies and to compare against data safety declarations, enabling scalable detection of non-compliance.

Abstract

End-users seldom read verbose privacy policies, leading app stores like Google Play to mandate simplified data safety declarations as a user-friendly alternative. However, these self-declared disclosures often contradict the full privacy policies, deceiving users about actual data practices and violating regulatory requirements for consistency. To address this, we introduce PrivPRISM, a robust framework that combines encoder and decoder language models to systematically extract and compare fine-grained data practices from privacy policies and to compare against data safety declarations, enabling scalable detection of non-compliance. Evaluating 7,770 popular mobile games uncovers discrepancies in nearly 53% of cases, rising to 61% among 1,711 widely used generic apps. Additionally, static code analysis reveals possible under-disclosures, with privacy policies disclosing just 66.8% of potential accesses to sensitive data like location and financial information, versus only 36.4% in data safety declarations of mobile games. Our findings expose systemic issues, including widespread reuse of generic privacy policies, vague / contradictory statements, and hidden risks in high-profile apps with 100M+ downloads, underscoring the urgent need for automated enforcement to protect platform integrity and for end-users to be vigilant about sensitive data they disclose via popular apps.
Paper Structure (42 sections, 5 equations, 18 figures, 6 tables)

This paper contains 42 sections, 5 equations, 18 figures, 6 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Privacy Labels in App Markets
  4. NLP for Policy Understanding
  5. PrivPRISM Framework
  6. Heading and Paragraph Extraction
  7. Explained Data Practice Classification
  8. Fine Granular Data Practice Decoding
  9. Data Item/Purpose Keyword Mapping
  10. Dataset
  11. Metrics for Compliance Quantification
  12. Data Practice Compliance
  13. Data Purpose Compliance
  14. Benchmarking PrivPRISM
  15. Explainable High-level Paragraph Classification
  16. ...and 27 more sections

Figures (18)

  • Figure 1: Top: Data safety declarations of three games by Spider Solitaire Card Games and bottom: corresponding privacy policy highlighting inconsistencies. Data safety labels only report collecting and sharing device identifiers for analytics and ads, yet their privacy policy omit ad-related details and instead disclose access to more sensitive data such as GPS location, user accounts, and app activity. Identified via PrivPRISM framework deployment to mobile games.
  • Figure 2: Terminology used in PrivPRISM
  • Figure 3: End-to-end pipeline of our framework (top) and a walkthrough example (bottom)
  • Figure 4: Data item mapping verifier embedding alignment and transferability
  • Figure 5: Structural composition of a privacy policy - A column represents the data practice category distribution of the policy dataset at a given normalised length.
  • ...and 13 more figures