
“Out of control”: Advertisers receive large amounts of personal data from popular mobile apps

As part of an ongoing collaboration with the digital consumer rights team at the Norwegian Consumer Council, two researchers from mnemonic have carried out an in-depth investigation into how mobile applications share data with third parties for advertising purposes. The results show that personal data is shared widely within the advertising ecosystem.

mnemonic has carried out an in-depth investigation of 10 well-known and widely used mobile apps on the Android platform, which were selected for analysis by the Norwegian Consumer Council. The apps cover several highly personal topics, such as dating, religion, and health.

The research has aimed to document current practices and increase the understanding of how user data is collected and shared within the mobile advertising industry. There are significant differences between mobile ads and traditional web advertising due to the way that apps are built and run, and the availability of sensors such as GPS. The use of a specific app, including how often and for how long it is used, can in itself give significant information about the end user.

Our test results document that a significant amount of user data is being shared by the apps with third parties in the advertising industry. Key findings include:

  • The ten apps were observed communicating with at least 135 distinct third-party companies involved in advertising and/or behavioural profiling.
  • The Android advertising ID, which allows advertisers to track a specific device across different services, was transferred to at least 45 different third parties involved in advertising and/or behavioural profiling. All of the apps shared the advertising ID with multiple third parties, and all except one shared additional data.
  • Additional data sharing included elements such as exact GPS location, IP address, device information, and personal attributes including gender and age.
  • Amongst the apps tested, Grindr and Perfect365 particularly stood out for sharing significant amounts of data with a large number of advertising partners.

The extensive data collection documented, in combination with the use of persistent identifiers, enables the creation of comprehensive profiles on individual consumers. In many cases, the information shared by the apps can be used to infer attributes such as sexual orientation and religious belief.

“The purpose of the testing has been to increase our understanding of the mobile advertising ecosystem. In particular, we have aimed to identify some of the main actors collecting user data from our sample set of apps, understand the type and frequency of data flows, and examine the specific information that is being transmitted”, says Andreas Claesson, lead researcher on the project.

“We were quite surprised by the amount of data sharing occurring”, his project partner Tor E. Bjørstad adds. “A key motivation for this project has been that data collection, sharing, and processing within the advertising industry on mobile platforms is poorly understood. We hope that this work documenting the current industry practices will help start a debate on how user data is collected and used for mobile advertising”.

Download the Norwegian Consumer Council’s report “Out of Control – How consumers are exploited by the online advertising industry” and mnemonic’s technical report describing our main findings here.

For questions or media requests, please contact

Read more about “Out of control” here:

The New York Times

Norwegian Consumer Council's press release

Finn Myrstad's Twitter thread

Forbes

CBS News

TechCrunch

NRK Dagsrevyen 13.01.2020 (Norwegian only)

NRK Beta (Norwegian only)

Dinside (Norwegian only)

NRK BETA (Norwegian only)