Researchers have studied how apps' access to our personal data has changed since the EU General Data Protection Regulation (GDPR) was introduced in May 2018. The study shows that apps access less personal data today, although many apps still have access to more functions than the ones described in their privacy policy.

"We have seen changes in app behavior that indicate a positive effect of GDPR," says Lothar Fritsch, Associate Professor of Computer Science at Karlstad University. "Many suppliers have made an effort to make their apps more compatible with GDPR."

Many insecurities remain

The study shows, however, that many insecurities remain when it comes to privacy on smartphones and tablets. Many apps have access to the camera, the microphone, and the list of contacts, for instance, despite the fact that they do not actually need that information in order to fulfill their purpose. Lothar Fritsch says that there is too little transparency regarding the kind of data that is accessed, when it is accessed, and for what purpose.

"Today, individuals have no or very little control over the information that is collected. We have seen that apps are increasingly interested in mapping who we meet or where we are. But do we really want our fitness app to accompany us to the doctor, to the therapist, or to an intimate date? Why would an app have the privilege to collect data just because it can? Both consumers and supervisory authorities need to set stricter rules on app suppliers and digital services in order to reclaim control over the dissemination of information about ourselves."

Surveys done before and after the introduction of GDPR

Together with Majid Hatamian at Goethe University in Frankfurt, Germany, the researchers Lothar Fritsch and Nurul Momen at Karlstad University conducted a survey of 50 popular apps in November 2017, that is, before the introduction of GDPR in May 2018. From December 2018 to spring 2019, they repeated the survey to find out whether the apps had changed after the introduction of GDPR. The researchers looked at the data access authorizations (so-called permissions) coded into the apps. Then they installed and ran the apps while monitoring what data the apps actually used.

The results of the study have been published in the latest issue of IEEE Security & Privacy Magazine.

More information: Nurul Momen et al. Did App Privacy Improve After the GDPR?, IEEE Security & Privacy (2019). DOI: 10.1109/MSEC.2019.2938445

Provided by Karlstad University