In September Dutch NGO SDBN proposed a class action against XCorp (formerly Twitter) for unlawfully tracking its users and collecting personal data for advertising.
The action also involves MoPub, a mobile advertising platform formerly owned by Twitter and later sold to AppLovin. The involvement of MoPub is a big deal because its trackers are found in thousands of apps, including popular services such as Shazam and Duolingo.
Around the same time, privacy NGO noyb filed complaints against three mobile apps with the French privacy authority, claiming the apps track users illegally. More information on the complaints can be found on the organization’s website.
EU regulators are finally called to enforce the law against mobile apps. But what is the issue with trackers and mobile apps, and why do these cases matter?
- An overlooked issue
- How does mobile tracking work?
- Is mobile tracking concerning?
- What does the GDPR say about mobile tracking?
- What is there to know about the cases?
- Why are these cases important?
- Will things change for the better?
An overlooked issue
Tracking and behavioral advertising have been a hot topic in the privacy community for a while now. This is no surprise, as countless companies rely on tools such as Meta’s Pixels or Google Analytics.
There has been plenty of news on the topic, from Meta’s €400M fine for the unlawful tracking and profiling of Facebook and Instagram users, to the Belgian DPA’s ongoing procedure on IAB Europe’s Transparency and Consent Framework.
Mobile apps do not get the same degree of attention as traditional, cookie-based tracking technology. So, let’s take a closer look at how apps track their users, and see why app surveillance is a huge threat to privacy.
How does mobile tracking work?
You are probably familiar with cookie-based tracking on the Internet. Companies want to identify visitors in order to evaluate the performance of their websites and their marketing campaigns. More often than not, they also want to track their visitors around the Web in order to display personalized advertising based on personal data such as interests, location, demographic, and so on.
Most websites do this by placing cookies in the user’s browser- which can only be done with the user’s consent under EU law (the general rules are a little more complicated than that, but that’s how it works for web analytics in a nutshell).
Mobile tracking is different: apps extract data directly from the user's device and send it to the mother company of the software development kits (SDKs) embedded in the apps.
SDKs are “building blocks” of sorts that make it easier for software developers to create an app. An SDK is essentially a pre-made bundle of code that allows apps to perform tasks such as authenticating users, retrieving information from an API, sharing data, and so on. Companies can save a lot of development time by including an SDK in their app instead of programming complex features from scratch.
SKDs are very useful for software developers. In the fast-paced, highly competitive mobile app market, companies constantly race each other in order to occupy a niche before the competition beats them to it. It is essential for devs to get the product out fast, and SDKs are the easiest way to do so. Using SDKs is pretty much standard practice in the industry, and we all have several on our smartphones.
But there is a catch. SDKs are typically made available for free, but include code that extracts information from end users and provides it to the company that developed the kit. So, developers get SDKs for free, and you pay for them with your data when you download the app.
Is mobile tracking concerning?
If you follow our blog, you probably know we are not the biggest fans of cookies. Tracking via mobile apps is even worse, for several reasons.
First of all, apps are sneaky. You can check your cookies with just a few clicks on through your browser, but it takes a lot of work and know-how to figure out what data your apps are collecting from your phone.
Noyb's complaints are a great example. The organization's website explains in detail how noyb found what personal data were being collected and shared. noyb first rooted a device, then used third-party software to capture and decrypt outgoing traffic. Not terribly user-friendly.
Furthermore, browsers give users control over cookies, as they can be cleared with just a few clicks. Users have no such control over mobile apps.
The access authorizations systems found in most OSs allow for some degree of user control over data collection- for instance, by allowing users to deny access to location data or the device’s microphone. However, other personal data are not locked behind the authorization system. Additionally, some apps will simply require the data in order to run- essentially blackmailing the user into providing unnecessary data.
Cross-device tracking is also trivial for mobile apps because many users install the same apps on different devices and log in with the same profile.
Finally, many apps use the same SDKs and feed data to the same companies, including usual suspects such as Google and Meta. This centralization is a significant privacy risk: the data collected by certain apps may appear innocuous, but can be very revealing when combined with data from other apps.
Let’s say you use a mental health app and a calorie tracking app. You frequently use them together because you tend to seek comfort in food when you feel sad or anxious. If the apps are powered by the same SDKs, you may see ads for food delivery whenever you visit a website after using the mental health app. Combining data from your apps allows the SDK’s developer to capitalize on your comfort-seeking behaviors.
This is just an example of the unethical and predatory advertising strategies made possible by the centralization of personal data on the mobile advertising market. Imagine what companies can do with a few more apps on your phone.
What does the GDPR say about mobile tracking?
We already have rules to ensure that mobile apps respect user privacy- we just haven’t enforced them enough.
Under the ePrivacy Directive, consent is required for reading and writing any data on the user’s device. This includes the tracking IDs that SDKs typically write on mobile devices, as well as other economically valuable data such as location data. In practice, many apps either ignore this requirement entirely, or extort consent by refusing to work unless the user gives them the data they want (which is not allowed under the GDPR).
(To be clear, it is fine for apps to ask for data they really need. Google Maps needs your location, Tinder does not!)
Transparency is also quite problematic for apps. Under the GDPR, whenever someone collects your data, they are under an obligation to provide you with some essential information: what data is being collected, by whom, for what purpose, whether it will be shared with third parties, and so on. But most apps provide incomplete privacy policies because companies themselves often have no idea what data their apps collect through SDKs.
What is there to know about the cases?
Noyb’s complaints target three popular mobile apps available on the French market: FNAC, Se Loger, and MyFitnessPal (which coincidentally uses MoPub’s SDKs). As explained in this example complaint, noyb claims the apps unlawfully process data without user consent, which is against the ePrivacy Directive of the EU and the French laws that implement it. Noyb also claims that the apps violate the GDPR’s principle of data protection by design and default by collecting unnecessary data.
It is worth noting that the French data protection authority (CNIL) recently issued some big fines over illegal tracking (which we wrote about). We believe that noyb has a strong case and that the CNIL will take the matter quite seriously. Of course, only time will tell.
As for the class action against X Corp, the SDBN’s website claims that thousands of apps collected personal data without consent through MoPub’s trackers. We don’t know much aside from that, as the organization’s press release only describes the lawsuit in broad strokes.
It is worth noting that the organization is acting on behalf of millions of people, which could result in substantial damages being awarded by Dutch courts.
Why are these cases important?
As we explained, the privacy issues raised by mobile apps do not get the attention they deserve, and there has been little law enforcement against mobile app publishers and SDK distributors so far.
The legal actions from SDBN and noyb will hopefully change this. Noyb is a well known organization in the privacy community, and the CNIL is an influential authority. Noyb’s complaints are sure to draw some attention if they go well for the NGO.
As for SDBN, its lawsuit could cost X Corp a lot of money. But most importantly, it indirectly involves thousands of apps, including popular services such as Shazam and MyFitnessPal. So, this legal action could impact the trackers found in countless services.
Will things change for the better?
We sure hope so, and there are reasons to be optimistic.
Centralization makes the mobile advertising market profitable, but may also make the business model vulnerable to litigation. Successful legal action against the owners of ubiquitous SDKs may impact thousands of apps and send waves across the entire market- especially if a case were to make its way to the EU Court of Justice or the European Data Protection Board.
Furthermore, future complaints against mobile tracking will likely fall under the ePrivacy Directive and bypass the GDPR’s notoriously inefficient system for handling cross-border cases. This could lead to faster procedures because complaints would be decided in the State where they are filed instead of bouncing back and forth between different Member States.
Mobile apps have been looming in the background of our phones for years now, quietly hoarding personal data on a massive scale. Hopefully these legal actions will draw some attention on the issue of mobile tracking, and nudge regulators toward stricter enforcement in the long run.
As you have probably figured out, we do not like tracking. We believe it is irresponsible, dangerous, and unethical. This is why we created Simple Analytics to provide our customers with all the insights they need- without collecting personal data from the end user. If this sounds good to you, feel free to give us a try!