14% of Android app privacy policies contain contradictions about data collection

An analysis of 11,430 Play Store apps found that 14.2% used a privacy policy with contradicting statements about user data collection practices.



A large number of Android mobile apps listed on the official Google Play Store contain self-contradictory language in their privacy policies with regard to data collection practices.

In an academic study published last year, researchers created a tool named PolicyLint that analyzed the language used in the privacy policies of 11,430 Play Store apps.

They found that 14.2% (1,618 apps) contained a privacy policy with logically contradictory statements about data collection.

Examples include privacy policies that stated in one section that they do not collect personal data, only to contradict themselves in subsequent sections, where they state they collect emails or customer names -- which are clearly personally identifiable information.
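The pattern described above (a blanket denial of collecting a general category, followed elsewhere by an admission of collecting something that falls under it) can be checked mechanically. The following is an added illustration, not PolicyLint's code: the data-type ontology, the sentence patterns and the sample policy are all constructed assumptions, and a real checker would need proper NLP rather than regular expressions.

```python
"""Toy checker for self-contradicting privacy-policy statements (added example).

Flags the case the article describes: one section says the app does NOT
collect a general category of data, another says it DOES collect something
that the ontology places under that category.
"""
import re
from dataclasses import dataclass

# Constructed subsumption ontology: specific term -> more general term.
ONTOLOGY = {
    "email address": "contact information",
    "phone number": "contact information",
    "name": "personal information",
    "contact information": "personal information",
    "device identifier": "personal information",
    "ip address": "device identifier",
}
ALL_TERMS = sorted(ONTOLOGY.keys() | set(ONTOLOGY.values()))


def ancestors(term):
    """All more general categories a term belongs to, per the ontology."""
    out = set()
    while term in ONTOLOGY:
        term = ONTOLOGY[term]
        out.add(term)
    return out


@dataclass(frozen=True)
class Statement:
    section: str
    collects: bool      # True = "we collect", False = "we do not collect"
    data_type: str
    text: str


# Constructed patterns; they only handle simple declarative sentences.
NEG = re.compile(r"\b(do not|don't|never|will not)\s+(collect|gather|store)\b", re.I)
POS = re.compile(r"\b(we|app)\s+(may\s+)?(collect|gather|store)s?\b", re.I)


def extract(section, sentence):
    """Turn one sentence into zero or more (polarity, data type) statements."""
    if NEG.search(sentence):
        polarity = False
    elif POS.search(sentence):
        polarity = True
    else:
        return []
    lower = sentence.lower()
    return [
        Statement(section, polarity, term, sentence)
        for term in ALL_TERMS
        if re.search(r"\b" + re.escape(term) + r"\b", lower)
    ]


def find_contradictions(statements):
    """Pair each denial with any affirmation of the same or a narrower type."""
    negatives = [s for s in statements if not s.collects]
    positives = [s for s in statements if s.collects]
    return [
        (n, p)
        for n in negatives
        for p in positives
        if p.data_type == n.data_type or n.data_type in ancestors(p.data_type)
    ]


def analyze(policy):
    """policy: dict mapping section name -> section text."""
    statements = []
    for section, text in policy.items():
        for sentence in re.split(r"(?<=[.!?])\s+", text):
            statements.extend(extract(section, sentence.strip()))
    return find_contradictions(statements)


# Constructed sample policy showing the contradiction the article describes.
SAMPLE_POLICY = {
    "Overview": "We do not collect any personal information from users of the app.",
    "Account": "When you register, we collect your name and email address to create your profile.",
    "Analytics": "We may collect your device identifier to measure crashes. We never sell your data.",
}

if __name__ == "__main__":
    for denial, admission in analyze(SAMPLE_POLICY):
        print(f"[{denial.section}] denies '{denial.data_type}' but "
              f"[{admission.section}] collects '{admission.data_type}'")
```

Running it on the sample policy reports three contradictions: the Overview section denies collecting "personal information", while the Account section admits to names and email addresses and the Analytics section to a device identifier, all of which the ontology places under that category. The direction matters: denying a specific item (email) while admitting a general one (personal information) is not flagged, since that is a narrowing rather than a logical contradiction.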

In some cases, templates are to blame

While the research team could not determine the app maker's intent in using contradicting statements in their privacy policy, researchers feel the primary purpose was to mislead users if they ever took the time to read the policies.

However, they also discovered evidence of the contrary. For example, the research team found 59 apps that used online services to auto-generate a privacy policy. A deeper look at the online services revealed that the self-contradicting statements were part of the template itself, and not the app maker's addition.

"I think we found four-five different templates," said Benjamin Andow, of IBM Research, and one of the study's authors.

However, the vast majority of other privacy policies were unique to each app, and did not appear to be the result of an accident. In these cases, the research team says these app makers are susceptible to fines from EU and US privacy watchdogs.

"Self-contradictions can lead to the identification of deceptive statements, which are enforceable by the FTC and the DPAs (data protection authorities) of the EU," Andow said, suggesting that their research could be used to track down GDPR abusers.

Notifying vendors

Furthermore, as part of the process of verifying the accuracy of the PolicyLint tool, the research team also took a sample of 510 privacy policies with contradicting statements and manually verified their correctness.

Since this process involved a careful analysis of the entire app's policy, the research team also took to notifying the app maker about its inaccurate privacy policy.

From the 510 apps, the research team found contact emails for 260 developers, which they notified via email. Of the 260, 244 received the email, as 16 of the public contact email addresses ended up being either invalid or unreachable.

Of the 244 emails they sent, researchers said they only received 11 replies, following which only three developers corrected their policies.


More details are available in the team's white paper, entitled "PolicyLint: Investigating Internal Privacy Policy Contradictions on Google Play," available for download in PDF format from here or here.

The team includes researchers and academics from North Carolina State University, University of Illinois at Urbana-Champaign, and IBM Research.

Below is a video of Andow's presentation at a security conference in 2019.

The paper's findings are somewhat consistent with another 2019 study named "On The Ridiculousness of Notice and Consent: Contradictions in App Privacy Policies."

This separate study analyzed a bigger sample of Play Store apps for inconsistencies between data collection practices and what was explicitly disclosed in privacy policies.

The research team found that 10.5% of the 68,051 apps they analyzed shared personal data with third-party services, yet did not declare it in their privacy policies. Further, only 22.2% of the 68,051 apps explicitly named third-party partners or affiliates in their privacy policies, with the vast majority of apps hiding where collected user data ends up.