A large number of Android mobile apps listed on the official Google Play Store contain self-contradictory language in their privacy policies with regard to data collection practices.
In an academic study published last year, researchers created a tool named PolicyLint that analyzed the language used in the privacy policies of 11,430 Play Store apps.
Examples include privacy policies that stated in one section that they do not collect personal data, only to contradict themselves in subsequent sections, where they state they collect emails or customer names -- which are clearly personally identifiable information.
In some cases, templates are to blame
"I think we found four-five different templates," said Benjamin Andow, of IBM Research, and one of the study's authors.
However, the vast majority of other privacy policies were unique to each app, and did not appear to be the result of an accident. In these cases, the research team says these app makers are susceptible to fines from EU and US privacy watchdogs.
"Self-contradictions can lead to the identification of deceptive statements, which are enforceable by the FTC and the DPAs (data protection authorities) of the EU," Andow said, suggesting that their research could be used to track down GDPR abusers.
Furthermore, as part of the process of verifying the accuracy of the PolicyLint tool, the research team also took a sample of 510 privacy policies with contradicting statements and manually verified their correctness.
From the 510 apps, the research team found contact emails for 260 developers, whom they notified via email. Of the 260, 244 received the email, as 16 of the public contact email addresses ended up being either invalid or unreachable.
Of the 244 emails they sent, researchers said they only received 11 replies, following which only three developers corrected their policies.
The team includes researchers and academics from North Carolina State University, University of Illinois at Urbana-Champaign, and IBM Research.
Below is a video of Andow's presentation at a security conference in 2019.
The paper's findings are somewhat consistent with another 2019 study named "On The Ridiculousness of Notice and Consent: Contradictions in App Privacy Policies."
This separate study analyzed a bigger sample of Play Store apps for inconsistencies between data collection practices and what was explicitly disclosed in privacy policies.
The research team found that 10.5% of the 68,051 apps they analyzed shared personal data with third-party services, yet did not declare it in their privacy policies. Further, only 22.2% of the 68,051 apps explicitly named third-party partners or affiliates in their privacy policies, with the vast majority of apps hiding where collected user data ends up.