80% of Android applications (apps) downloaded to mobile phones may be violating European data protection regulations because they share users' personal information without their knowledge or consent.
This is clear from a study carried out by researchers from the Polytechnic University of Madrid (UPM), together with experts from Carnegie Mellon University (CMU), which also shows that more than 70% of the personal data that is shared ends up in the hands of only ten companies, and Google and Meta are the two that receive the most data, which allows them a great capacity for surveillance and profiling of users without those affected being aware of it.
Researchers from the UPM group Real-Time Systems and Telematic Services Architecture (STRAST) have obtained these results after comparing the information from thousands of privacy policies with ChatGPT to find out if it is transparently mentioned which companies the data are shared with. data and apply cybersecurity techniques to observe what personal data mobile applications collect and with whom it is shared.
"By crossing this information we have managed to know if the person responsible for the application is not complying with the legislation by not mentioning it transparently in their privacy policy, as required by law," comments David Rodríguez Torrado, one of the UPM researchers in the statement in which they have made known the results of their work.
In it they detail practical examples of apps that would be breaking the law. This is the case of a file transfer application with more than one billion downloads that sends a user identifier to three different companies, data that is linked to the identity of a specific user and is generally used to know their tastes and behaviors. For commercial purposes. However, the researchers explain, the privacy policy of that app does not clearly mention who this data will be shared with, a requirement required by law.
"By committing this breach of the data protection law, the creators of the applications could be sanctioned with million-dollar fines, such as those that Google and Meta have already faced in the past, as they are responsible for protecting the right to privacy of its users and ensure adequate protection of their personal data," warns José María del Álamo, the researcher who led the study.
However, he adds that, often, "developers are not aware that their applications break the law because they are unaware of the behavior of some of the commonly used and free components in the development of mobile applications."
The authors of the study show their concern that non-compliance with the transparency requirements established by European data protection law is so widespread given that millions of people use mobile apps daily for all types of functions, from communication and entertainment to financial and health management, for which special protection data is shared. And they point out that these practices put the privacy and security of users at risk by exposing them to possible misuse of their personal information.
"The results of the study highlight the urgent need for greater oversight and control of the privacy practices of mobile apps," the researchers indicate. And they express their confidence that their work also serves as a wake-up call for the developers of these apps and encourages them to adopt more transparent and respectful practices with the privacy of users "ensuring that privacy policies are not only respected but communicated." clearly".
