While app developers sometimes acknowledge the fact that a great number of their users do not want to be tracked, and offer them a way to disable targeted advertisements by purchasing paid versions of the same apps, many paid apps still include third-party services such as analytics services that collect unique identifiers, and many developers do not provide any form of control or transparency over how user data is collected, stored and shared with third party services.
This report by the Haystack Project, an academic initiative led by independent academic researchers, draws a chillingly precise picture of the data sharing that takes place in the entirely opaque depths of the mobile app ecosystem. Figure 4 in the report highlights the prevalence of trackers by the organisation behind; e.g.:
Alphabet has penetration in over 73% of all our measured apps with ownership of only 3.6% of all ATS and ATS-C services.
What I find particularly relevant for the discussion of designing for privacy beyond formal compliance with regulations (ref. my recent post on ethical design and human rights), is the "ATS-C" category the authors introduce: while ATS are defined as "Advertising and Tracking Services", ATS-C is a category for "ATS-capable services: third-party services whose primary purpose is not tracking but that may process unique identifiers. Examples stated in the report (figure 3) include:
With the leaking of identifiers to these services commonly covered in "Terms and Conditions" of the app platforms or apps, users are not aware of being tracked this way.
This leads back to general considerations whether any third-party resources can be trusted when designing for privacy - in particular those maintained by the big players in the tracking business like Google, Facebook, etc. (ref. also my earlier post on this topic, building on work by Joel Purra: Tracking is so much more than just cookies).
The bookmarked research paper is not an easy read, but the issues raised deserve a broad public debate ...and it remains interesting to observe how these practices are going to change in the months to come, as many of these are likely to be in massive conflict with GDPR rules.