Workshopbeitrag
“Data Protection Can Sometimes Be a Nuisance” A Notification Study on Data Sharing Practices in City Apps
Vorschaubild nicht verfügbar
Volltext URI
Dokumententyp
Text/Workshop Paper
Zusatzinformation
Datum
2024
Zeitschriftentitel
ISSN der Zeitschrift
Bandtitel
Verlag
Gesellschaft für Informatik e.V.
Zusammenfassung
Despite the strict requirements regarding the justification of data sharing imposed by the General Data Protection Regulation (GDPR), many mobile apps, even those provided by European states, share user data with third parties without justification or consent. To assess data sharing of city apps, we analyzed 138 apps from German cities for non-compliance with the GDPR. We found that 70 of these apps contacted third-party services outside the European Union without user consent, making them potentially non-compliant with current European privacy regulations. To investigate what information helps app vendors to remediate the issue, we sent three types of notifications to potentially non-compliant vendors: A generic one, one with detailed technical guidance to achieve compliance, and one with a detailed legal explanation. We observed a response rate of 37% and fix rates of approximately 17% for the two groups that received detailed notifications. Thereby, we found that both technical guidance and legal explanations significantly increase the number of fixed apps, compared to just sending generic notifications. While the response rate was higher than during comparable studies, we observed high distrust in our messages, similar to related work. Surprisingly, we found that many of the app vendors who promised to remediate the issue, did not do so successfully, while others silently patched their app.