RADS-Checker: Measuring Compliance with Right of Access by the Data Subject in Android Markets

TL;DR

This study develops a framework to measure how well mobile apps comply with the GDPR's Right of Access, revealing significant gaps between policy declarations and actual data provision to users.

Contribution

It introduces a novel, comprehensive framework combining NLP analysis and runtime testing to evaluate RADS compliance in mobile apps.

Findings

Less than 55% of apps declare offering data access in policies.

Fewer than 20% of apps actually provide user data upon request.

Only about 3% of data copies are complete and verified.

Abstract

The latest data protection regulations worldwide, such as the General Data Protection Regulation (GDPR), have established the Right of Access by the Data Subject (RADS), granting users the right to access and obtain a copy of their personal data from the data controllers. This clause can effectively compel data controllers to handle user personal data more cautiously, which is of significant importance for protecting user privacy. However, there is currently no research systematically examining whether RADS has been effectively implemented in mobile apps, which are the most common personal data controllers. In this study, we propose a compliance measurement framework for RADS in apps. In our framework, we first analyze an app's privacy policy text using NLP techniques such as GPT-4 to verify whether it clearly declares offering RADS to users and provides specific details on how the right can be exercised. Next, we assess the authenticity and usability of the identified implementation methods by submitting data access requests to the app. Finally, for the obtained data copies, we further verify their completeness by comparing them with the user personal data actually collected by the app during runtime, as captured by Frida Hook. We analyzed a total of 1,631 apps in the American app market G and the Chinese app market H. The results show that less than 54.50% and 37.05% of apps in G and H, respectively, explicitly state in their privacy policies that they can provide users with copies of their personal data. Additionally, in both app markets, less than 20% of apps could truly provide users with their data copies. Finally, among the obtained data copies, only about 2.94% from G pass the completeness verification.