The TCF doesn't really A(A)ID -- Automatic Privacy Analysis and Legal Compliance of TCF-based Android Applications
- URL: http://arxiv.org/abs/2602.20222v2
- Date: Fri, 27 Feb 2026 13:44:43 GMT
- Title: The TCF doesn't really A(A)ID -- Automatic Privacy Analysis and Legal Compliance of TCF-based Android Applications
- Authors: Victor Morel, Cristiana Santos, Pontus Carlsson, Joel Ahlinder, Romaric Duvignau,
- Abstract summary: The Transparency and Consent Framework (TCF) provides a de facto standard for requesting, recording, and managing user consent from European end-users.<n>Previous research on the TCF focused exclusively on web contexts.<n>No work has systematically studied the privacy implications of the TCF on Android apps.
- Score: 0.1522374059398944
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: The Transparency and Consent Framework (TCF), developed by the Interactive Advertising Bureau (IAB) Europe, provides a de facto standard for requesting, recording, and managing user consent from European end-users. This framework has previously been found to infringe European data protection law and has subsequently been regularly updated. Previous research on the TCF focused exclusively on web contexts, with no attention given to its implementation in mobile applications. No work has systematically studied the privacy implications of the TCF on Android apps. To address this gap, we investigate the prevalence of the TCF in popular Android apps from the Google Play Store, and assess whether these apps respect users' consent banner choices. By scraping and downloading 4482 of the most popular Google Play Store apps on an emulated Android device, we automatically determine which apps use the TCF, automatically interact with consent banners, and analyze the apps' traffic in two different stages, passive (post choices) and active (during banner interaction and post choices). We found that 576 (12.85%) of the 4482 downloadable apps in our dataset implemented the TCF, and we identified potential privacy violations within this subset. In 15 (2.6%) of these apps, users' choices are stored only when consent is granted. Users who refuse consent are shown the consent banner again each time they launch the app. Network traffic analysis conducted during the passive stage reveals that 66.2% of the analyzed TCF-based apps share personal data, through the Android Advertising ID (AAID), in the absence of a lawful basis for processing. 55.3% of apps analyzed during the active stage share AAID before users interact with the apps' consent banners, violating the prior consent requirement.
Related papers
- On the Differential Privacy and Interactivity of Privacy Sandbox Reports [78.85958224681858]
The Privacy Sandbox initiative from Google includes APIs for enabling privacy-preserving advertising functionalities.<n>We provide an abstract model for analyzing the privacy of these APIs and show that they satisfy a formal DP guarantee.
arXiv Detail & Related papers (2024-12-22T08:22:57Z) - What If We Had Used a Different App? Reliable Counterfactual KPI Analysis in Wireless Systems [52.499838151272016]
This paper addresses the problem of estimating the values of traffic that would have been obtained if a different app had been implemented by the RAN.<n>We propose a conformal-prediction-based counterfactual analysis method for wireless systems.
arXiv Detail & Related papers (2024-09-30T18:47:26Z) - Exercising the CCPA Opt-out Right on Android: Legally Mandated but Practically Challenging [1.4703337216541843]
The California Consumer Privacy Act (CCPA) gives consumers a right to opt out of the selling and sharing of their personal information.<n>We evaluate to which extent popular apps on the Android platform enable users to exercise their CCPA opt-out right.
arXiv Detail & Related papers (2024-07-20T17:06:23Z) - Lessons in VCR Repair: Compliance of Android App Developers with the
California Consumer Privacy Act (CCPA) [4.429726534947266]
The California Consumer Privacy Act (CCPA) provides California residents with a range of enhanced privacy protections and rights.
Our research investigated the extent to which Android app developers comply with the provisions of the CCPA.
We compare the actual network traffic of 109 apps that we believe must comply with the CCPA to the data that apps state they collect in their privacy policies.
arXiv Detail & Related papers (2023-04-03T13:02:49Z) - Analysis of Longitudinal Changes in Privacy Behavior of Android
Applications [79.71330613821037]
In this paper, we examine the trends in how Android apps have changed over time with respect to privacy.
We examine the adoption of HTTPS, whether apps scan the device for other installed apps, the use of permissions for privacy-sensitive data, and the use of unique identifiers.
We find that privacy-related behavior has improved with time as apps continue to receive updates, and that the third-party libraries used by apps are responsible for more issues with privacy.
arXiv Detail & Related papers (2021-12-28T16:21:31Z) - A Fait Accompli? An Empirical Study into the Absence of Consent to
Third-Party Tracking in Android Apps [27.58278290929534]
Third-party tracking allows companies to collect users' behavioural data and track their activity across digital devices.
This can put deep insights into users' private lives into the hands of strangers, and often happens without users' awareness or explicit consent.
This paper investigates whether and to what extent consent is implemented in mobile apps.
arXiv Detail & Related papers (2021-06-17T11:44:49Z) - An Empirical Study on User Reviews Targeting Mobile Apps' Security &
Privacy [1.8033500402815792]
This study examines the privacy and security concerns of users using reviews in the Google Play Store.
We analyzed 2.2M reviews from the top 539 apps of this Android market.
It was evident from the results that the number of permissions that the apps request plays a dominant role in this matter.
arXiv Detail & Related papers (2020-10-11T02:00:36Z) - Emerging App Issue Identification via Online Joint Sentiment-Topic
Tracing [66.57888248681303]
We propose a novel emerging issue detection approach named MERIT.
Based on the AOBST model, we infer the topics negatively reflected in user reviews for one app version.
Experiments on popular apps from Google Play and Apple's App Store demonstrate the effectiveness of MERIT.
arXiv Detail & Related papers (2020-08-23T06:34:05Z) - Mind the GAP: Security & Privacy Risks of Contact Tracing Apps [75.7995398006171]
Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy.
We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts.
arXiv Detail & Related papers (2020-06-10T16:05:05Z) - Decentralized Privacy-Preserving Proximity Tracing [50.27258414960402]
DP3T provides a technological foundation to help slow the spread of SARS-CoV-2.
System aims to minimise privacy and security risks for individuals and communities.
arXiv Detail & Related papers (2020-05-25T12:32:02Z) - Decentralized is not risk-free: Understanding public perceptions of
privacy-utility trade-offs in COVID-19 contact-tracing apps [13.240901989243104]
We present a survey study that examined people's willingness to install six different contact-tracing apps.
We found that the majority of people in our sample preferred to install apps that use a centralized server for contact tracing.
We also found that the majority of our sample preferred to install apps that share diagnosed users' recent locations in public places to show hotspots of infection.
arXiv Detail & Related papers (2020-05-25T07:50:51Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.