Exploring Personal Data Processing in Video Conferencing Apps
Abstract
1. Introduction
- Libraries can abuse the privileges granted to the host applications.
- Libraries can track users.
- Libraries can aggregate multiple signals for detailed user profiling, even from different host apps that are installed on the user’s device (known as the intra-library collusion problem [10]).
2. Preliminaries
2.1. The Notions of Privacy and Personal Data Protection
- The Android ID, which is a permanent 64-bit randomly generated number.
- The Google Advertising ID (GAID), which is a 32-digit alphanumeric identifier that can be reset at any time by the user.
2.2. Privacy and Data Protection Issues in Android Applications
- Normal permissions: these cover areas where an application needs to access data or resources outside its sandbox but there is a low risk to the user’s privacy or the operation of other applications.
- Signature permissions: these are granted only if the application that requests the permission is signed with the same certificate as the application that declared the permission.
- Dangerous permissions: these cover areas where an application requests access to data or resources that involve the user’s private information and could potentially affect the user’s stored data or the operation of other applications.
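As an added illustration of these three protection levels (example code written for this page, not the paper's own material and not the code of any tool it discusses), the following Python script reads an app's AndroidManifest.xml, classifies every requested permission, and flags the dangerous ones, which is the kind of output a static permission analyzer produces. The manifest, the package name com.example.videocall and the platform permission subsets are constructed for the example.

```python
"""Classify the permissions an Android app requests in its manifest
(added example; not the paper's code nor that of any analysis tool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: illustrative subsets of the platform permissions, taken from the
# public Android documentation of protection levels; not an exhaustive list.
PLATFORM_DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.BLUETOOTH_SCAN",
    "android.permission.GET_ACCOUNTS",
}
PLATFORM_NORMAL = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed manifest for a hypothetical video-calling app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videocall">
  <permission android:name="com.example.videocall.permission.CALL_EVENTS"
              android:protectionLevel="signature" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.RECORD_AUDIO" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="com.example.videocall.permission.CALL_EVENTS" />
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
</manifest>"""


def _level_from_attr(value):
    """Normalize android:protectionLevel ("signature|privileged", "0x2", ...)
    to one of the three base levels."""
    numeric = {"0x0": "normal", "0x1": "dangerous", "0x2": "signature"}
    base = value.split("|")[0].strip().lower()
    return numeric.get(base, base)


def classify_permissions(manifest_xml):
    """Return {"dangerous": [...], "normal": [...], "signature": [...], "unknown": [...]}."""
    root = ET.fromstring(manifest_xml)
    # Custom permissions declared by the app carry their protection level inline.
    declared = {}
    for el in root.iter("permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            declared[name] = _level_from_attr(el.get(ANDROID_NS + "protectionLevel", "normal"))
    buckets = {"dangerous": [], "normal": [], "signature": [], "unknown": []}
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if not name:
            continue
        if name in PLATFORM_DANGEROUS:
            buckets["dangerous"].append(name)
        elif name in PLATFORM_NORMAL:
            buckets["normal"].append(name)
        elif name in declared:
            buckets.setdefault(declared[name], []).append(name)
        else:
            # Third-party or platform permissions outside our subsets: review by hand.
            buckets["unknown"].append(name)
    return {level: sorted(names) for level, names in buckets.items()}


def report(manifest_xml):
    """Human-readable listing; dangerous permissions are marked with '!!'."""
    buckets = classify_permissions(manifest_xml)
    lines = []
    for level in ("dangerous", "signature", "normal", "unknown"):
        for name in buckets.get(level, []):
            flag = "!!" if level == "dangerous" else "  "
            lines.append(f"{flag} {level:<10} {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST))
```

Permissions that fall into the "unknown" bucket are the ones worth a manual look: they are either declared by another app (for example a push-notification provider) or outside the subsets embedded here, so their protection level cannot be decided from the manifest alone.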
- The processing of personal data is often not limited to the bare minimum. For example, an app should be allowed to access a phone’s sensors (location, camera, microphone, etc.) and the data stored on the user’s device (pictures, contacts, etc.) only when this is relevant for the proper functioning of the app, e.g., it is acceptable for a weather app to request permission to access a device’s location, but access to the exact location seems unnecessary.
- Confidentiality of personal data is insufficient. For example, encrypting all communications should be a prerequisite (which is not always the case); however, even this may not be sufficient. An app should at least use certificate pinning or preinstalled keys to prevent man-in-the-middle attacks on encrypted sessions (see, e.g., [20]). Moreover, users should be fully aware of what encryption means: for example, if an end-to-end encryption scheme is not used, the app provider is technically able to decrypt and read the data. Additionally, it should be made clear whether or not metadata are encrypted.
- There are insufficient mechanisms to allow users to control their data processing. Apart from the aforementioned intra-library collusion issue, users should have clear and free choices when providing consent; for example, deceptive designs and manipulative patterns that “force” users to provide consent (such as pre-checked boxes) are highly problematic. Moreover, when an app requests permission to access a device’s sensors (location, camera, microphone, etc.) and/or locally stored data, the app should still work, possibly with limited functionality, even when the user does not agree to this access.
3. Previous Work
4. Research Methodology
4.1. Contribution of This Work
4.2. Research Questions
- Do these applications collect only data that are absolutely necessary? Are any required permissions fully justified?
- What types of data are being leaked to third parties through the use of these apps?
- Are all these processes fully transparent to the users, i.e., is clear and comprehensive information provided about the underlying processing of personal data?
4.3. The Testing Environment
- Exodus, which is supported by a French non-profit organization, can statically analyze Android applications by looking for embedded trackers and listing them as an output report. In addition, this tool presents the permissions that are being requested by an app and highlights the dangerous permissions.
- Lumen is at the core of the ICSI Haystack project and is an initiative of independent academic researchers. After installation, the Lumen app uses Android’s VPN permission to analyze the outgoing traffic of the applications installed on the device; the VPN thus acts as middleware between the applications and the packets they send, identifying their endpoints. In order for Lumen to read and analyze outgoing traffic that is encrypted with TLS, the installation of a TLS certificate is required. Through the analysis, users can see the personal data that an application collects, block unwanted flows, and configure the application permissions so that they have better control over their personal data. This tool has been used in several studies to analyze smart apps with respect to privacy issues (see, e.g., [38,39]).
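The dynamic analysis described above works on captured outbound requests. As an added example, not Lumen's code and not the paper's own, the following Python script applies the same idea to a handful of flow records: it maps destination hosts to tracker names by domain suffix and scans request paths and bodies for device identifiers of the kinds discussed in this paper (Android ID, GAID, BSSID, e-mail address). The flow records, the package names com.example.chat and com.example.messenger, the host names and the tracker domain map are all assumptions constructed for the example.

```python
"""Scan captured outbound app traffic for device identifiers sent to
third-party trackers (added example; not Lumen's or the paper's code)."""
import re
from dataclasses import dataclass

# Assumption: an illustrative subset of tracker endpoints. A real pipeline would
# use a maintained tracker signature list rather than two hard-coded domains.
TRACKER_DOMAINS = {
    "app-measurement.com": "Google Firebase Analytics",
    "crashlytics.com": "Google Crashlytics",
}

# Identifier shapes commonly seen in telemetry payloads.
IDENTIFIER_PATTERNS = {
    "android_id": re.compile(r"\b[0-9a-f]{16}\b", re.I),  # 64-bit value as hex
    "gaid": re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I),
    "bssid": re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I),  # Wi-Fi AP MAC
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


@dataclass
class Flow:
    app: str   # package name of the sending app
    host: str  # destination host name
    path: str
    body: str


# Constructed flow records in the shape a VPN-based capture would produce.
SAMPLE_FLOWS = [
    Flow("com.example.chat", "app-measurement.com", "/a",
         "aid=9f86d081884c7d65&gaid=3f2504e0-4f89-11d3-9a0c-0305e82c3301&os=13"),
    Flow("com.example.chat", "api.example-chat.test", "/v1/login",
         "email=alice@example.org&token=redacted"),
    Flow("com.example.messenger", "firebase-settings.crashlytics.com",
         "/spi/v2/platforms/android", "bssid=a4:5e:60:c1:2b:77&model=Pixel"),
    Flow("com.example.messenger", "cdn.example-chat.test", "/static/logo.png", ""),
]


def find_identifiers(text):
    """Return {kind: [matches]} for every identifier pattern that fires."""
    found = {}
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[kind] = matches
    return found


def tracker_for(host):
    """Map a destination host to a tracker name by domain suffix, or None."""
    host = host.lower()
    for domain, name in TRACKER_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def analyze_flows(flows):
    """Annotate each flow with the tracker it reaches and the identifiers it carries."""
    results = []
    for flow in flows:
        results.append({
            "app": flow.app,
            "host": flow.host,
            "tracker": tracker_for(flow.host),
            "identifiers": find_identifiers(flow.path + " " + flow.body),
        })
    return results


def third_party_leaks(flows):
    """Only the flows where identifiers leave the device for a known tracker.
    First-party traffic carrying identifiers (e.g. a login) is not reported."""
    return [(r["app"], r["tracker"], sorted(r["identifiers"]))
            for r in analyze_flows(flows) if r["tracker"] and r["identifiers"]]


def trackers_by_app(flows):
    """Per-app list of trackers contacted, the view Section 5.2-style tables give."""
    seen = {}
    for r in analyze_flows(flows):
        if r["tracker"]:
            seen.setdefault(r["app"], set()).add(r["tracker"])
    return {app: sorted(names) for app, names in sorted(seen.items())}


if __name__ == "__main__":
    for app, tracker, kinds in third_party_leaks(SAMPLE_FLOWS):
        print(f"{app} -> {tracker}: {', '.join(kinds)}")
```

The e-mail address in the login flow is deliberately not reported: it goes to the app's own backend, which the privacy policy is expected to cover, whereas the Android ID, GAID and BSSID go to third-party endpoints and are exactly the data a policy should name. The 16-hex-character Android ID pattern is loose on purpose and will also match other hashes of that length, so a hit is a lead for manual review rather than a verdict.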
5. Results
5.1. Permissions Analysis of the Video Conferencing Apps
5.2. Trackers Analysis of the Video Conferencing Apps
Relationships with Other Apps
5.3. Analyzing the Data Flow from the Video Conferencing Apps
5.4. Transparency of the Processing
- Discord: The privacy policy (https://discord.com/privacy (accessed on 28 December 2022)) classifies the personal data that the app processes into two main categories:
  - (a) Data provided by the user to the company, such as account information, content created by the user, etc.
  - (b) Data automatically collected by the company, such as information about the user’s device (e.g., the IP address, operating system information, browser information, and device settings related to the microphone and/or camera) and information about the use of the app or website when the user utilizes one of the company’s services. Additionally, there may be other cases; for example, when the user clicks on an ad on a third-party platform on which the company advertises for Discord, the company may receive information about which ad the user saw and on which platform.
The Discord privacy policy also describes all the purposes of the data processes that take place and the legal basis for each purpose; however, there is no explicit mapping of each purpose to the exact user data processed. Moreover, although Discord’s privacy policy states that the user may be able to configure their privacy settings, it seems that the data protection by default principle may not always be present; for example, the privacy policy states that “If you turn off the “Use data to improve Discord” setting, we will stop collecting and using certain event and log information to help us understand how users use our services, what features or products they may want, or to otherwise improve our services”, which implies that this option is activated by default. Regarding third-party trackers, the relevant information in Discord’s privacy policy states that “We may share information with vendors we hire to carry out specific work for us (...) We may also share limited information with advertising platforms to help us reach people that we think will like our product and to measure the performance of our ads shown on those platforms. We do this to help bring more users to Discord, and provide only the information required to facilitate these services. This may include information like the fact that you installed our app or registered to use Discord.” Given the number of embedded trackers found in the dynamic analysis, it is unclear exactly which user information is being sent to which third parties.
- Element: The privacy policy (https://element.io/privacy (accessed on 28 December 2022)) states that the company collects information when the user registers for an account, including their email address, an identified authentication (which is further explained in the policy), their password (stored in a salted hashed form with a server-side pepper secret), their Twitter id, and their Google id. Additionally, the company may collect the user’s location data if the user chooses to use static or live location-sharing features within the app. Moreover, the company collects the user’s IP address to support operational maintenance and protect against malicious actions against its infrastructure. The company also uses analytics services that are hosted entirely within the company’s network and states explicitly that it does not share any analytics data with third parties. In principle, Element’s privacy policy and the app itself are consistent with the findings of our dynamic analysis of the app, that is, it does not contain any trackers.
- KakaoTalk: The privacy policy (https://www.kakao.com/policy/privacy (accessed on 28 December 2022)) defines some data that are always collected, including basic personal information such as the user’s email address, password, name (nickname), profile picture, list of friends, contacts, and history of service usage, among others. The purposes of the data processes are explicitly stated and include a description of each process involving personal data. The policy also states that some other information may be collected during the use of the provided services, such as the operating system, screen size, device ID, and IP address, among others. According to the policy, the company does not provide personal information to any third party without the user’s consent or unless demanded by law. However, there is a reference to pseudonymized data that cannot identify an individual, which may be used for archiving, scientific research, or statistical purposes. According to the findings of our dynamic analysis, the app sends data to the Crashlytics tracker, which is an analytics service. However, it is unclear whether the data that are sent to this tracker are indeed pseudonymous or what level of pseudonymization is applied to them.
- Line: The privacy policy (https://line.me/en/terms/policy/ (accessed on 28 December 2022)) classifies the data processing with respect to data that are automatically collected by the app provider (such as information provided during the user’s registration process, e.g., the user’s phone number, as well as information collected externally, e.g., information collected by an app plug-in installed in a third-party app such as “Like”) and data that are optionally provided by the user, such as those in the context of the “Auto Add Friends” feature, which automatically adds friends to the app’s services when the user uploads information about their friends from their device’s address book. An interesting point in Line’s privacy policy is that the app provider may disclose public information containing personal data in news published on the Internet. The purpose of this processing is not clearly stated in the policy. Additionally, according to the policy, the app may collect the location information of the user’s device when the user shares their location information with friends in order to provide optimized search results or customized content or ads. If the user does not agree to share their location information, the app’s policy states that the app may approximate the user’s location from network information such as their IP address. With regard to the use of third-party modules, the policy states that the app may use modules from a third-party software development kit (SDK) in its services to analyze the usage of its services or distribute ads and measure their effectiveness. Moreover, the policy states that in cases where data are being processed by a third party through a module provided by that third party, the privacy policy of that third party applies. A list of these third parties is provided, which includes, among others, companies such as Google, Firebase, and Facebook. Interestingly, the exact data collected by each of them and the purpose of the processing are not clearly stated.
- Messenger: The privacy policy (https://www.facebook.com/policy.php (accessed on 28 December 2022)) contains text that is common to all apps provided by Meta, which could be considered a possible weak point since the user may not have a clear understanding of the personal data processed by each app. In any case, this general privacy policy classifies the personal data that are collected into four main categories:
  - (a) The user’s activity and the information provided by the user (with an emphasis on the fact that the company cannot see the content of end-to-end encrypted messages). Metadata are also included in this category.
  - (b) The user’s friends, followers, and other connections. In this regard, the policy states that the company also collects information on the user’s contacts; interestingly, this information may be collected even if the user’s contacts do not use Meta products.
  - (c) The app, browser, and device information, including the type of device, details about its operating system, the battery level, identifiers that can distinguish the user’s device from other users’ devices, the IP address, and device signals such as GPS, Bluetooth, and nearby Wi-Fi access points.
  - (d) Information from partners, vendors, and third parties.
The policy states that the user’s data are used to provide, personalize, and improve the company’s products. These goals are further classified into sub-goals, including the provision of measurements, analytics, and business services. Moreover, the policy has a separate section on partners, which are classified as advertisers and audience network publishers, partners who use the company’s analytics services, partners who offer goods or services on the company’s commercial platforms, and integrated partners. The policy also explains, in detail, the relevant legal basis for each type of data processing; however, a detailed description of which personal data are used for each purpose is unavailable.
- Phoenix: The Phoenix app is a Facebook wrapper that shows Facebook and Messenger in a mobile-friendly web interface. It offers in-app messages, calls, and video calls, providing the user with the same aesthetics as the original Facebook app. The privacy policy of Phoenix was available during the time of our initial dynamic analysis at privacy.unimania.xyz/privacy_policy_pnx.html (accessed on 12 February 2022); however, by November 2022, when we re-examined the privacy policies, this link had become inactive. We later found the app’s privacy policy at https://www.apkmirror.com/apk/unimania/phoenix-facebook-messenger/ (accessed on 4 January 2023), which states that the company collects anonymous, non-personal user demographics and ad data for market research purposes only, to gain special advertising-related insights and conduct analyses for brands that work with the company. The company does not collect, store, use, share, or sell any of the user’s personal information. However, it appears that this policy is not fully consistent with our findings, since the app includes third-party trackers and collects the build fingerprint of the device. Neither of these can directly identify the user and they are not considered high-risk processes; however, this information can still be considered personal and not anonymous data.
- Session: The privacy policy (https://getsession.org/privacy-policy (accessed on 28 December 2022)) is very brief and states that the app does not know who the user is, who they are talking to, or the contents of messages, as it does not collect or share any personal information. The policy also states that the app does not store any identifying information about the user’s device, such as the IP address or the user agent, or any personal data such as the user’s phone number, e-mail address, or any information tied to the user’s real identity when they create a Session account. The above points are consistent with our findings that Session does not use any trackers.
- Signal: The privacy policy (https://signal.org/legal/#privacy-policy (accessed on 28 December 2022)) begins by stating that “Signal is designed to never collect or store any sensitive information. Signal messages and calls cannot be accessed by the company or other third parties because they are always end-to-end encrypted, private, and secure”. The policy, which is quite brief, also states that a user’s phone number is needed when they create an account and that additional optional data, such as the user’s photo, may also be processed. Moreover, Signal’s policy states that the app can optionally determine which contacts in the user’s address book are Signal users by using a service designed to protect the privacy of the contacts based on cryptographic hashes. Specifically, as stated on a dedicated web page (https://signal.org/blog/contact-discovery/ (accessed on 28 December 2022)), Signal addresses this problem by utilizing Bloom filters to explore contact lists and identify users that also use Signal while preserving users’ privacy. There is also a reference to third parties, and the policy states that the company works with third parties to provide some of its services. For example, these third-party providers send a verification code to the user’s phone number when they register. These providers are bound by their privacy policies to safeguard that information. No other information is provided about third parties, which is consistent with our findings that the app contained no trackers.
- Skype and Teams: These are two Microsoft apps and, although they are intended for different uses (Teams is geared toward professional/academic activities), they share the same privacy policy (https://privacy.microsoft.com/en-us/privacystatement (accessed on 28 December 2022)). As in the case of Meta’s general privacy policy, this could be considered a weak point with respect to the clarity of the information provided to users. According to the policy, the company collects data from users by interacting with them and through the company’s products. The data collected by the company depend on the context of the user’s interactions with the company and their choices, including the privacy settings, products, and features used. The company also obtains user data from third parties. Moreover, the policy describes a list of purposes for data processing (including targeted advertising, among others) and states that, to carry out these purposes, it combines data from different contexts (for example, when a user uses two Microsoft products) or obtains data from third parties to provide the user with “a more seamless, consistent, and personalized experience in order to make informed business decisions, as well as for other legitimate purposes”. There is also a reference to automated processes based on artificial intelligence techniques. The policy includes several other sections such as “cookies and similar technologies” and “Microsoft account”. However, as stated above, the policy is generic and does not explicitly state which personal data are used by each app, for what purpose, or on which legal basis personal data are processed. Thus, despite the generic statement in the policy that the user has control over their data usage, it is uncertain whether the apps meet the data protection by design and by default principles.
- Telegram: The app’s privacy policy (https://telegram.org/privacy (accessed on 28 December 2022)) begins by stating two privacy principles: (1) the company does not use the user’s data to customize ads, and (2) the company only stores the data that Telegram needs to function as a secure and feature-rich messaging service. According to the policy, the personal data used by the app include the basic account details (telephone number, e-mail address, account name, etc.), messages exchanged through cloud chats (which are stored on its servers and encrypted using cryptographic keys stored in separate data centers) or secret chats (which use end-to-end encryption; thus, there is no way for the company or anybody else without direct access to the user’s device to discover the content of those messages, and the company does not store secret chats or logs of messages sent in secret chats), and the user’s contacts, for which consent is requested before synchronization. Moreover, if the user shares their location in a chat, this location data is treated the same as the content of other messages in cloud or secret chats. The policy also provides a list of the purposes for which the user’s data are processed and explicitly states that the company does not use the user’s data for ad targeting or other commercial purposes. However, as described above, our experiments showed that there is a tracker in the app, namely Google Firebase Analytics, which is not explicitly stated in the app’s privacy policy.
- Viber: The app’s privacy policy (https://www.viber.com/en/terms/viber-privacy-policy/ (accessed on 28 December 2022)) presents a list of all personal data that are collected by the company, including several types of identifiers (such as device and network identifiers) and GPS-based location, depending on the user’s agreement. The policy explicitly states that some personal data are collected automatically from the user’s device through device-identifying technologies. To this end, the policy clarifies that cookies and tracking technologies are used for advertising and marketing purposes and provides a list of all third parties that are involved in the data processing; however, they are mainly presented in the “cookies” section of the privacy policy, thus implying that they are related to third-party cookies rather than other tracking mechanisms. Moreover, the policy describes the purposes of all the data processes and, interestingly, for each purpose there is a description of the types of personal data that are needed (a feature that is not common in other policies). However, these descriptions are somewhat generic. For example, with respect to the advertising purpose, the policy states that the company shares different types of personal data, which may include a device identifier and the user’s age range, inferred gender, and reduced IP address (or GPS location data if the user allows this), with third-party advertising partners for the purpose of presenting personalized ads. However, an exact reference to the processing of the BSSID that was captured by our dynamic analysis is missing from the information provided to users.
- Webex Meet: A generic privacy policy (https://www.cisco.com/c/en/us/about/legal/privacy.html (accessed on 28 December 2022)) is provided by the company (Cisco). In this generic policy, the description of the user’s personal data that are processed by the company is also quite generic. The policy states that “We collect personal information for a variety of reasons, which may include processing your order, providing our various websites and other products and services (“Solutions”), providing you with a newsletter subscription, sending business and marketing communications, personalizing your experience, and processing job applications” and “We may also collect information relating to your use of our websites and web-based Solutions through the use of various technologies, including cookies”. However, the generic policy contains links to more specific privacy policies, where a privacy datasheet is available (https://trustportal.cisco.com/c/dam/r/ctp/docs/privacydatasheet/collaboration/cisco-webex-meetings-privacy-data-sheet.pdf (accessed on 28 December 2022)) that describes the processing of personal data by Webex Meet. This datasheet contains a detailed description, along with the purposes, of the personal data that are processed. There is also an explicit reference to the sub-processors, i.e., service providers, contractors, or authorized third parties that assist in providing and improving the services. The datasheet also contains a detailed description of all the third parties, the personal data that are processed by each of them, and for what purposes. Moreover, for each case, information is also provided about the location where the data are stored.
- WeChat: There are two privacy policies for this app—one for users whose phone numbers are not the China country code and another for China-based users. Here, we focus on the first privacy policy, which is available at https://www.wechat.com/mobile/htdocs/en/privacy_policy.html#pp_how (accessed on 28 December 2022). This policy is quite detailed with respect to the personal data that are collected and further processed, as well as for what purposes and on which legal basis the data are used. Additionally, the data retention period is also provided. However, there may be some concerns with respect to data protection by design and by default. For example, regarding location data, the policy defines that “location data is information that is derived from your GPS (GPS coordinates), WiFi (approximate city location), IP address (country location), or public posts that contain location information (the location you geo-tag)”, while the legal basis for processing these data is that it is necessary to fulfill the contract; however, the policy also states that the user may disable the collection and use of their location data through device-level settings, thus rendering the necessity of collecting such data questionable. With respect to data transfers to third parties, the policy states that the company engages with service providers to supply services to support or improve the app and that the company may share with advertising partners reports about the trends and performance of their advertisements to help them better understand their audience. To this end, the policy states that the company does not share information that personally identifies the user, such as their name or email address, unless the user consents to this. Along the same line, the policy also states that the company may pseudonymize or aggregate personal information for analytical purposes to provide to third-party service providers. There is no explicit reference to the names of these providers (our analysis found, for example, the existence of the Google Firebase Analytics tracker), and there is also no explicit information about the types of pseudonymized/aggregated information provided to them. Finally, our analysis illustrated that the app requests the permission (it is the only app requiring this access), and this data process is not explained in the app’s privacy policy.
- Whatsapp: The app’s privacy policy (https://www.whatsapp.com/legal/privacy-policy-eea (accessed on 28 December 2022)), which begins with a generic statement that the app provides end-to-end encryption and that this will never change, is quite detailed in a structured way, presenting the purposes for which data are being processed and the types of personal data that are processed for each purpose, as well as the relevant legal basis. Interestingly, apart from this detailed description, there is also a more general section of the policy that explains in simple words what personal data the company generally collects and why. This generalized text identifies the following cases with respect to personal data collection:
  - Information that the user provides. This includes account information and user content, as well as the user’s connections (if the user makes use of the contact upload feature; the policy states that if any of the user’s contacts are not yet using the service, the company will manage this information in a way that is designed to ensure that those contacts cannot be identified).
  - Automatically collected information. This includes device and connection information (as a special case, it is explicitly mentioned that this includes identifiers unique to Meta products associated with the same device or account) and general location information (for precise location information, the user must provide consent).
  - Information that third parties provide about the user. This includes data processed by the company through the aforementioned contact upload feature, as well as cases where users report other users (e.g., for violation of terms).
  - Information shared by the user and by WhatsApp with third parties. This includes third-party service providers, but these third parties, as described in the app’s privacy policy, do not include advertising or analytics companies. In terms of the latter, the policy states that the company works with other Meta companies in the UK, Israel, and the United States that provide business analytics services.
The above points are consistent with our findings. Of course, in such a complex data processing framework with the many services provided, the fulfillment of the data protection by design and by default principles needs to be very cautiously assessed. In any case, the privacy policy seems to present all the necessary information.
- Wire: The app’s privacy policy (https://wire.com/en/legal/ (accessed on 28 December 2022)) is very different from the other privacy policies since it does not contain detailed information about which personal data are processed or for what purposes. However, the app’s provider presents the characteristics of the app that make it privacy friendly, and the policy states that there is always end-to-end encryption, meaning that each device and user access request is fully authenticated, authorized, and encrypted before access is granted. In addition, the policy states that there are no ads, and thus, the user’s personal data and the content of their conversations will never be sold or shared with anyone, nor will they ever be used by any third-party advertiser. The above points are generally consistent with our findings, since no tracker was found through our analysis and Wire requests a relatively small number of high-risk permissions. In any case, even if the data processing is generally privacy friendly—and it is also highly possible that the data minimization principle is fulfilled—sufficient information should be provided to users.
- Zalo: Zalo’s privacy policy (https://zalo.me/zalo/policy/ (accessed on 28 December 2022)) is the briefest of all the privacy policies we examined in this work. It consists of three very compact sections. The first briefly describes the information the company collects, that is, information about the user’s account, device information such as the hardware model, location information, and information about the user’s contacts (address book). The latter is stored on the company’s servers to optimize the app experience. The second section briefly describes how the collected information is used (no advertising or statistics purposes are given therein). The third section concerns how the company shares the information, and it simply states that encryption is used and that the information is not shared with any third parties. The privacy policy is so compact that it is very difficult to claim that sufficient information is provided to users. It is unclear exactly which personal data are collected and on what legal basis (e.g., whether some data are collected only after the user provides consent). Moreover, our analysis found that this app contained five trackers, and this is not reflected in the privacy policy. In addition, the fact that the contact list is, by default, stored on the company’s servers raises some concerns regarding the fulfillment of the data protection by default principle.
- Zoom: The app’s privacy policy (https://explore.zoom.us/en/privacy/ (accessed on 28 December 2022)) contains several sections. The first section describes the types of personal data that are generally collected. This includes the device information, described in a way that is consistent with the high-risk permissions required, i.e., this device information “may include information about the speaker, microphone, camera, OS version, hard-disk ID, PC name, MAC address, IP address (which may be used to infer the general location at a city or country level), device attributes such as the operating system version and battery level, WiFi information, and other device information such as Bluetooth signals”. The second section contains a description of how the personal data are used and includes an explicit reference to marketing, promotions, and third-party advertising. However, there is no explicit mapping between the first two sections, i.e., between the types of personal data that are used and the purposes for which they are used. There is another section in the policy concerning data sharing, which states that the company uses third-party marketing, advertising, and analytics providers. Moreover, there is a specific section about the cases in which European law (such as the GDPR) is applicable (including the legal basis for each data process and users’ rights). However, there is no explicit mapping of the purposes of the data processes described in the policy to the corresponding legal bases.
- Whether the privacy policy provides a detailed description of the types of personal data that are collected and further processed and for what purposes;
- Whether there is a detailed description of the third parties that collect data and which data are collected by which provider and for what purposes;
- Whether the results of our static and dynamic analysis of the apps are consistent with the app’s corresponding privacy policy.
5.5. Security Aspects
6. Discussion
- In their privacy policies, all the apps describe the types of personal data they process and the purposes of the data processes. However, in many cases, the exact types of personal data are not explicitly stated (e.g., only general categories are given, such as “we process account information, device information”, etc.). Moreover, in the majority of cases, there is no explicit mapping between the personal data that are processed and the purpose of the processing, i.e., users cannot tell which of their data are used for which purpose(s).
- The corresponding legal basis for each data process is not always explicitly stated (some privacy policies do provide this information, but not always in a comprehensive way, e.g., by associating a specific data process with a specific legal basis). Therefore, it is not obvious whether or not some processes require the user’s consent (i.e., whether the legal basis is the user’s consent).
- Further to the previous issue, it seems that there are cases where some specific data processes are enabled by default and the user is simply informed that they can disable these processes if desired. The idea that these processes rely on the user’s consent is inaccurate since the processes are initially activated without the user providing explicit consent prior to the start of the process. Such cases also raise concerns regarding the fulfillment of the data protection by default principle.
- When permission is requested by an app, it is not always clear to the user which specific data processes are associated with which high-risk Android permissions. Although the need to grant access to these permissions is clear in many cases (e.g., access to the camera is needed for a video call), some permissions seem to be necessary only for specific processes or, even worse, their necessity is not clear at all. More generally, each of these permissions should be mapped to one or more data processes with well-determined characteristics (i.e., which personal data are needed for these processes, what are the legal bases, etc.); however, this type of mapping is not reflected in the privacy policies.
- In a few cases (see Table 4), we identified some underlying personal data processes that are not defined, either clearly or at all, in the corresponding privacy policies.
- It is not always clear who the exact third parties are that collect personal data or for what purposes. Even in the few cases where third parties are explicitly stated, it is not clear which personal data they collect, and the issue of third-party libraries inheriting the privileges of the host app is absent from all privacy policies.
- Further to the previous issue, our analysis showed that in a few cases there are data leaks to third parties without the users being informed about this.
- A few privacy policies state that when users’ data are transmitted to third parties, the relevant privacy policies of those parties apply. However, such cases should be meticulously studied; if data are transmitted to third parties by a VCA provider, it is questionable whether the VCA provider can simply refer to the privacy policies of these parties, especially if the users do not have the option to object to this transmission.
- Some privacy policies characterize device data that do not allow for the easy (at least direct) identification of the user as anonymous information; however, under the GDPR provisions these data are still personal data, and even if the corresponding processes are not high risk, it should be made clear that such device information is considered personal data.
- A few large companies that provide several different types of applications with different scopes adopt a unified privacy policy that covers all these applications. However, in this approach, it is difficult to ensure that users who only use a specific application provided by these companies receive the appropriate information about personal data processing.
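The leaks raised in the preceding points (device identifiers reaching third-party SDK endpoints, frequently described in policies as anonymous) are what the dynamic-analysis step behind Table 4 detects by inspecting the app’s outgoing traffic. The following Python script is an added example written for this page; it is not code from the paper or from any of the apps studied. It assumes requests have already been captured in plaintext (e.g., through a local VPN or an intercepting proxy with a trusted CA) and embeds a constructed capture with hypothetical identifier values and hostnames. It matches each identifier in raw and hashed form, which is the practical reason a hashed Android ID or BSSID should not be treated as anonymous data: it remains a stable key for the same device.

```python
"""Detect device identifiers leaking in captured app traffic.

Added example, not code from the paper or from any app it studies. Given
plaintext requests recovered from a test device and the device's own
identifiers, report which identifier reached which host, raw or hashed.
Every request and identifier value below is constructed for the example.
"""
import hashlib
from urllib.parse import parse_qsl, urlsplit

# Constructed identifiers of the test device (hypothetical values).
DEVICE_IDS = {
    "android_id": "9774d56d682e549c",
    "gaid": "38400000-8cf0-11bd-b23e-10b96e40000d",
    "bssid": "00:11:22:33:44:55",
    "build_fingerprint": "google/sunfish/sunfish:13/TQ1A.230105.002/9325679:user/release-keys",
    "private_ip": "192.168.1.23",
    "serial": "R58M12ABCDE",
}

# Digests SDKs commonly send in place of the raw value; a hashed persistent
# identifier is still a persistent identifier, so it is reported as a leak.
HASHES = ("md5", "sha1", "sha256")


def id_variants(value):
    """Raw value plus its common digest forms, keyed by form name."""
    variants = {"raw": value}
    for name in HASHES:
        variants[name] = hashlib.new(name, value.encode()).hexdigest()
    return variants


def _searchable_text(req):
    """Flatten URL, decoded query, headers and body into one lowercase string."""
    parts = urlsplit(req["url"])
    chunks = [req["url"]]
    # Decode percent-encoded query and form bodies so "00%3A11..." still matches.
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        chunks.append(f"{k}={v}")
    for k, v in req.get("headers", {}).items():
        chunks.append(f"{k}: {v}")
    body = req.get("body", "")
    chunks.append(body)
    for k, v in parse_qsl(body, keep_blank_values=True):
        chunks.append(f"{k}={v}")
    return "\n".join(chunks).lower()


def scan_request(req, ids=DEVICE_IDS):
    """Return the set of (identifier_name, form) pairs present in one request."""
    haystack = _searchable_text(req)
    found = set()
    for name, value in ids.items():
        for form, needle in id_variants(value).items():
            if needle.lower() in haystack:
                found.add((name, form))
    return found


def leak_report(requests, ids=DEVICE_IDS):
    """Map each destination host to the sorted identifiers it received."""
    report = {}
    for req in requests:
        hits = scan_request(req, ids)
        if hits:
            host = urlsplit(req["url"]).hostname
            report.setdefault(host, set()).update(hits)
    return {host: sorted(hits) for host, hits in sorted(report.items())}


# Constructed capture: one first-party call and two third-party SDK calls.
SAMPLE_TRAFFIC = [
    {
        "url": "https://api.example-vca.test/v1/session",
        "headers": {"Authorization": "Bearer constructed-token"},
        "body": '{"room": "standup"}',
    },
    {
        # Analytics SDK: Android ID as an MD5 digest, BSSID raw but percent-encoded.
        "url": "https://collect.analytics-sdk.test/event?aid="
        + hashlib.md5(DEVICE_IDS["android_id"].encode()).hexdigest()
        + "&wifi=00%3A11%3A22%3A33%3A44%3A55",
        "headers": {"User-Agent": "analytics-sdk/4.2"},
        "body": "",
    },
    {
        # Crash-reporting SDK: build fingerprint and private IP in a JSON body.
        "url": "https://ingest.crash-sdk.test/report",
        "headers": {"Content-Type": "application/json"},
        "body": '{"fingerprint": "google/sunfish/sunfish:13/TQ1A.230105.002/9325679:user/release-keys", '
        '"local_ip": "192.168.1.23"}',
    },
]

if __name__ == "__main__":
    for host, hits in leak_report(SAMPLE_TRAFFIC).items():
        print(host, ", ".join(f"{name} ({form})" for name, form in hits))
```

On the constructed capture the first-party host is clean, the analytics host receives the Android ID (MD5) and the BSSID, and the crash-reporting host receives the build fingerprint and the private IP. In a real assessment the identifier dictionary is read off the test device before the capture, and the report is compared against the privacy policy’s list of third parties, which is exactly the consistency check applied in Table 5.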
7. Conclusions
- In all cases, there is no direct mapping of the required Android permissions to the relevant data processes. Therefore, when the user is required to grant access to permissions required by the app, they are not fully aware of whether the permissions are necessary and what happens with their personal data when granting this access. More generally, the app provider does not ensure that all data processes that are taking place by default are indeed necessary.
- There is not always accurate information about the types of data that are being sent to third parties and for what purposes. Furthermore, in a few cases, there are data leaks without any information being provided to the user. It also seems that in some cases, there are some misconceptions with respect to what constitutes anonymous data, and thus data transmitted to third parties (especially to analytics services) are characterized as anonymous, although it is questionable whether this is indeed the case.
- Some privacy policies do not provide details about the types of personal data that are being processed and for what purposes. This observation was more prevalent when data are transferred to third parties. In this context, considering the structure of the Android ecosystem, granting access to an app requiring permission is highly likely to allow access not only to the app provider but also to third parties, and this is not transparent to the users. Therefore, all relevant stakeholders must make efforts to ensure that users are fully and effectively informed about what personal data processes will occur if such access is granted.
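The first conclusion above is that no examined policy maps the requested Android permissions to the data processes they serve. From an auditor’s side, the check that such a mapping would enable is mechanical, and the following Python script is an added example of it; it is not code from the paper or from any VCA’s code base. It parses the permissions an APK declares in its manifest, keeps those at the “dangerous” protection level (the list is abridged from the Android documentation to the groups a VCA typically touches), and reports the ones that a provider-published purpose map does not justify. The manifest excerpt and the purpose map are constructed and hypothetical.

```python
"""Audit an Android manifest for dangerous permissions with no declared purpose.

Added example, not from the paper and not from any VCA's code base. The
manifest excerpt and the provider purpose map below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions with protectionLevel "dangerous" and their runtime permission
# groups, abridged from the Android documentation to those a VCA commonly requests.
DANGEROUS = {
    "android.permission.CAMERA": "CAMERA",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.GET_ACCOUNTS": "CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_CALENDAR": "CALENDAR",
    "android.permission.BLUETOOTH_CONNECT": "NEARBY_DEVICES",
}


def requested_permissions(manifest_xml):
    """Permission names declared via <uses-permission> or <uses-permission-sdk-23>."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(f"{{{ANDROID_NS}}}name")
            if name and name not in names:
                names.append(name)
    return names


def audit(manifest_xml, purpose_map):
    """Split declared permissions into normal, dangerous-with-purpose and dangerous-without."""
    result = {"normal": [], "dangerous_mapped": {}, "dangerous_unmapped": []}
    for perm in requested_permissions(manifest_xml):
        if perm not in DANGEROUS:
            result["normal"].append(perm)
        elif perm in purpose_map:
            result["dangerous_mapped"][perm] = purpose_map[perm]
        else:
            result["dangerous_unmapped"].append(perm)
    result["dangerous_unmapped"].sort()
    return result


# Constructed manifest excerpt for a hypothetical VCA package.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.vca">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission-sdk-23 android:name="android.permission.BLUETOOTH_CONNECT"/>
</manifest>
"""

# Hypothetical provider-published mapping of permission -> data process.
SAMPLE_PURPOSE_MAP = {
    "android.permission.CAMERA": "video during calls",
    "android.permission.RECORD_AUDIO": "audio during calls",
    "android.permission.READ_CONTACTS": "contact discovery, after opt-in",
    "android.permission.BLUETOOTH_CONNECT": "headset routing",
}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_PURPOSE_MAP)
    for perm in report["dangerous_unmapped"]:
        print(f"{perm} ({DANGEROUS[perm]} group): no declared data process")
```

On the constructed input, the location and phone-state permissions come out unmapped: they are requested, they fall in the dangerous protection level, and the provider has declared no data process that needs them. That is the gap the conclusion describes; the check only becomes possible once the provider publishes the mapping.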
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
Abbreviations
| Abbreviation | Meaning |
|---|---|
| ATS | Advertising and Tracking Services |
| BSSID | Basic Service Set Identifier |
| CVE | Common Vulnerabilities and Exposures |
| CVSS | Common Vulnerability Scoring System |
| GDPR | General Data Protection Regulation |
| GPS | Global Positioning System |
| ICSI | International Computer Science Institute |
| ID | Identifier |
| IP | Internet Protocol |
| MAC | Media Access Control |
| OS | Operating System |
| SDK | Software Development Kit |
| TLS | Transport Layer Security |
| VCA | Video Conferencing Application |
| VPN | Virtual Private Network |
References
- Techcrunch. Videoconferencing Apps Saw a Record 62M Downloads during One Week in March. 2020. Available online: https://techcrunch.com/2020/03/30/video-conferencing-apps-saw-a-record-62m-downloads-during-one-week-in-march/ (accessed on 10 November 2022).
- Beauford, M. The State of Video Conferencing in 2022. GetVoIP. 2022. Available online: https://getvoip.com/blog/state-of-conferencing/ (accessed on 7 January 2023).
- Degirmenci, K. Mobile users’ information privacy concerns and the role of app permission requests. Int. J. Inf. Manag. 2020, 50, 261–272. [Google Scholar] [CrossRef]
- European Union Agency for Cybersecurity: Privacy and Data Protection in Mobile Applications—A Study on the App Development Ecosystem and the Technical Implementation of GDPR. 2018. Available online: https://www.enisa.europa.eu/publications/privacy-and-data-protection-in-mobile-applications (accessed on 10 December 2022).
- Wise, J. 40+ Mobile App Statistics 2023: Usage & Downloads Data. Earthweb. 2022. Available online: https://earthweb.com/app-statistics/ (accessed on 10 January 2023).
- Statista. Number of Smartphone Users Worldwide from 2016 to 2021. 2020. Available online: https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/ (accessed on 18 December 2022).
- Statcounter. Mobile Operating System Market Share Worldwide. 2022. Available online: https://gs.statcounter.com/os-market-share/mobile/worldwide (accessed on 20 January 2023).
- Statista. Share of Global Smartphone Shipments by Operating System from 2014 to 2023. 2019. Available online: https://www.statista.com/statistics/272307/market-share-forecast-for-smartphone-operating-systems/ (accessed on 20 January 2023).
- Binns, R.; Lyngs, U.; Van Kleek, M.; Zhao, J.; Libert, T.; Shadbolt, N. Third Party Tracking in the Mobile Ecosystem. arXiv 2018, arXiv:1804.03603v3. [Google Scholar]
- Taylor, V.F.; Beresford, A.R.; Martinovic, I. Intra-Library Collusion: A Potential Privacy Nightmare on Smartphones. arXiv 2017, arXiv:1708.03520v1. [Google Scholar]
- Ren, J.; Lindorfer, M.; Dubois, D.J.; Rao, A.; Choffnes, D.; Vallina-Rodriguez, N. Bug Fixes, Improvements, ... and Privacy Leaks. In Proceedings of the 25th Annual Network and Distributed System Security Symposium (NDSS 2018), San Diego, CA, USA, 18–21 February 2018. [Google Scholar]
- Article 29 Data Protection Working Party. Opinion 02/2013 on Apps on Smart Devices. 2013. Available online: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf (accessed on 1 November 2022).
- Michael, J.; Kuhn, R.; Voas, J. Security or Privacy: Can You Have Both? Computer 2020, 53, 20–30. [Google Scholar] [CrossRef]
- European Union. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation). Off. J. European Union 2016, 119, 1–88. Available online: https://gdpr-info.eu/ (accessed on 1 December 2022).
- Kaminski, M. A recent renaissance in privacy law. Commun. ACM 2020, 63, 24–27. [Google Scholar] [CrossRef]
- Son, S.; Kim, D.; Shmatikov, V. What Mobile Ads Know About Mobile Users. In Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, USA, 21–24 February 2016. [Google Scholar]
- Alshammari, M.; Simpson, A. Towards a Principled Approach for Engineering Privacy by Design. In Privacy Technologies and Policy. APF 2017, LNCS; Schweighofer, E., Leitold, H., Mitrakas, A., Rannenberg, K., Eds.; Springer: Heidelberg, Germany, 2017; Volume 10518, pp. 161–177. [Google Scholar]
- European Union Agency for Cybersecurity. Recommendations on Shaping Technology According to GDPR Provisions—Exploring the Notion of Data Protection by Default. 2019. Available online: https://www.enisa.europa.eu/publications/recommendations-on-shaping-technology-according-to-gdpr-provisions-part-2 (accessed on 1 December 2022).
- Grammatikakis, K.-P.; Ioannou, A.; Shiaeles, S.; Kolokotronis, N. Are cracked applications really free? An empirical analysis on Android devices. In Proceedings of the 16th IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC), Athens, Greece, 12–15 August 2018; pp. 730–735. [Google Scholar]
- Moonsamy, V.; Batten, L. Mitigating man-in-the-middle attacks on smartphones—A discussion of SSL pinning and DNSSec. In Proceedings of the 12th Australian Information Security Management Conference (AISM), Perth, Australia, 1–3 December 2014; pp. 5–13. [Google Scholar]
- Stevens, R.; Gibler, C.; Crussell, J.; Erickson, J.; Chen, H. Investigating User Privacy in Android Ad Libraries. In Proceedings of the IEEE Workshop on Mobile Security Technologies (MoST), San Francisco, CA, USA, 24 May 2012. [Google Scholar]
- Barbon, G.; Cortesi, A.; Ferrara, P.; Pistoia, M.; Tripp, O. Privacy Analysis of Android Apps: Implicit Flows and Quantitative Analysis. In Computer Information Systems and Industrial Management. CISIM 2015; Lecture Notes in Computer Science; Saeed, K., Homenda, W., Eds.; Springer: Cham, Switzerland, 2015; Volume 9339. [Google Scholar]
- Bracamonte, V.; Pape, S.; Löbner, S. “All apps do this”: Comparing Privacy Concerns Towards Privacy Tools and Non-Privacy Tools for Social Media Content. Proc. Priv. Enhancing Technol. 2022, 3, 57–78. [Google Scholar] [CrossRef]
- Chatzistefanou, V.; Limniotis, K. Anonymity in social networks: The case of anonymous social media. Int. J. Electron. Gov. (IJEG) 2019, 11, 361–385. [Google Scholar] [CrossRef]
- Ioannidou, I.; Sklavos, N. On General Data Protection Regulation (GDPR) Vulnerabilities and Privacy Issues, for Wearable Devices and Fitness Tracking Applications. Cryptography 2021, 5, 29. [Google Scholar] [CrossRef]
- Monogios, S.; Magos, K.; Limniotis, K.; Kolokotronis, N.; Shiaeles, S. Privacy issues in Android applications: The cases of GPS navigators and fitness trackers. Int. J. Electron. Gov. (IJEG) 2022, 14, 83–111. [Google Scholar] [CrossRef]
- Papageorgiou, A.; Strigkos, M.; Politou, E.; Alepis, E.; Solanas, A.; Patsakis, C. Security and Privacy Analysis of Mobile Health Applications: The Alarming State of Practice. IEEE Access 2018, 6, 9390–9403. [Google Scholar] [CrossRef]
- Newman, L.H. Zoom Will Fix the Flaw that Let Hackers Hijack Webcams. Wired. 2019. Available online: https://www.wired.com/story/zoom-flaw-web-server-fix/ (accessed on 18 December 2022).
- Schneier, B. Securing Internet Videoconferencing Apps: Zoom and Others. Available online: https://www.schneier.com/blog/archives/2020/04/secure_internet.html (accessed on 18 December 2022).
- Altschaffel, R.; Hielscher, J.; Kiltz, S.; Dittmann, J. Meta and Media Data Stream Forensics in the Encrypted Domain of Video Conferences. In Proceedings of the ACM Workshop on Information Hiding and Multimedia Security, Virtual Event, Belgium, 22–25 June 2021; pp. 23–33. [Google Scholar]
- Consumer Reports. It’s Not Just Zoom. Google Meet, Microsoft Teams, and Webex Have Privacy Issues, Too. 2020. Available online: https://www.consumerreports.org/video-conferencing-services/videoconferencing-privacy-issues-google-microsoft-webex-a7383469308/ (accessed on 18 December 2022).
- Kalapodi, A.; Sklavos, N. The concerns of personal data privacy, on calling and messaging, networking Applications. In Security in Computing and Communications SSCC 2020; Communications in Computer and Information Science; Thampi, S.M., Wang, G., Rawat, D.B., Ko, R., Fan, C.I., Eds.; Springer: Singapore, 2021; Volume 1364. [Google Scholar]
- Sun, Y.; Zhu, S.; Chen, Y. ZoomP3: Privacy-Preserving Publishing of Online Video Conference Recordings. Proc. Priv. Enhancing Technol. (POPETS) 2022, 3, 630–649. [Google Scholar] [CrossRef]
- Yang, Y.; West, J.; Thiruvathukal, G.K.; Fawaz, K. Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing Apps. arXiv 2022, arXiv:2204.06128. [Google Scholar] [CrossRef]
- Kagan, D.; Alpert, G.F.; Fire, M. Zooming Into Video Conferencing Privacy. IEEE Trans. Comput. Soc. Syst. 2023. [Google Scholar] [CrossRef]
- Exodus Privacy. Available online: https://exodus-privacy.eu.org/en/ (accessed on 5 November 2022).
- International Computer Science Institute. Lumen Privacy Monitor. 2021. Available online: https://www.icsi.berkeley.edu/icsi/projects/networking/haystack (accessed on 5 November 2022).
- Reyes, I.; Wijesekera, P.; Razaghpanah, A.; Reardon, J.; Vallina-Rodriguez, N.; Egelman, S.; Kreibich, C. Is our children’s apps learning? Automatically detecting COPPA violations. In Proceedings of the IEEE Workshop on Technology and Consumer Protection (ConPro), San Jose, CA, USA, 22–24 May 2017. [Google Scholar]
- Razaghpanah, A.; Nithyanand, R.; Vallina-Rodriguez, N.; Sundaresan, S.; Allman, M.; Kreibich, C.; Gill, P. Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem. In Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, USA, 18–21 February 2018. [Google Scholar]
- Zhou, X.; Demetriou, S.; He, D.; Naveed, M.; Pan, X.; Wang, X.; Gunter, C.A.; Nahrstedt, K. Identity, location, disease and more: Inferring your secrets from Android public resources. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, Berlin, Germany, 4–8 November 2013; pp. 1017–1028. [Google Scholar]
- MITRE. CVE List. Available online: https://cve.mitre.org/cve/ (accessed on 18 February 2023).
| Permissions/VCA | Discord | Element | KakaoTalk | Line | Messenger | Phoenix | Session | Signal | Skype | Teams | Telegram | Viber | Webex Meet | Wire | Zalo | Zoom | | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Total number | 7 | 7 | 19 | 17 | 18 | 8 | 5 | 19 | 13 | 12 | 13 | 15 | 12 | 13 | 14 | 7 | 14 | 13 |
| App | Number of Trackers (January 2022) | Number of Trackers (November 2022) |
|---|---|---|
| Discord | 6 | 2 |
| Element | 0 | 0 |
| KakaoTalk | 3 | 3 |
| Line | 4 | 4 |
| Messenger | 4 | 5 |
| Phoenix | 3 | 3 |
| Session | 0 | 0 |
| Signal | 0 | 0 |
| Skype | 2 | 1 |
| Teams | 3 | 3 |
| Telegram | 1 | 1 |
| Viber | 12 | 6 |
| Webex Meet | 2 | 2 |
| | 5 | 2 |
| | 1 | 1 |
| Wire | 1 | 0 |
| Zalo | 7 | 5 |
| Zoom | 1 | 0 |
Discord | KakaoTalk | Line | Phoenix | Viber | |
---|---|---|---|---|---|
adjust.com | × | ||||
appboy.com | × | ||||
appsflyer.com | × | ||||
collection-endpoint-prod.herokuapp.com | × | ||||
crashlytics.com | × | × | |||
line-apps.com | × | ||||
mixpanel.com | × |
App | Account (com.facebook.messenger) | Android Serial | BSSID | Build Fingerprint | Private IP | Timezone |
---|---|---|---|---|---|---|
Line | × | × | ||||
Phoenix | × | |||||
Skype | × | × | × | |||
Teams | × | |||||
Viber | × | × | ||||
Webex Meet | × | × | × | |||
× |
| App | Detailed Description of Personal Data Collected (Types of Data and Purposes) | Detailed Description of Third Parties | The Privacy Policy Is Consistent with Our Findings |
|---|---|---|---|
| Discord | Yes | No | Yes |
| Element | Yes | No third parties | Yes |
| KakaoTalk | Yes | Yes | Yes |
| Line | Yes | Yes | Yes |
| Messenger | Yes | Yes | Yes |
| Phoenix | Only anonymous data | No | No (see Table 3 and Table 4) |
| Session | Only anonymous data | No third parties | Yes |
| Signal | Yes | No third parties | Yes |
| Skype | No detailed description | No | No (see Table 4) |
| Teams | No detailed description | No | Yes |
| Telegram | Yes | No third parties (only payment services) | Yes |
| Viber | Yes | Yes | No (see Table 4) |
| Webex Meet | Yes | Yes | Yes |
| | Yes | Categories of parties | No (see Table 1 and Table 2) |
| | Yes | Categories of parties | Yes |
| Wire | Yes | No third parties | Yes |
| Zalo | No | No | No (see Table 2) |
| Zoom | Yes | Categories of parties | Yes |
| App | End-to-End Encryption | Total Number of CVEs (2021–2022) | Corresponding CVSS Scores |
|---|---|---|---|
| Discord | No | 2 | |
| Element | Yes | 2 | |
| KakaoTalk | No | 0 | - |
| Line | Yes | 7 | |
| Messenger | No | 1 | |
| Phoenix | No | 0 | - |
| Session | Yes | 1 | |
| Signal | Yes | 1 | |
| Skype | No | | |
| Teams | No | 2 | |
| Telegram | No | 14 | |
| Viber | Yes | 0 | - |
| Webex Meet | No | | |
| | No | 2 | |
| | Yes | 8 | |
| Wire | Yes | 8 | |
| Zalo | Yes | 0 | - |
| Zoom | Yes | 3 | |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Achilleos, G.; Limniotis, K.; Kolokotronis, N. Exploring Personal Data Processing in Video Conferencing Apps. Electronics 2023, 12, 1247. https://doi.org/10.3390/electronics12051247