Just a PSA:
We've been doing a bit of work on tech issues under the GDPR and came across a potential identification issue for apps on both iOS and Android. This could cause regulatory problems under certain conditions.
In short, if your app:
We wrote this up, with some suggested fixes: https://arxiv.org/pdf/1809.05369.pdf
It's not a very complicated issue to address, and there are lots of ways around it. You could simply expose the SSAID (or whatever identifier you use) in an 'About' section of the app, or use other app functionality (e.g. 'share' URLs) to allow users to provide some kind of hook to their data (though be aware that asking people to sign up for an account or sign into a social media profile to 'link' their shadow account to an identifier they can provide may cause other regulatory issues).
Anyway, just thought it was an interesting problem that may affect some apps out there, so it might be worth thinking about. For example, we see games as particularly vulnerable to this - though they are far from the only apps out there that don't require accounts.
Feel free to get in touch with any questions if you have any.
We've been doing a bit of work on tech issues under the GDPR and came across a potential identification issue for apps on both iOS and Android. This could cause regulatory problems under certain conditions.
In short, if your app:
- does not strictly require a user logs in to use,
- collects pseudonymised "shadow profile" data (e.g. SSAID, analytics, location data), and
- operates in a country where similar data protection rights to the (EU's) GDPR exist,
We wrote this up, with some suggested fixes: https://arxiv.org/pdf/1809.05369.pdf
It's not a very complicated issue to address, and there are lots of ways around it. You could simply expose the SSAID (or whatever identifier you use) in an 'About' section of the app, or use other app functionality (e.g. 'share' URLs) to allow users to provide some kind of hook to their data (though be aware that asking people to sign up for an account or sign into a social media profile to 'link' their shadow account to an identifier they can provide may cause other regulatory issues).
Anyway, just thought it was an interesting problem that may affect some apps out there, so it might be worth thinking about. For example, we see games as particularly vulnerable to this - though they are far from the only apps out there that don't require accounts.
Feel free to get in touch with any questions if you have any.