Serge Egelman

On April 3rd 2019, the World Health Organization (WHO) published a press release announcing the results of a coordinated effort led by the WHO Digital Health Technical Advisory Group to develop technical solutions that could trace the development of the COVID-19 infection, perform population screening, and more efficiently allocate limited Read more…

The Ad ID Persistent identifiers are the bread and butter of the online tracking industry. They allow companies to learn the websites that you visit and the apps that you use, including what you do within those apps. A persistent identifier is just a unique number that is used to Read more…

In late February of this year, we received word that an advertising company, ironSource, had obtained a leaked draft of our paper on COPPA violations in Android apps. In that version of the paper, we mentioned them (and their subsidiary, Supersonic) exactly once: in a table of advertising SDKs whose Read more…

In our study of kids’ Android apps, we observed that a majority of apps specifically targeted at kids may be violating U.S. privacy law: the Children’s Online Privacy Protection Act (COPPA). In response to this revelation, many companies that we named in our paper have responded by stating that they Read more…

As a followup to my previous post, I both emailed CVS and tweeted at them to give them an opportunity to comment on their app’s location-sharing practices: I noticed that your mobile app appears to be sharing my location data with around 40 different third parties. Can you please explain Read more…

Recently, we decided to take a closer look at apps in our database that are sharing location data. This is a concern, because it could be used to track someone over time. One app in particular stood out, just based on the sheer number of data recipients. The “CVS/pharmacy” app appears to be sending the user’s GPS coordinates to over 40 different entities! Some of these include:
(more…)