The rise of mobile apps has brought greater convenience and customization for users. However, many apps use analytics services to collect a wide range of user interaction data purportedly to improve their service, while presenting app users with vague or incomplete information about this collection in their privacy policies. Typically, such policies neglect to describe all types of user interaction data or how the data is collected. User interaction data is not directly regulated by privacy legislation such as the GDPR. However, the extent and hidden nature of its collection means both that apps are walking a legal tightrope and that users' trust is at risk. To facilitate transparency and comparison, and based on common phrases used in published privacy policies and Android documentation, we make a standardized collection claim template. Based on static analysis of actual data collection implementations, we compare the privacy policy claims of the top 10 apps to fact-checked collection claims. Our findings reveal that all the claims made by these apps are incomplete. By providing a standardized way of describing user interaction data collection in mobile apps and comparing actual collection practices to privacy policies, this work aims to increase transparency and establish trust between app developers and users.
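To make the comparison described above concrete, here is an added example (not code from the paper or its authors) of the core fact-checking step: a policy's collection claim is expressed in a small structured form, an app's source is scanned for analytics calls, and the two are diffed into confirmed, undisclosed and unverified data types. The `CollectionClaim` structure, the mapping from event names to user-interaction data types, and the sample Kotlin fragment are all assumptions constructed for this example; the only facts taken from outside the page are that Firebase Analytics records `screen_view` automatically once the SDK is initialised and that `logEvent` is its explicit event API.

```python
"""Toy fact-checker: compare a policy's collection claims with analytics calls in app source."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CollectionClaim:
    """One standardised collection claim (structure is an assumption, not the paper's template)."""
    data_types: frozenset   # user-interaction data types the policy admits collecting
    collector: str          # who receives the data, e.g. "Firebase Analytics"
    method: str             # "automatic" or "explicit"


# Event name -> human-readable data type. Constructed mapping for this example.
EXPLICIT_EVENTS = {
    "screen_view": "screen views",
    "select_content": "content selections",
    "search": "search queries",
    "share": "share actions",
}

# Firebase Analytics logs screen_view automatically after the SDK is initialised,
# so SDK initialisation alone already implies collection of screen views.
SDK_INIT = re.compile(r"FirebaseAnalytics\.getInstance\(")
# Explicit events: logEvent("name", ...) or logEvent(FirebaseAnalytics.Event.NAME, ...)
LOG_EVENT = re.compile(r'logEvent\(\s*(?:"([a-z_]+)"|FirebaseAnalytics\.Event\.([A-Z_]+))')


def detect_collection(source: str) -> dict:
    """Return {data type: method} implied by the analytics calls found in source."""
    found = {}
    if SDK_INIT.search(source):
        found["screen views"] = "automatic"
    for m in LOG_EVENT.finditer(source):
        name = (m.group(1) or m.group(2)).lower()
        dtype = EXPLICIT_EVENTS.get(name, f"custom event '{name}'")
        found[dtype] = "explicit"
    return found


def fact_check(claim: CollectionClaim, source: str) -> dict:
    """Diff what the policy claims against what the code actually sends."""
    actual_types = set(detect_collection(source))
    return {
        "confirmed": actual_types & claim.data_types,     # claimed and found in code
        "undisclosed": actual_types - claim.data_types,   # collected but never claimed
        "unverified": claim.data_types - actual_types,    # claimed but no call found
    }


# Constructed sample: a Kotlin activity and a policy that only admits screen views.
SAMPLE_SOURCE = '''
class MainActivity : AppCompatActivity() {
    private lateinit var analytics: FirebaseAnalytics
    override fun onCreate(savedInstanceState: Bundle?) {
        analytics = FirebaseAnalytics.getInstance(this)
        searchButton.setOnClickListener {
            analytics.logEvent("search", bundleOf("search_term" to query.text))
        }
        shareButton.setOnClickListener {
            analytics.logEvent(FirebaseAnalytics.Event.SHARE, null)
        }
    }
}
'''
SAMPLE_CLAIM = CollectionClaim(frozenset({"screen views"}), "Firebase Analytics", "automatic")

if __name__ == "__main__":
    for category, types in fact_check(SAMPLE_CLAIM, SAMPLE_SOURCE).items():
        print(f"{category}: {sorted(types)}")
```

Run on the constructed sample, the policy's single claim (screen views) is confirmed, while search queries and share actions show up as undisclosed collection. A real static analysis would resolve calls through the compiled APK rather than matching source text, but the claim-versus-implementation diff is the same.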