Menu Close

Investigations

IDAC has conducted technical and policy investigations into web applications, third-parties, and privacy policies over time and at scale. Our investigations reveal any concerning or inappropriate behavior around the type of personal data collected, who receives collected data, permissions requested, software development kits (SDKs) present in apps and other data transmissions.

The IDAC team will open an investigation into apps when the data collected is sensitive or there are concerns around the potential misuse of user data by the sector. For example, health, education and children’s apps have been a particular focus of our investigations. We welcome relevant information from researchers about concerns with particular apps or SDKs.

To date, our investigations include almost 500 education technology (edtech) apps, more than 100 COVID-19 related apps, childrens’ apps, SDKs, and more. You can access our investigations below.

IDAC Investigations

Vaccine Passports Investigation: CommonPass Results

Today IDAC is releasing the results of its analysis of the CommonPass app. CommonPass is a free app in the Apple App Store and the Google Play Store, which was developed through a nonprofit public trust and is operated by The Commons Project. The Commons Project is working alongside the World Economic Forum and leaders from 52 countries to design a common framework for safe border reopening. To date, several major airline companies have started to use CommonPass and the app has garnered significant global media attention focused on its ease of use.

We’re Investigating Vaccine Passport Apps: Initial Findings

In the coming months, IDAC will investigate these Vaccine Passport apps as they reach the market to increase transparency about privacy practices, identify harms and practices that don’t align with app users’ reasonable expectations, and highlight best practices. Although our investigation is just beginning, we have shared the results of our investigation into the New York Excelsior Pass, the first state vaccine pass to be offered to the public.

Privacy Investigation Reveals Extensive Voter Data Collection & Data Sharing in 2020 Presidential Campaign Mobile Apps & Website

Throughout the 2020 election, campaign apps and websites transmitted extensive amounts of personal information about users to third parties, sometimes without disclosure, a new report from a nonprofit Internet watchdog reported today. The International Digital Accountability Council (IDAC) conducted a two-month investigation during the 2020 general election in the United States to evaluate the data collection and third party data-sharing practices of election apps and websites, including the apps and websites of President Trump, President-Elect Biden, and more than a hundred other leading 2020 senatorial, gubernatorial, and U.S. House of Representatives campaigns.

IDAC Researchers Alert Google to Policy-Violating Third-Party Data Practices

In response to outreach from researchers from the International Digital Accountability Council (IDAC), Google has taken corrective action in connection with three apps – Princess Salon, Number Coloring and Cats and Cosplay and data collection practices by three software development kits (SDKs) used within those apps. IDAC alerted Google that the three apps were in violation of Google’s developer policies. It also alerted Google to potential issues with three SDKs used in those apps – Unity, Umeng, and Appodeal. Google took corrective action in response, after its own investigation.

Millions of Users’ Unencrypted Location Data Being Shared with Twitter-Owned MoPub

Close to 10 million app users’ location data is exposed to an array of cyber attacks due to Twitter’s failure to protect unencrypted data transmissions, the International Digital Accountability Council revealed today. Twitter has been aware of this issue since the global cybersecurity company Kaspersky released a 2018 report detailing how over three million Android application packages were found transmitting unencrypted data over the Internet. IDAC’s technologists observed seven apps sending users’ unencrypted GPS location data to a Twitter-owned MoPub’s servers.

Privacy Considerations as Schools and Parents Expand Utilization of Ed Tech Apps During the COVID-19 Pandemic

As educators and parents struggle to adapt to social distancing requirements amid the continuing COVID-19 pandemic, education technology apps have become an increasingly popular tool to assist with remote teaching and learning. To assist in ensuring the trustworthiness of the ed tech app ecosystem, the International Digital Accountability Council (IDAC) today released the results of its investigation into the privacy practices of nearly 500 global ed tech apps spanning 22 countries.

Jiguang’s SDK Covertly Collects User Personal Information With No Clear Opt-Out

A new investigation has identified evidence of concerning behavior from Jiguang, a leading mobile developer service provider and mobile big data solutions platform based in China. The publicly traded company, also known as Aurora Mobile Ltd., is covertly collecting personal and potentially sensitive information—including precise location data and lists of all other apps installed and uninstalled.

IDAC Refers Case to FTC, Illinois AG to Investigate Popular Fertility App

The International Digital Accountability Council has referred a case to the Federal Trade Commission and the Illinois Attorney General regarding a popular fertility app that was secretly sharing vulnerable users’ personal data without disclosure and in contradiction with its own privacy policy. IDAC also brought its concerns to Google’s attention, because the findings violate Google’s Developer Policies.

Privacy in the Age of COVID: An IDAC Investigation of COVID-19 Apps

An independent investigation of worldwide COVID-19 mobile apps found that several widely-used apps pose privacy risks to worldwide users. The International Digital Accountability Council’s (IDAC) investigation, conducted over the last two months, reviewed 108 global COVID-19 mobile apps across 41 countries to understand whether consumer personal data is being used responsibly. The investigators analyzed how apps collect personal data, what data the apps collect, what third parties receive data from these apps and other data issues, to identify concerning practices with app users’ reasonable expectations, privacy laws, and platform policies.

We’re Investigating 100+ Global COVID-19 Apps: Initial Findings

As companies and governments rush to hastily develop COVID-19 apps during this pandemic, we must ensure data protection and privacy are not overlooked or compromised. As of April 27, 2020 IDAC has started to investigate 108 global COVID-19 mobile apps across 41 countries to understand whether consumer personal data is being used responsibly. These apps offer a range of services, covering everything from contact tracing, telehealthcare management, symptom assessments, and more.

Trend Reports

Trend Report: Apps Oversharing Your Advertising ID

IDAC’s team has found a concerning number of apps are sharing the Advertising ID of its users’ devices inappropriately. According to the Google Play Policy Center, the Android Advertising ID (AAID) “must only be used for advertising and user analytics.” But what exactly is the AAID, and how is it supposed to be used? The AAID is Android’s unique ID for advertising (and Apple has the same concept with its ID For Advertisers (IDFA)) which allows for the association of all of a user’s data into a unique profile of them, though users do have the ability to reset this ID if they want to.

Trend Report: Android Apps Inferring Location

The IDAC investigative team has found a prevalent and alarming trend among worldwide mobile applications: Android apps are secretly inferring users’ location without using the device’s location services. Collecting user location data raises privacy concerns, including how and why that data is used.

Trend Report: SDKs Collecting Installed App Lists

A new IDAC investigation found that several prominent Android Software Development Kits (SDKs) are collecting lists of all the apps installed on a user’s device and sending these lists to third parties — companies outside of users’ reasonable expectations — potentially exposing personal information such as a user’s religious beliefs, gender, political affiliations, hobbies, sexual orientation, relationship status, disabilities, health conditions, and more. Companies can then use this information for intrusive behavior such as unwelcome targeted advertising practices.

Trend Report: SDKs Collecting Installed App Lists
A new IDAC investigation found that several prominent Android Software Development Kits (SDKs) are collecting lists of all the apps installed on a user’s device and sending these lists to third parties — companies outside of users’ reasonable expectations — potentially exposing personal information such as a user’s religious beliefs, gender, political affiliations, hobbies, sexual orientation, relationship status, disabilities, health conditions, and more. Companies can then use this information for intrusive behavior such as unwelcome targeted advertising practices. Learn more about our investigation here.