Which Apps Have Privacy Policies?

Abstract

Smartphone app privacy policies are intended to describe smartphone apps’ data collection and use practices. However, not all apps have privacy policies. Without prominent privacy policies, it becomes more difficult for users, regulators, and privacy organizations to evaluate apps’ privacy practices. We answer the question: “Which apps have privacy policies?” by analyzing the metadata of over one million apps from the Google Play Store. Only about half of the apps we examined link to a policy from their Play Store pages. First, we conducted an exploratory data analysis of the relationship between app metadata features and whether apps link to privacy policies. Next, we trained a logistic regression model to predict the probability that individual apps will have policy links. Finally, by comparing three crawls of the Play Store, we observe an overall-increase in the percent of apps with links between September 2017 and May 2018 (from 41.7% to 51.8%).

This study was supported in part by the NSF Frontier grant on Usable Privacy Policies (CNS-1330596 and CNS-1330141) and a DARPA Brandeis grant on Personalized Privacy Assistants (FA8750-15-2-0277). The US Government is authorized to reproduce and distribute reprints for Governmental purposes not withstanding any copyright notation. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the NSF, DARPA, or the US Government.

A Appendix

1.1 A.1 Odds Calculations

Here we provide additional details about how the baseline app’s odds were calculated, and how to interpret the model’s quantitative variables.

Logistic regression models operate directly in terms of log(odds). For inter-pretability, log(odds) are easily converted to odds:

$$ e^{\text{log(odds)}} = {\text{odds}} $$

(2)

Under the definition of the baseline app in Sect. 4, the log(odds) of the baseline app having a privacy policy can be calculated by substituting the coefficients of Table 2 into the following equation:

$$ {\text{log(odds(policy}} = {\text{True))}} = b_{0} + b_{{{\text{date}}\_{\text{published}}\_{\text{relative}}}} *{\text{date}}\_{\text{published}}\_{\text{relative}}\_{\text{scaled}} + \ldots $$

(3)

where b₀ is the intercept, b_date__published__relative is a feature coefficient, and date_published_relative_scaled is a scaled feature value. Note that the full equation would include terms for all of the coefficients in Table 2. From this equation, we calculate the log(odds) = −0.887 and odds = e^−0.887 = 0.412 of the baseline app having a privacy policy.

Next, we give an example of changing a quantitative variable. Suppose we start with the baseline app, which has no ratings, and increase the rating_count to 1,000,000. First, we scale rating_count¹³ using the coefficients from Table 1:

$$ \Delta rating\_count\_scaled = \frac{1,000,000 - rating\_count\_baseline}{{S_{rating\_count} }} \approx \frac{1,000,000}{{1.598*10^{5} }} \approx 6.258 $$

(4)

Next, we simply multiply this scaled value by its corresponding coefficient from Table 2 and add it to the log(odds) of the baseline app. This gives us log(odds) = 8.850, or equivalently odds = 6,974. According to our model, an app with 1,000,000 ratings has much greater odds of having a privacy policy than an app with no ratings.