{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,2,21]],"date-time":"2025-02-21T03:24:27Z","timestamp":1740108267652,"version":"3.37.3"},"reference-count":50,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2023,8,29]],"date-time":"2023-08-29T00:00:00Z","timestamp":1693267200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,8,29]],"date-time":"2023-08-29T00:00:00Z","timestamp":1693267200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100000780","name":"European Union","doi-asserted-by":"crossref","award":["\u201dNextGenerationEU\u201d\/PRTR"],"award-info":[{"award-number":["\u201dNextGenerationEU\u201d\/PRTR"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/100012818","name":"Comunidad de Madrid","doi-asserted-by":"publisher","award":["APOYO-JOVENES-QINIM8-72-PKGQ0J"],"award-info":[{"award-number":["APOYO-JOVENES-QINIM8-72-PKGQ0J"]}],"id":[{"id":"10.13039\/100012818","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100003759","name":"Universidad Polit\u00e9cnica de Madrid","doi-asserted-by":"crossref","award":["APOYO-JOVENES-QINIM8-72-PKGQ0J"],"award-info":[{"award-number":["APOYO-JOVENES-QINIM8-72-PKGQ0J"]}],"id":[{"id":"10.13039\/501100003759","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100003759","name":"Universidad Polit\u00e9cnica de Madrid","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100003759","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Computing"],"published-print":{"date-parts":[[2024,1]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Many studies have exposed the massive collection of personal data in the digital ecosystem through, for instance, websites, mobile apps, or smart devices. This fact goes unnoticed by most users, who are also unaware that the collectors are sharing their personal data with many different organizations around the globe. This paper assesses techniques available in the state of the art to identify the organizations receiving this personal data. Based on our findings, we propose Receiver Organization Identifier (ROI), a fully automated method that combines different techniques to achieve a 95.71% precision score in identifying an organization receiving personal data. We demonstrate our method in the wild by evaluating 10,000 Android apps and exposing the organizations that receive users\u2019 personal data. We further assess the transparency of these data-sharing practices by analyzing the apps\u2019 privacy policies. The results reveal a concerning lack of transparency in almost 78% of apps, suggesting the need for regulators to take action.<\/jats:p>","DOI":"10.1007\/s00607-023-01209-2","type":"journal-article","created":{"date-parts":[[2023,8,29]],"date-time":"2023-08-29T11:02:13Z","timestamp":1693306933000},"page":"163-184","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["ROI: a method for identifying organizations receiving personal data"],"prefix":"10.1007","volume":"106","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0911-4608","authenticated-orcid":false,"given":"David","family":"Rodriguez","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6513-0303","authenticated-orcid":false,"given":"Jose M.","family":"Del Alamo","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8958-6217","authenticated-orcid":false,"given":"Miguel","family":"Cozar","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1808-8410","authenticated-orcid":false,"given":"Boni","family":"Garc\u00eda","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,8,29]]},"reference":[{"key":"1209_CR1","doi-asserted-by":"publisher","unstructured":"Razaghpanah A, Nithyanand R, Vallina-Rodriguez N, Sundaresan S, Allman M, Kreibich C, Gill P (2018) Apps, trackers, privacy, and regulators a global study of the mobile tracking ecosystem. In: Proceedings of the network and distributed systems security (NDSS) symposium, pp 1\u201315. https:\/\/doi.org\/10.14722\/ndss.2018.23353","DOI":"10.14722\/ndss.2018.23353"},{"key":"1209_CR2","doi-asserted-by":"publisher","first-page":"15961","DOI":"10.1109\/ACCESS.2021.3053130","volume":"9","author":"DS Guaman","year":"2021","unstructured":"Guaman DS, Alamo JMD, Caiza JC (2021) Gdpr compliance assessment for cross-border personal data transfers in android apps. IEEE Access 9:15961\u201315982. https:\/\/doi.org\/10.1109\/ACCESS.2021.3053130","journal-title":"IEEE Access"},{"key":"1209_CR3","doi-asserted-by":"publisher","unstructured":"Schindler C, Atas M, Strametz T, Feiner J, Hofer R (2022) Privacy leak identification in third-party android libraries. In: Proceedings of the 2022 7th international conference on mobile and secure services, MobiSec- Serv 2022. https:\/\/doi.org\/10.1109\/MOBISECSERV50855.2022.9727217","DOI":"10.1109\/MOBISECSERV50855.2022.9727217"},{"key":"1209_CR4","doi-asserted-by":"crossref","unstructured":"Balebako R, Marsh A, Lin J, Hong J, Cranor LF (2014) The privacy and security behaviors of smartphone app developers. Workshop on usable security (USEC'14), pp. 1\u201310.","DOI":"10.14722\/usec.2014.23006"},{"key":"1209_CR5","unstructured":"Compliance Intelligence\u2014Checks. https:\/\/checks.area120.google.com\/. Accessed: 2023-06-08"},{"key":"1209_CR6","doi-asserted-by":"publisher","unstructured":"Verderame L, Caputo D, Romdhana A, Merlo A (2020) On the (un)reliability of privacy policies in android apps. In: Proceedings of the international joint conference on neural networks (2020). https:\/\/doi.org\/10.1109\/IJCNN48605.2020.9206660","DOI":"10.1109\/IJCNN48605.2020.9206660"},{"key":"1209_CR7","doi-asserted-by":"publisher","unstructured":"Enck W, Gilbert P, Han S, Tendulkar V, Chun BG, Cox LP, Jung J, McDaniel P, Sheth AN (2014) Taintdroid. ACM Transactions on Computer Systems (TOCS) 32. https:\/\/doi.org\/10.1145\/2619091","DOI":"10.1145\/2619091"},{"key":"1209_CR8","unstructured":"No Body\u2019s Business But Mine: How Menstruation Apps Are Shar- ing Your Data. Privacy international. https:\/\/privacyinternational.org\/long-read\/3196\/no-bodys-business-mine-how-menstruations-apps-are-sharing-your-data. Accessed: 2023-06-08"},{"key":"1209_CR9","unstructured":"Current Issues\u2014ICANN WHOIS. https:\/\/whois.icann.org\/en\/current-issues. Accessed: 2023-06-08"},{"key":"1209_CR10","doi-asserted-by":"publisher","unstructured":"Libert T (2018) An automated approach to auditing disclosure of third-party data collection in website privacy policies. In: The Web Conference 2018\u2014Proceedings of the World Wide Web Conference, WWW 2018, pp 207\u2013216. https:\/\/doi.org\/10.1145\/3178876.3186087","DOI":"10.1145\/3178876.3186087"},{"key":"1209_CR11","doi-asserted-by":"publisher","unstructured":"Rodriguez D, Del Alamo JM, Cozar M, Garc\u00eda B (2023) ROI: a method for identifying organizations receiving personal data. Mendeley Data. https:\/\/doi.org\/10.17632\/3mdyg53c94","DOI":"10.17632\/3mdyg53c94"},{"key":"1209_CR12","unstructured":"RFC 954\u2014CNAME\/WHOIS. https:\/\/datatracker.ietf.org\/doc\/html\/rfc954. Accessed: 2023-06-08"},{"key":"1209_CR13","doi-asserted-by":"publisher","unstructured":"Liu S, Foster I, Savage S, Voelker GM, Saul LK (2015) Who is .com? learning to parse whois records. In: Proceedings of the ACM SIGCOMM internet measurement conference, IMC 2015-October, pp 369\u2013380. https:\/\/doi.org\/10.1145\/2815675.2815693","DOI":"10.1145\/2815675.2815693"},{"key":"1209_CR14","doi-asserted-by":"publisher","unstructured":"Ziv M, Izhikevich L, Ruth K, Izhikevich K, Durumeric Z (2021) Asdb: A system for classifying owners of autonomous systems. In: Proceedings of the ACM SIGCOMM internet measurement Conference, IMC, pp 703\u2013719. https:\/\/doi.org\/10.1145\/3487552.3487853","DOI":"10.1145\/3487552.3487853"},{"key":"1209_CR15","doi-asserted-by":"publisher","unstructured":"Thao TP, Yamada A, Murakami K, Urakawa J, Sawaya Y, Kubota A (2017) Classification of landing and distribution domains using whois\u2019 text mining. In: Proceedings of the 16th IEEE conference on trust, security and privacy in computing and communications (IEEE TrustCom-17), pp. 1\u20138. https:\/\/doi.org\/10.1109\/Trustcom\/BigDataSE\/ICESS.2017.213","DOI":"10.1109\/Trustcom\/BigDataSE\/ICESS.2017.213"},{"key":"1209_CR16","doi-asserted-by":"publisher","unstructured":"Watters PA, Herps A, Layton R, McCombie S (2013) Icann or icant: Is whois an enabler of cybercrime? In: Proceedings\u20144th cybercrime and trust-worthy computing workshop, CTC 2013, pp 44\u201349. https:\/\/doi.org\/10.1109\/CTC.2013.13","DOI":"10.1109\/CTC.2013.13"},{"key":"1209_CR17","unstructured":"WHOIS Policy Review (2012). https:\/\/www.icann.org\/en\/system\/files\/files\/final-report-11may12-en.pdf. Accessed: 2023-06-08"},{"key":"1209_CR18","unstructured":"WHOIS Accuracy Reporting System (ARS)\u2014ICANN WHOIS. https:\/\/whois.icann.org\/en\/whoisars. Accessed: 2023-06-08"},{"key":"1209_CR19","unstructured":"HTTPS encryption on the web\u2014Google Transparency Report. https:\/\/transparencyreport.google.com\/https\/overview. Accessed: 2023-06-08"},{"key":"1209_CR20","unstructured":"SSL Survey\u2014Netcraft. https:\/\/www.netcraft.com\/internet-data-mining\/ssl-survey\/. Accessed: 2023-06-08"},{"key":"1209_CR21","doi-asserted-by":"publisher","unstructured":"Victor M, Ra\u00fal P (2020) SoK: Three Facets of Privacy Policies. In: Proceedings of the 19th workshop on privacy in the electronic society (WPES'20). Association for Computing Machinery, New York, NY, USA, pp 41\u201356. https:\/\/doi.org\/10.1145\/3411497.3420216","DOI":"10.1145\/3411497.3420216"},{"key":"1209_CR22","doi-asserted-by":"publisher","unstructured":"Ahmad SS, Dar MD, Zaffar MF, Vallina-Rodriguez N, Nithyanand R (2020) Apophanies or epiphanies? How crawlers impact our understanding of the web. In: The Web Conference 2020\u2014Proceedings of the World Wide Web Conference, WWW 2020, pp 271\u2013280. https:\/\/doi.org\/10.1145\/3366423.3380113","DOI":"10.1145\/3366423.3380113"},{"key":"1209_CR23","doi-asserted-by":"publisher","first-page":"2053","DOI":"10.1007\/s00607-022-01076-3","volume":"104","author":"JMD Alamo","year":"2022","unstructured":"Alamo JMD, Guaman DS, Garc\u00eda B, Diez A (2022) A systematic mapping study on automated analysis of privacy policies. Computing 104:2053\u20132076. https:\/\/doi.org\/10.1007\/s00607-022-01076-3","journal-title":"Computing"},{"key":"1209_CR24","doi-asserted-by":"publisher","unstructured":"Zimmeck S, Wang Z, Zou L, Iyengar R, Liu B, Schaub F, Wilson S, Sadeh N, Bellovin SM, Reidenberg J, Louis S (2017) Automated analysis of privacy requirements for mobile apps. In: The 24th annual network and distributed system security symposium, NDSS, (2017). https:\/\/doi.org\/10.14722\/ndss.2017.23034","DOI":"10.14722\/ndss.2017.23034"},{"key":"1209_CR25","doi-asserted-by":"publisher","unstructured":"Wilson S, Schaub F, Ramanath R, Sadeh N, Liu F, Smith NA, Liu F (2016) Crowdsourcing annotations for websites\u2019 privacy policies: can it really work? 25th International World Wide Web Conference. WWW 2016:133\u2013143. https:\/\/doi.org\/10.1145\/2872427.2883035","DOI":"10.1145\/2872427.2883035"},{"key":"1209_CR26","doi-asserted-by":"publisher","unstructured":"Torre D, Abualhaija S, Sabetzadeh M, Briand L, Baetens K, Goes P, Forastier S (2020) An ai-assisted approach for checking the completeness of privacy policies against gdpr. In: Proceedings of the IEEE international conference on requirements engineering 2020-August, pp 136\u2013146. https:\/\/doi.org\/10.1109\/RE48521.2020.00025","DOI":"10.1109\/RE48521.2020.00025"},{"key":"1209_CR27","doi-asserted-by":"publisher","unstructured":"Costante E, Sun Y, Petkovic M, Hartog JD (2012) A machine learning solution to assess privacy policy completeness. In: Proceedings of the ACM conference on computer and communications security, pp 91\u201396. https:\/\/doi.org\/10.1145\/2381966.2381979","DOI":"10.1145\/2381966.2381979"},{"key":"1209_CR28","doi-asserted-by":"publisher","unstructured":"Hosseini MB (2020) Identifying and classifying third-party entities in natural language privacy policies. In: Proceedings of the 2nd workshop privacy, pp 18\u201327. https:\/\/doi.org\/10.18653\/v1\/2020.privatenlp-1.3.","DOI":"10.18653\/v1\/2020.privatenlp-1.3"},{"key":"1209_CR29","unstructured":"Libert T, Desai A, Patel D (2021) Preserving needles in the haystack: A search engine and multi-jurisdictional forensic documentation system for privacy violations on the web (2021). https:\/\/timlibert.me\/pdf\/Libert_et_al-2021-Forensic_Privacy_on_Web.pdf"},{"key":"1209_CR30","doi-asserted-by":"publisher","unstructured":"Binns R, Lyngs U, Kleek MV, Zhao J, Libert T, Shadbolt N (2018) Third party tracking in the mobile ecosystem. In: WebSci 2018\u2014Proceedings of the 10th ACM conference on web science, pp 23\u201331. https:\/\/doi.org\/10.1145\/3201064.3201089","DOI":"10.1145\/3201064.3201089"},{"key":"1209_CR31","doi-asserted-by":"publisher","unstructured":"Binns R, Zhao J, Kleek MV, Shadbolt N (2018) Measuring third-party tracker power across web and mobile. ACM Transactions on Internet Technology (TOIT) 18 (2018). https:\/\/doi.org\/10.1145\/3176246","DOI":"10.1145\/3176246"},{"key":"1209_CR32","doi-asserted-by":"publisher","unstructured":"Kleek MV, Liccardi I, Binns R, Zhao J, Weitzner DJ, Shadbolt N (2017) Better the devil you know: exposing the data sharing practices of smartphone apps. In: Conference on human factors in computing systems\u2014proceedings 2017-May, pp 5208\u20135220. https:\/\/doi.org\/10.1145\/3025453.3025556","DOI":"10.1145\/3025453.3025556"},{"key":"1209_CR33","unstructured":"python-whois\u2014PyPI. https:\/\/pypi.org\/project\/python-whois\/. Accessed: 2023-06-08"},{"key":"1209_CR34","doi-asserted-by":"publisher","unstructured":"Harkous H, Fawaz K, Lebret R, Schaub F, Shin KG, Aberer K (2018) Polisis: automated analysis and presentation of privacy policies using deep learning. In: 27th USENIX Security Symposium. https:\/\/doi.org\/10.48550\/ARXIV.1802.02561","DOI":"10.48550\/ARXIV.1802.02561"},{"key":"1209_CR35","doi-asserted-by":"publisher","unstructured":"Garc\u00eda B, Gallego M, Gort\u00e1zar F, Munoz-Organero M (2020) A survey of the selenium ecosystem. Electronics 9(7):1067. https:\/\/doi.org\/10.3390\/ELECTRONICS9071067","DOI":"10.3390\/ELECTRONICS9071067"},{"key":"1209_CR36","unstructured":"langdetect\u2014PyPI. https:\/\/pypi.org\/project\/langdetect\/. Accessed: 2023-06-08"},{"issue":"3","key":"1209_CR37","doi-asserted-by":"publisher","first-page":"322","DOI":"10.1214\/088342306000000493","volume":"21","author":"JM Moguerza","year":"2006","unstructured":"Moguerza JM, Mu\u00f1oz A (2006) Support vector machines with applications. Stat Sci 21(3):322\u2013336. https:\/\/doi.org\/10.1214\/088342306000000493","journal-title":"Stat Sci"},{"key":"1209_CR38","doi-asserted-by":"publisher","unstructured":"Wilson S, Schaub F, Liu F, Sathyendra K M, Smullen D, Zimmeck S, Ramanath R, Story P, Liu F, Sadeh N, Smith N A. (2018) Analyzing privacy policies at scale: From crowdsourcing to automated annotations. ACM Trans Web 13(1). https:\/\/doi.org\/10.1142\/3230665","DOI":"10.1142\/3230665"},{"key":"1209_CR39","doi-asserted-by":"publisher","unstructured":"Guam\u00e1n DS, Rodriguez D, del Alamo JM, Such J (2023) Automated GDPR compliance assessment for cross-border personal data transfers in android applications. Comput Security 130:103262. https:\/\/doi.org\/10.1016\/J.COSE.2023.103262","DOI":"10.1016\/J.COSE.2023.103262"},{"key":"1209_CR40","doi-asserted-by":"publisher","unstructured":"Honnibal M, Montani I, Van Landeghem S, Boyd A (2020) spaCy: industrial-strength natural language processing in python. Zenodo. https:\/\/doi.org\/10.5281\/zenodo.1212303","DOI":"10.5281\/zenodo.1212303"},{"key":"1209_CR41","unstructured":"ANY.RUN\u2014Interactive Online Malware Sandbox. https:\/\/any.run\/. Accessed: 2023\u201306\u201308"},{"key":"1209_CR42","unstructured":"Android Developers. (n.d.). Android Debug Bridge (ADB). https:\/\/developer.android.com\/tools\/adb. Accessed: 2023-06-08"},{"key":"1209_CR43","unstructured":"Android Developers. (n.d.). UI\/Application Exerciser Monkey. https:\/\/developer.android.com\/studio\/test\/other-testing-tools\/monkey. Accessed: 2023-06-08"},{"key":"1209_CR44","doi-asserted-by":"publisher","unstructured":"Laperdrix P, Mehanna N, Durey A, Rudametkin W (2022) The price to play: A privacy analysis of free and paid games in the android ecosystem. In: WWW 2022\u2014Proceedings of the ACM Web Conference 2022, pp 3440\u20133449 https:\/\/doi.org\/10.1145\/3485447.3512279","DOI":"10.1145\/3485447.3512279"},{"key":"1209_CR45","doi-asserted-by":"publisher","unstructured":"Razaghpanah A, Vallina-Rodriguez N, Sundaresan S, Kreibich C, Gill P, Allman M, Paxson V (2015) Haystack: A multi-purpose mobile vantage point in user space (2015). https:\/\/doi.org\/10.48550\/arxiv.1510.01419","DOI":"10.48550\/arxiv.1510.01419"},{"key":"1209_CR46","doi-asserted-by":"publisher","unstructured":"Choudhary SR, Gorla A, Orso A (2015) Automated test input generation for android: Are we there yet? In: 2015 30th IEEE\/ACM international conference on automated software engineering (ASE), pp 429\u2013440. https:\/\/doi.org\/10.1109\/ASE.2015.89. IEEE","DOI":"10.1109\/ASE.2015.89"},{"key":"1209_CR47","doi-asserted-by":"publisher","unstructured":"Kollnig K, Shuba A, Binns R, Van Kleek M, Shadbolt N (2022) Are iPhones Really Better for Privacy? A Comparative Study of iOS and Android Apps. In: Proceedings on privacy enhancing technologies (Vol. 2022, Issue 2, pp. 6\u201324). Privacy enhancing technologies symposium. https:\/\/doi.org\/10.2478\/popets-2022-0033.","DOI":"10.2478\/popets-2022-0033"},{"key":"1209_CR48","unstructured":"Crunchbase. https:\/\/www.crunchbase.com\/home. Accessed: 2023-06-08"},{"key":"1209_CR49","unstructured":"Google Play SDK Index. https:\/\/play.google.com\/sdks. Accessed: 2023-06-08"},{"key":"1209_CR50","unstructured":"European Commission: Regulation (EU) 2016\/679 of the European Par- liament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation) (Text with EEA relevance). European Commission (2016). https:\/\/eur-lex.europa.eu\/eli\/reg\/2016\/679\/oj"}],"container-title":["Computing"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00607-023-01209-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s00607-023-01209-2\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00607-023-01209-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,1,17]],"date-time":"2024-01-17T17:39:25Z","timestamp":1705513165000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s00607-023-01209-2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,8,29]]},"references-count":50,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,1]]}},"alternative-id":["1209"],"URL":"https:\/\/doi.org\/10.1007\/s00607-023-01209-2","relation":{},"ISSN":["0010-485X","1436-5057"],"issn-type":[{"type":"print","value":"0010-485X"},{"type":"electronic","value":"1436-5057"}],"subject":[],"published":{"date-parts":[[2023,8,29]]},"assertion":[{"value":"19 December 2022","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"7 August 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"29 August 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare through the submission of this document that they have no conflicts of interest. This work was partially supported by the European Union, the Comunidad de Madrid. These are public funds granting that there are no financial or personal interests related to the research. The authors received no financial support or other benefits from any organization or individual with a stake in the research.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}]}}