Privacy Talk with Konrad Kolling, PhD student at University Oxford: What did you found through research with app tracking pre-post GDPR?

Kohei Kurihara
Privacy Talk
Published in
8 min readMay 8, 2022


This interview is talking about privacy research and transparency.

Kohei is having great time discussing privacy research and transparency with Konrad Kolling.

This interview outline:

  • Introduction
  • Why did you start to research privacy and what is your main research theme?
  • Why did you decide to research app tracking?
  • What did you found through research with app tracking pre-post GDPR?

Kohei: Oh, hello, everyone. Thank you for coming to the privacy talk. I’m very honored to invite Konrad from UK, Oxford. He’s a great researcher. I was inspired from his research publications. So that’s why I’m asking him to join us together to discuss his research. That’s great to be honored.

Thank you for Konrad, coming to this interview session today.

Konrad: Thank you for the kind invitation.

Kohei: Thank you. First of all, let me introduce his profile.

  • Introduction

Konrad Kollnig is a computer scientist and current PhD student at Oxford University. His research analyses the extent of corporate surveillance of smartphone users. He also is the developer of TrackerControl, an Android app to control smartphone surveillance and learn about individual data protection rights. Konrad’s talk will consider ways to reduce corporate surveillance on smartphones.

So he did great research. I’m very excited to talk with you. Thank you.

Konrad: Thank you.

Kohei: So let’s go to the first topic for this interview. I’m crawling into your profiles on the internet. There was a very exclusive, you got interested in the early days that was very inspiring. I’m also really excited about the internet developments through my life.

So I want to ask you why did you get interested in the internet and this theme then why did you come to this field scale to research about these topics?

  • Why did you start to research privacy and what is your main research theme?

Konrad: So my topics and privacy right? Yeah, I think I’ve been interested in computers and computer science for a long time, early childhood. And I probably got interested in privacy itself around maybe the age of 15. When I was a teenager. I wasn’t allowed to have a computer at the time.

So I instead got myself a Raspberry-Pi, which are these small, tiny computers that you can play around. And the thing that seemed really helpful for me at the time was to try to move my data from Google and other online services onto this little Raspberry Pi device.

Because I was a bit fed up with my data being somewhere where I can’t control it, being locked into some digital ecosystem. So I tried to move my data onto my Raspberry Pi. I failed at that. I didn’t succeed. That was quite cumbersome at the time. And things have been improving a lot over the years. So that’s really exciting.

In terms of privacy preserving technologies, that’s been my first contact with privacy. research. I then did my undergrad degree in computer science in Germany, and then a graduate degree at Oxford.

That’s how I eventually got into data protection and privacy research, also in part because there are a lot of great people at Oxford that work in the field and that I’ve got the honor of working — particularly with my supervisor Nigel Shadbolt. So you know, there’s a lot of inspiration in my research group for my research and me.

Kohei: Thank you. So I think that you have a lot of publications so far. So what is your main research field at this moment?

Konrad: Right, so since I’m a computer scientist, I’m trying to use techniques from computer science to understand questions that relate to data protection and privacy.

Obviously, there’s a lot of research that does legal / policy research but I’m not super knowledgeable about these things — I don’t have a formal education in these things.

So instead, I tried to work at the boundary between computer science and some of these policy areas to make a contribution through the methods, I learned during my computer science degrees.

And specifically that means that I’ve gathered a data set of more than 2 million mobile apps, some from Android, some from iOS, some from 2017, and some from 2020.

So there’s a longitudinal dimension as well. And this allows me to track and analyze changes in apps, privacy behaviors, and that’s my main focus of trying to develop robust methods to understand how privacy is changing in the real world. And how it has an impact on individuals.

Kohei: I see, yeah, I think there is a very important topic right now. Since the third party tracking, or any app tracking is very serious issues under the data protection regulations. Your research field, it’s been quite a valuable for the consumers and companies to comply with the data protection regulations to provide a great service for the market.

  • Why did you decide to research app tracking?

So the next question about the transitions in terms of your publication, there is very deep insight related to the tracking analysis. So one of your paper is describing that the third party tracking number is not decreased, even GDPR has been started.

So could you give us the any details one of your papers for the research I was very interested in that topic?

Konrad: Sure, I think to sort of understand the work we did around the pre-post GDPR, how has app tracking changed, it might be worth giving a bit of background on how we started the investigation.

And that’s because not me. Some of my colleagues in the research group, have long been trying to understand privacy and apps and we actually wrote two papers in 2017, 2018, around analyzing 1 million Android apps, and also analyzing the market concentration around data.

So what companies are dominant in this data ecosystem and just how dominant these companies are. That’s been work done by my colleagues, Max, Binns, Nigel Shadbolt, who’ve really inspired the researcher.

I now, in my PhD looking at pre-post GDPR, used these previous methods to understand a phenomenon that I think quite a few of us are interested in trying to understand, that is just how the GDPR has changed data practices inn reality, beyond changing the legal text.

How has that affected the data practices of mobile apps? And that’s particularly interesting because it’s known that mobile apps do engage in some quite invasive data practices.

So we thought, you know, worthwhile to look at how the gold standard of data protection laws changed acts, privacy practices. And so we took the same 1 million apps from 2017 that were previously looked at, and downloaded another 1 million apps to compare the two.

We used the same method to download apps to find apps on the Google Play Store so that we can make a fair comparison between the two. We looked at the Google Play Store in the UK, which at the time was part of the EU and the EU enacted the GDPR, the General Data Protection Regulation that came into force in May 2018, which was exactly between our two points of data collection, 2017 and 2020.

  • What did you found through research with app tracking pre-post GDPR?

We made two main observations. First, apps still do a lot of tracking. The average number of companies that apps can send data to tracking companies has not changed a lot. It’s still Facebook and Google being really, really prevalent in these apps.

Second, we found that the concentration with these companies is still rather high. In other words, there are few companies who dominate this data collection ecosystem. However, these findings do not mean that the GDPR has not changed anything. It means that apps still rely on data driven business models, and there are few companies that really support these business models.

And since business models haven’t changed, there’s still some data that could be transferred to Google and Facebook. Something that we did not look at, something that might have changed is just how invasive this data collection is.

Some of the measures that apps put in place are consent implementations to give users more choice. All these aspects are something we did not consider in the study.

So we do think there’s been some change but it doesn’t doesn’t show up in our data. Yeah, so maybe the final thing, which is particularly interesting given recent court rulings and rulings by regulators in the EU, is the fact that Google and Facebook are really prominent in data collection from mobile apps, despite being US-based.

This means that apps still widely send personal data from the EU to the US. And that’s not really supported anymore by EU law. That’s been due to the Schrems II ruling that puts tight restrictions on transatlantic data transfers. So there seems to be a current mismatch between apps’ data practices, the law and the enforcement of the law by regulators.

But it might change, regulators seem to be increasing their efforts. Even Google, apparently is now rolling out a ‘reject all’ button for its Google search engine in Europe, which it previously didn’t do.

It was quite cumbersome to select what data practices you allow Google to engage with when you first visit Google, and that’s now being addressed due to the French data protection regulator.

Kohei: Yeah, I assume that’s the your research is one of the good evidence, even the Google and Apple, a lot of other providers identified the trackers to the users, but actually, they are not doing the accurate to processing the personal data that is very important to the notice for the consumer should be understood, what is happened actually on data.

So the tracking is a keyword even a lot of vendors are developing their own technology, such as the privacy sandbox to other privacy protected ad-network but actually it might not be works even tracking a lot of this router network so there is a very scares.

So yeah, I learned a lot from the research, there is a very impressive with me. So the next topic about it’s very close to topic but actually a little bit different angle, which means the dark pattern.

I think there is a very important topic as well in Europe that has been started to discuss this theme in accordance with some of the digital regulations, as well as that in the US and in California is a very strong requirement.

The enterprise to avoid the infringement of the consumer nudging, designing processes for that. So in accordance with your article, you said dark patterns have a big impactful the users in some ways such as well-being or other perspectives.

So, my question is, what is the issues of dark patterns and privacy then how we can solve the issues from my perspective?

To be continued..

Thank you for reading and please contact me if you want to join interview together.

Privacy Talk is the global community with diversified expert, and contact me below Linkedin if we can work together!