While smartphone users generally agree to share some kinds of data with software publishers when they download apps, many are giving up far more personal information than they realize, according to a team of information technology researchers.

One reason for this: while different apps request different specific permissions, many also share information with the same third-party libraries containing pre-written code to help developers track user engagement and earn money through display ads. And information shared through these libraries isn't usually transparent to users.

More than 70 percent of the 5,000 apps the researchers studied reported users' personal data to third-party companies. In fact, through its many tracking domain properties, Google parent company Alphabet alone collected user data from more than 48 percent of the apps studied, according to the researchers.

1 out of 4 Trackers Collects Unique Identifiers

Writing this week in The Conversation, Narseo Vallina-Rodriguez of the University of California-Berkeley's International Computer Science Institute and Princeton University computer scientist Srikanth Sundaresan described how they and five other researchers from several other organizations created a free Android app called the Lumen Privacy Monitor to gather data for their study. Published on the Google Play Store, the app has been downloaded and used by more than 1,600 people since October 2015.

"We discovered 598 Internet sites likely to be tracking users for advertising purposes, including social media services like Facebook, large Internet companies like Google and Yahoo, and online marketing companies under the umbrella of Internet service providers like Verizon Wireless," Vallina-Rodriguez and Sundaresan said. "We found that more than 70 percent of the apps we studied connected to at least one tracker, and 15 percent of them connected to five or more trackers."

What's more, the researchers found that one out of every four tracking sites was harvesting a unique identifier such as an IMEI number from users' devices. This enables trackers to "connect different types of personal data provided by different apps to a single person or device," Vallina-Rodriguez and Sundaresan said. In most cases, even privacy-savvy users would likely be unaware such data was being tracked.

'Users Need To Know'

By analyzing data collected via the Lumen Privacy Monitor, the researchers were also able to determine that over half of the trackers were able to identify mobile users across devices, meaning they could observe activity on Web sites as well as on apps. This could enable companies to develop "a much more complete profile of your online persona," Vallina-Rodriguez and Sundaresan noted.

The researchers also expressed concern about data being "shipped across national borders," often to countries with widespread surveillance or less-stringent privacy laws, and about some apps for children that were leaking unique identifiers that could be used to pinpoint their physical locations. Tracking such information about children could violate Federal Trade Commission regulations, they said.

Vallina-Rodriguez and Sundaresan concluded that it could be hard to solve such app-related privacy issues. Blocking sensitive information could negatively affect app performance, and even shifting to a paid-app system wouldn't necessarily eliminate user tracking, they said.

"Our findings may be merely scratching the surface of what is likely to be a much larger problem that spans across regulatory jurisdictions, devices and platforms," the researchers wrote. "Transparency, education and strong regulatory frameworks are the key. Users need to know what information about them is being collected, by whom, and what it’s being used for. Only then can we as a society decide what privacy protections are appropriate, and put them in place. Our findings, and those of many other researchers, can help turn the tables and track the trackers themselves."