1. Motivation
As smartphone usage and capabilities grow rapidly, more complex operating systems and applications are developed that can offer a wider range of services to users. Apart from traditional mobile phone functionalities such as voice calls and text messaging, smartphones offer a variety of capabilities such as global positioning system (GPS) services, email services, video recording, web browsing and third-party apps (throughout this document, we will use the term “app” as an abbreviation for mobile applications). Large volumes of users’ personal data are generated and stored on smartphones, such as location traces, usage logs, contacts, photos, documents, calls and messages. Each data type serves a series of purposes ranging from the enrichment of the functionalities of the smartphone to improve the user experience, to the processing and storage of the data. Even when the smartphone is not actively being operated by the user, it produces personal information about the user, such as location traces and date-time logs of smartphone activation or shutdown.
These data are often collected by the operating system or the apps on various occasions and for a number of needs, such as to support their functionality requirements, create detailed profiles of the users or gain insight into a user’s needs and behaviour. The user is asked and/or supposed to give her consent to these apps to access her personal data as dictated/required by the permissions model. Currently, there is no generally applicable policy model to effectively specify the terms, conditions and purposes for the collection and processing of users’ personal data. However, this practice is to be assessed for its compliance with the law. With regard to the respective regulations of the European Union, personal data are protected and their processing is regulated by the Data Protection Directive 96/46/EC. Data characterised as communication/traffic data (usage logs, location, duration, etc.) are additionally protected by (tele)communications secrecy and the rules embedded in the e-Privacy Directive (Directive 2002/58/EC).
However, despite the fact that legal frameworks exist in many countries that specify how personal data are supposed to be handled, there seems to be a considerable lack of transparency regarding the way permission requests are made. The lawfulness of these requests, as well as of the respective collection of data, is also questioned. Moreover, we diagnose a...





