April 11, 2018
Answered

Prevent network call on app start to https://airdownload2.adobe.com (violates GDPR law)


Hey Folks,

I work at a publisher for mobile games, we have some AIR games in our portfolio and need to make sure that all our apps comply with the new European GDPR law and accompanying Google and Apple software policies. This means that mobile apps cannot make ANY network calls without first informing the user why they are needed and we need to ask for explicit permission first. However, whenever we start one of our AIR apps on a mobile device it automatically makes a network call to https://airdownload2.adobe.com. Can anyone tell me what this call is for and how we can disable it? If we cannot disable it then we may have to pull all our AIR apps from Google Play and the iOS app store since we cannot risk any lawsuits, so an answer would be much appreciated.

Thanks!

This topic has been closed for replies.

3 replies

rikl14421868AuthorCorrect answer
Inspiring
October 16, 2018

According to Adobe this has been fixed with AIR 31 :D. It took a while, but big thanks for responding and solving the problem Adobe!

Issue tracker: Tracker

natural_criticB837
Legend
October 16, 2018

Hi,

How exactly was this resolved? Is the tracking call removed completely or do we have to deactivate it manually?

Thanks in advance

Inspiring
November 7, 2018

Our QA has tested the latest build of one of our AIR apps for Android and has checked the network traffic, the network call is no longer being made on app start. We did not have to make any changes for this (other than updating to AIR 31).

Inspiring
May 10, 2018

a network call "as is" does not fall under GDPR
eg. https://airdownload2.adobe.com

without query parameters in a GET request
or body data in a POST request
does not transfer user data to an adobe server

unless PII are passed to the URL call there is no need to worry about GDPR

have a look at

Adobe Analytics and General Data Protection Regulation (GDPR)

Inspiring
May 11, 2018

Hey zwetan_uk​, thanks for the feedback.

Any network call identifies the user to the receiver. If the IP is logged then that is data collection. There have been court cases about this, even dynamic IPs have been ruled to be "personal information", so they cannot be collected. At this point we have no idea what the call is being made for so we also don't know if IPs are being logged.

Unfortunately we don't just have to contend with the GDPR, there's also Google and Apple's own software policies, which are even more explicit and restrictive (see the links in my earlier post). Google will label apps as violating users' privacy if they don't first show a consent popup, which will also negatively affect their search rankings and make them ineligible for a feature.

What's frustrating is that we don't know what this call is being made for at all: analytics, updates or whatever it may be. Developers have no choice to opt-in/out. We never requested or enabled analytics by Adobe, also we don't have access to the data so we have no idea what is being collected.

If the call is being made for Analytics, as the link you provided implies, then that is actually a problem.

Inspiring
May 11, 2018

I'm not gonna go too much in depth about it and I'm not a lawyer

yes, an IP address is considered as personal information (or personal data)

and GDPR is clear: no personal data without consent


but when your AIR app initialises a connection to an Adobe server

you as a software provider neither collect nor process the data

if any data was sent during this network call

Adobe on the other end is to be considered as a data collector (controller)

they are the one who stores the IP address on their server logs

and technically they may not store the full IP address
for example (like with google analytics) you can anonymize an IP address

by removing the last 2 bytes

eg. 192.168.1.1 (full)
vs   192.168.0.0 (last 2 bytes removed and so anonymized)

For other things Adobe is also to be considered a data processor
and they cover it to a great extent on their privacy pages


see
Adobe Privacy Policy

Desktop App Usage Information FAQ

EU-U.S. Privacy Shield/European data transfers

General data protection regulation, GDPR | Adobe Privacy Center

but more importantly, you have the right to store the IP address on a server log

as long as it is used for the security of the system

see

https://www.ctrl.blog/entry/gdpr-web-server-logs

Legal basis for collecting and storing logs without consent

You can’t collect and store any personal data without having obtained, and being able to document that you obtained, consent from the persons you’re collecting data from. You can, however, collect and store personal data as part of web servers logs for the purposes of detecting and preventing fraud and unauthorized access and maintaining the security of your systems.

but again it is not your server collecting the data
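
The truncation described in the post above, applied to server log lines, as an added example that is not part of the original thread. The /16 IPv4 prefix follows the post's "last 2 bytes removed"; the /48 IPv6 prefix, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

KEEP_V4 = 16   # bits kept for IPv4: the post's "last 2 bytes removed"
KEEP_V6 = 48   # bits kept for IPv6: an assumption made for this example
TOKEN = re.compile(r"[0-9A-Fa-f:.]+")   # runs of characters an address can contain

def anonymize_ip(text):
    """Return the address with its trailing bits zeroed, or None if text is not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries an IPv4 client
    # address; truncate it as IPv4, otherwise /48 would leave it fully intact.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = KEEP_V4 if addr.version == 4 else KEEP_V6
    return str(ipaddress.ip_network(f"{addr}/{keep}", strict=False).network_address)

def _scrub_token(match):
    tok = match.group(0)
    anon = anonymize_ip(tok)
    if anon is not None:
        return anon
    # "a.b.c.d:port" is not a valid address as a whole; retry on the host part.
    host, sep, port = tok.rpartition(":")
    anon = anonymize_ip(host) if "." in host else None
    return f"{anon}{sep}{port}" if anon is not None else tok

def scrub_line(line):
    """Truncate every IP address found in a log line; leave all other text as is."""
    return TOKEN.sub(_scrub_token, line)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.77 - - [11/Apr/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:abcd:12:1:2:3:4 - - [11/Apr/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    'proxy: client=192.0.2.44:51234 forwarded ::ffff:198.51.100.23',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_line(entry))
```

Timestamps, status codes and protocol versions such as `HTTP/1.1` do not parse as addresses and pass through unchanged.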

natural_criticB837
Legend
April 11, 2018

Hey, as many others we are also currently preparing for the new rules. Can you link a source where it says you can not have any network calls before approval of the users? Also, our understanding currently is that it would be sufficient to link the terms of service in the app description to state that using the app requires consent with those.

Inspiring
April 12, 2018
There's the GDPR rules as set by the European union which do make an exception for collection of data for "legitimate interests", such as data that has to be sent for the proper operation of the app/software, however the definition of "legitimate interests" is very murky. The only case I could find where "legitimate interest" was judged to be the case was a German government agency that was logging IPs in order to prevent fraud with unemployment benefits. Our legal department has weighed the risks and we've chosen not to take any risks in this regard, gambling on network calls used essentially for analytics being counted as "legitimate interest" is not something we want to do. Also, there have even been lawsuits that have set a legal precedent for dynamic IP addresses being counted as "personal information", which means any network call can be seen as collection of personal information (collection, not necessarily storage, the legal distinction for this is also vague though)*. Hypothetically though, even if this network call would fall under "legitimate interests", the user would still have to be informed of it before it is made and have a chance to opt-out.

Additionally, in response to the GDPR law Google created their own software policies, these are even more strict and explicit than the GDPR law. The information is unfortunately spread out over multiple blog posts, articles and announcements, you can find most of the information here:

Google Online Security Blog: Additional protections by Safe Browsing for Android users

Unwanted Software Policy | Google – Google

Privacy, Security, and Deception - Developer Policy Center

Android will flag snooping apps that don’t warn users

What it boils down to is that you cannot collect ANY information or make any network calls before informing the user and asking for consent. Our legal department has evaluated the situation and we are now making sure that all of our apps don't make any network calls whatsoever before a popup is shown to the user and consent is given.

*There is a sound reason for this: if a company collects data while you are browsing "anonymously" and they link that data to your IP, then later if you log in to one of their services with the same IP you identify yourself and they can link your "anonymous" data to your logged in identity. This is why even a dynamic IP is seen as personal information and logging it without prior warning and consent is illegal. Of course there is a difference between websites and apps, websites cannot work at all without you making a request and them knowing your IP (so they can receive the IP address but not log it or store it), apps however should not need to make any network calls for them to be able to start.

Inspiring
April 17, 2018

Bump. This needs to be cleared up before 25 May 2018 when the GDPR law is enforced. If Adobe does not respond to this we as a publisher may be forced to delete all our AIR apps from the Google Play and Apple App Store so that we do not risk lawsuits and damage to our reputation both with Google/Apple and towards our customers (we do not want any of our apps flagged for privacy violations).

This requires an official response from Adobe and appropriate action. If this issue is not addressed then we as a publisher, our developers and many other AIR developers will be directly affected and may incur significant losses in our business and income. If this is the case then I expect people will hold Adobe accountable. A response from Adobe would be prudent, if there is any way to escalate this message so that we can get an official response that would be much appreciated.

I've also created a bug tracker here: Tracker