Publications

You can also find my articles on my Google Scholar profile.

📌 Featured Publications


Privacy Settings of Third-Party Libraries in Android Apps: A Study of Facebook SDKs

Published in Proceedings on Privacy Enhancing Technologies, 2025(2), 2025

This paper investigates how Android developers configure privacy-related settings when integrating the Facebook SDK and Audience Network SDK. Analyzing over 6,000 popular apps, the study finds that many retain default settings that are less privacy-friendly and fail to align with declared practices in privacy labels and policies. It offers recommendations for SDK providers to promote data minimization and improve transparency.

Recommended citation: D Rodriguez, JA Calandrino, JM Del Alamo, N Sadeh. "Privacy Settings of Third-Party Libraries in Android Apps: A Study of Facebook SDKs." Proceedings on Privacy Enhancing Technologies, 2025(2). https://doi.org/10.56553/popets-2025-0056

📚 All Publications


Anycast and Third-party Libraries: A Recipe for a Privacy Disaster?

Published in IEEE Communications Magazine (Accepted for Publication, 2025), 2025

This article reveals that 98.65% of Android apps and 90% of third-party libraries using anycast potentially violate GDPR by enabling undisclosed international personal data transfers. It emphasizes the need for transparency and standardization in TPL privacy disclosures.

Recommended citation: H. Pascual, J.M. Del Alamo, D. Rodriguez, J.C. Dueñas. "Anycast and Third-party Libraries: A Recipe for a Privacy Disaster?" IEEE Communications Magazine, 2025. https://doi.org/10.1109/MCOM.006.2400576

Large Language Models: A New Approach for Privacy Policy Analysis at Scale

Published in Computing (Springer), 2024

This paper evaluates the use of large language models like ChatGPT and Llama 2 to automate the analysis of privacy policies. Achieving F1 scores over 93% on benchmark datasets, it demonstrates that LLMs can outperform traditional NLP methods in accuracy, cost, and scalability.

Recommended citation: D. Rodriguez, I. Yang, J.M. Del Alamo, N. Sadeh. "Large Language Models: A New Approach for Privacy Policy Analysis at Scale." Computing (2024). https://doi.org/10.1007/s00607-024-01331-9

Data Retention Disclosures in the Google Play Store: Opacity Remains the Norm

Published in 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2024

Analyzing 2,235 privacy policies of Android apps, this paper finds that over 50% fail to meet GDPR transparency standards on data retention. The study uses GPT-4 to evaluate compliance and reveals critical gaps in disclosure practices within the Play Store ecosystem.

Recommended citation: D. Rodríguez, C. Fernández-Aller, J.M. Del Alamo, N. Sadeh. "Data Retention Disclosures in the Google Play Store: Opacity Remains the Norm." IEEE EuroS&P Workshops 2024. https://doi.org/10.1109/EuroSPW61312.2024.00009

Hunter: Tracing Anycast Communications to Uncover Cross-Border Personal Data Transfers

Published in Computers & Security, Volume 141 (2024), 103823, 2024

Hunter is an automated method to trace anycast communications and assess GDPR compliance. Applied to 197 Android apps, it found that 100% of analyzed anycast flows resulted in cross-border personal data transfers, none of which were properly disclosed in privacy policies.

Recommended citation: H. Pascual, J.M. del Alamo, D. Rodriguez, J.C. Dueñas. "Hunter: Tracing Anycast Communications to Uncover Cross-Border Personal Data Transfers." Computers & Security, 141 (2024), 103823. https://doi.org/10.1016/j.cose.2024.103823

Sharing is Not Always Caring: Delving Into Personal Data Transfer Compliance in Android Apps

Published in IEEE Access, Volume 12 (2024), 2024

Analyzing 9,000 Android apps, this paper shows that over 80% of those transferring personal data off-device fail to meet GDPR transparency requirements. It introduces a fully automated method to detect undisclosed personal data transfers and highlights the key role of third-party libraries in non-compliance.

Recommended citation: D. Rodriguez, J.M. Del Alamo, C. Fernández-Aller, N. Sadeh. "Sharing is Not Always Caring: Delving Into Personal Data Transfer Compliance in Android Apps." IEEE Access, 12 (2024). https://doi.org/10.1109/ACCESS.2024.3349425

ROI: A Method for Identifying Organizations Receiving Personal Data

Published in Computing (Springer), Volume 106, Pages 163–184 (2024), 2023

ROI is an automated method to identify the organizations receiving personal data from Android apps. With a precision of 95.71%, the paper shows that 78% of apps fail to properly disclose these recipients, highlighting gaps in GDPR transparency compliance.

Recommended citation: D. Rodriguez, J.M. Del Alamo, M. Cozar, B. García. "ROI: A Method for Identifying Organizations Receiving Personal Data." Computing 106, 163–184 (2024). https://doi.org/10.1007/s00607-023-01209-2

Comparing Privacy Label Disclosures of Apps Published in Both the App Store and Google Play Stores

Published in 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2023

Analyzing 822 apps available in both Google Play and the App Store, this study finds privacy label discrepancies in 66.5% of cases. It introduces methods to detect inconsistencies and explores the role of static analysis in validating app behaviors against label claims.

Recommended citation: D. Rodriguez, A. Jain, J.M. Del Alamo, N. Sadeh. "Comparing Privacy Label Disclosures of Apps Published in Both the App Store and Google Play Stores." IEEE EuroS&P Workshops 2023. https://doi.org/10.1109/EuroSPW59978.2023.00022

ATLAS: Automatically Detecting Discrepancies Between Privacy Policies and Privacy Labels

Published in 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2023

ATLAS analyzes 354,725 iOS apps and finds that 88% of those with both privacy labels and policies exhibit at least one discrepancy. The tool uses NLP to identify mismatches between declared practices and privacy labels—raising concerns of widespread compliance gaps.

Recommended citation: A. Jain, D. Rodriguez, J.M. Del Alamo, N. Sadeh. "ATLAS: Automatically Detecting Discrepancies Between Privacy Policies and Privacy Labels." IEEE EuroS&P Workshops 2023. https://doi.org/10.1109/EuroSPW59978.2023.00016

Automated GDPR Compliance Assessment for Cross-Border Personal Data Transfers in Android Applications

Published in Computers & Security, Volume 130 (2023), 103262, 2023

This paper presents an automated pipeline to assess GDPR compliance of cross-border personal data transfers in Android apps. Analyzing 4,593 apps, the study found that nearly half of those transferring data outside the EU fail to meet GDPR transparency obligations.

Recommended citation: D.S. Guamán, D. Rodriguez, J.M. del Alamo, J. Such. "Automated GDPR Compliance Assessment for Cross-Border Personal Data Transfers in Android Applications." Computers & Security, 130 (2023), 103262. https://doi.org/10.1016/j.cose.2023.103262

Reliability of IP Geolocation Services for Assessing the Compliance of International Data Transfers

Published in 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2022

This paper evaluates 10 IP geolocation services and reveals their limitations for compliance analysis. When applied to data from 767 Android apps, services disagree on destinations of personal data flows—raising concerns for GDPR-based assessments of international transfers.

Recommended citation: M. Cozar, D. Rodriguez, J.M. Del Alamo, D. Guaman. "Reliability of IP Geolocation Services for Assessing the Compliance of International Data Transfers." IEEE EuroS&P Workshops 2022. https://doi.org/10.1109/EuroSPW55150.2022.00024