Sitemap
A list of all the posts and pages found on the site. For you robots out there, there is an XML version available for digesting as well.
Pages
Posts
Future Blog Post
Published:
This post will show up by default. To disable scheduling of future posts, edit config.yml and set future: false.
Blog Post number 4
Published:
This is a sample blog post. Lorem ipsum I can’t remember the rest of lorem ipsum and don’t have an internet connection right now. Testing testing testing this blog post. Blog posts are cool.
Blog Post number 3
Published:
This is a sample blog post. Lorem ipsum I can’t remember the rest of lorem ipsum and don’t have an internet connection right now. Testing testing testing this blog post. Blog posts are cool.
Blog Post number 2
Published:
This is a sample blog post. Lorem ipsum I can’t remember the rest of lorem ipsum and don’t have an internet connection right now. Testing testing testing this blog post. Blog posts are cool.
Blog Post number 1
Published:
This is a sample blog post. Lorem ipsum I can’t remember the rest of lorem ipsum and don’t have an internet connection right now. Testing testing testing this blog post. Blog posts are cool.
portfolio
Portfolio item number 1
Short description of portfolio item number 1
Portfolio item number 2
Short description of portfolio item number 2
publications
Reliability of IP Geolocation Services for Assessing the Compliance of International Data Transfers
Published in 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2022
This paper evaluates 10 IP geolocation services and reveals their limitations for compliance analysis. When applied to data from 767 Android apps, services disagree on destinations of personal data flows—raising concerns for GDPR-based assessments of international transfers.
Recommended citation: M. Cozar, D. Rodriguez, J.M. Del Alamo, D. Guaman. "Reliability of IP Geolocation Services for Assessing the Compliance of International Data Transfers." IEEE EuroS&P Workshops 2022. https://doi.org/10.1109/EuroSPW55150.2022.00024
Download Paper
Automated GDPR Compliance Assessment for Cross-Border Personal Data Transfers in Android Applications
Published in Computers & Security, Volume 130 (2023), 103262, 2023
This paper presents an automated pipeline to assess GDPR compliance of cross-border personal data transfers in Android apps. Analyzing 4,593 apps, the study found that nearly half of those transferring data outside the EU fail to meet GDPR transparency obligations.
Recommended citation: D.S. Guamán, D. Rodriguez, J.M. del Alamo, J. Such. "Automated GDPR Compliance Assessment for Cross-Border Personal Data Transfers in Android Applications." Computers & Security, 130 (2023), 103262. https://doi.org/10.1016/j.cose.2023.103262
Download Paper
ATLAS: Automatically Detecting Discrepancies Between Privacy Policies and Privacy Labels
Published in 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2023
ATLAS analyzes 354,725 iOS apps and finds that 88% of those with both privacy labels and policies exhibit at least one discrepancy. The tool uses NLP to identify mismatches between declared practices and privacy labels—raising concerns of widespread compliance gaps.
Recommended citation: A. Jain, D. Rodriguez, J.M. Del Alamo, N. Sadeh. "ATLAS: Automatically Detecting Discrepancies Between Privacy Policies and Privacy Labels." IEEE EuroS&P Workshops 2023. https://doi.org/10.1109/EuroSPW59978.2023.00016
Download Paper
Comparing Privacy Label Disclosures of Apps Published in Both the App Store and Google Play Stores
Published in 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2023
Analyzing 822 apps available in both Google Play and the App Store, this study finds privacy label discrepancies in 66.5% of cases. It introduces methods to detect inconsistencies and explores the role of static analysis in validating app behaviors against label claims.
Recommended citation: D. Rodriguez, A. Jain, J.M. Del Alamo, N. Sadeh. "Comparing Privacy Label Disclosures of Apps Published in Both the App Store and Google Play Stores." IEEE EuroS&P Workshops 2023. https://doi.org/10.1109/EuroSPW59978.2023.00022
Download Paper
ROI: A Method for Identifying Organizations Receiving Personal Data
Published in Computing (Springer), Volume 106, Pages 163–184 (2024), 2023
ROI is an automated method to identify the organizations receiving personal data from Android apps. With a precision of 95.71%, the paper shows that 78% of apps fail to properly disclose these recipients, highlighting gaps in GDPR transparency compliance.
Recommended citation: D. Rodriguez, J.M. Del Alamo, M. Cozar, B. García. "ROI: A Method for Identifying Organizations Receiving Personal Data." Computing 106, 163–184 (2024). https://doi.org/10.1007/s00607-023-01209-2
Download Paper
Sharing is Not Always Caring: Delving Into Personal Data Transfer Compliance in Android Apps
Published in IEEE Access, Volume 12 (2024), 2024
Analyzing 9,000 Android apps, this paper shows that over 80% of those transferring personal data off-device fail to meet GDPR transparency requirements. It introduces a fully automated method to detect undisclosed personal data transfers and highlights the key role of third-party libraries in non-compliance.
Recommended citation: D. Rodriguez, J.M. Del Alamo, C. Fernández-Aller, N. Sadeh. "Sharing is Not Always Caring: Delving Into Personal Data Transfer Compliance in Android Apps." IEEE Access, 12 (2024). https://doi.org/10.1109/ACCESS.2024.3349425
Download Paper
Hunter: Tracing Anycast Communications to Uncover Cross-Border Personal Data Transfers
Published in Computers & Security, Volume 141 (2024), 103823, 2024
Hunter is an automated method to trace anycast communications and assess GDPR compliance. Applied to 197 Android apps, it found that 100% of analyzed anycast flows resulted in cross-border personal data transfers, none of which were properly disclosed in privacy policies.
Recommended citation: H. Pascual, J.M. del Alamo, D. Rodriguez, J.C. Dueñas. "Hunter: Tracing Anycast Communications to Uncover Cross-Border Personal Data Transfers." Computers & Security, 141 (2024), 103823. https://doi.org/10.1016/j.cose.2024.103823
Download Paper
Data Retention Disclosures in the Google Play Store: Opacity Remains the Norm
Published in 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2024
Analyzing 2,235 privacy policies of Android apps, this paper finds that over 50% fail to meet GDPR transparency standards on data retention. The study uses GPT-4 to evaluate compliance and reveals critical gaps in disclosure practices within the Play Store ecosystem.
Recommended citation: D. Rodríguez, C. Fernández-Aller, J.M. Del Alamo, N. Sadeh. "Data Retention Disclosures in the Google Play Store: Opacity Remains the Norm." IEEE EuroS&P Workshops 2024. https://doi.org/10.1109/EuroSPW61312.2024.00009
Download Paper
Large Language Models: A New Approach for Privacy Policy Analysis at Scale
Published in Computing (Springer), 2024, 2024
This paper evaluates the use of large language models like ChatGPT and Llama 2 to automate the analysis of privacy policies. Achieving F1 scores over 93% on benchmark datasets, it demonstrates that LLMs can outperform traditional NLP methods in accuracy, cost, and scalability.
Recommended citation: D. Rodriguez, I. Yang, J.M. Del Alamo, N. Sadeh. "Large Language Models: A New Approach for Privacy Policy Analysis at Scale." Computing (2024). https://doi.org/10.1007/s00607-024-01331-9
Download Paper
Anycast and Third-party Libraries: A Recipe for a Privacy Disaster?
Published in IEEE Communications Magazine (Accepted for Publication, 2025), 2025
This article reveals that 98.65% of Android apps and 90% of third-party libraries using anycast potentially violate GDPR by enabling undisclosed international personal data transfers. It emphasizes the need for transparency and standardization in TPL privacy disclosures.
Recommended citation: H. Pascual, J.M. Del Alamo, D. Rodriguez, J.C. Dueñas. "Anycast and Third-party Libraries: A Recipe for a Privacy Disaster?" IEEE Communications Magazine, 2025. https://doi.org/10.1109/MCOM.006.2400576
Download Paper
Privacy Settings of Third-Party Libraries in Android Apps: A Study of Facebook SDKs
Published in Proceedings on Privacy Enhancing Technologies, 2025(2), 2025
This paper investigates how Android developers configure privacy-related settings when integrating the Facebook SDK and Audience Network SDK. Analyzing over 6,000 popular apps, the study finds that many retain default settings that are less privacy-friendly and fail to align with declared practices in privacy labels and policies. It offers recommendations for SDK providers to promote data minimization and improve transparency.
Recommended citation: D Rodriguez, JA Calandrino, JM Del Alamo, N Sadeh. "Privacy Settings of Third-Party Libraries in Android Apps: A Study of Facebook SDKs." Proceedings on Privacy Enhancing Technologies, 2025(2). https://doi.org/10.56553/popets-2025-0056
Download Paper
talks
Reliability of IP Geolocation Services for Assessing the Compliance of International Data Transfers
Published:
Awarded Best Presentation. Presented our findings on the variability of geolocation services and their implications for GDPR compliance.
Identifying Organizations Receiving Personal Data in Android Apps
Published:
Poster presentation of our method to identify recipient organizations of personal data in Android apps, combining WHOIS, SSL, and privacy policy analysis with 94.73% precision.
Comparing Privacy Label Disclosures of Apps Published in Both the App Store and Google Play Stores
Published:
Awarded Second Best Presentation. Presented cross-platform analysis of privacy labels and the inconsistencies with real app behavior.
A Multi-Faceted, At-Scale Analysis of Apps Privacy Disclosures in the Apple and Google App stores
Published:
Presented a poster on automated at-scale analysis of apps privacy disclosures as part of the CMU CyLab Partners Conference 2023.
Data Retention Disclosures in the Google Play Store: Opacity Remains the Norm
Published:
Presentation of our study on data retention transparency in Android apps, based on large-scale analysis using GPT-4.
Privacy Engineering Research: Tools and Methods for GDPR Compliance Assessment
Published:
Invited by Ignacio Castro and his research group to present recent methods and findings in automated GDPR compliance assessment in Android apps.
teaching
Software Analysis and Design – Análisis y Diseño de Software (ADSW)
teaching, Escuela Técnica Superior de Ingenieros de Telecomunicación, Universidad Politécnica de Madrid (UPM), 2023
Since 2023, I have been teaching the second-year undergraduate course ‘Software Analysis and Design’ at the ETSI Telecomunicación (UPM), focused on software design principles, algorithmic complexity, and concurrent programming.
Social, Ethical and Legal Aspects of Data and Artificial Intelligence
teaching, Bachelor in Data Science and Artificial Intelligence, Universidad Politécnica de Madrid (UPM), 2024
Guest lectures delivered in 2024 and 2025 on personal data and its social, ethical, and legal implications, linked to my research in privacy and data protection.