This research aims to establish a new perspective on super apps by examining the role of geolocation in their development. While unpacking the definition of super apps in a broad perspective, it highlights the unnoticed aspect of the geolocation that can redefine the term. With the location-based research on the platform VKontakte (VK), the privacy policies, permissions and the features of the European Union’s (EU) and Russian versions of the app are compared. This comparison brings forward the limitations and opportunities specific locations can offer for the development of super apps.
The exponential growth of mobile apps has led to new forms of app development, which we explore through a case study of VKontakte (VK). This Russian super app belongs to a new model of mobile apps considered “the do-everything apps” (Steinberg, 2020). This research aims to analyse both the app’s Russian and European Union version, their features, required user permissions and privacy policies, in order to conclude what can be considered a super app, and what role geolocation and different values and jurisdictions play in shaping this definition.
The term “super app” has emerged to define a unique mobile app that conveys in the same digital space different services that facilitate daily users’ tasks. It has its own environment on which users can depend: “Super-apps play the role of a marketplace or ecosystem that hosts in itself different types of solutions, services and experiences that traditionally would only be found in an app specifically designed for it.” (Roa et al., 2021). The ecosystem surfacing from super apps translates into increasing user reliance since their everyday needs can be satisfied within one app. “Super-apps provide an ecosystem of services on one platform, thus, allowing their makers to cross-sell and improve user loyalty” (Roa et al, 2021). Users’ privacy and safety need to be considered in super apps evolution, as “the challenges related to security and privacy are key aspects for keeping user data safe.” (Carvalho Ota et al., 2020).
These apps provide diverse functionalities that may or may not constraint the scope in which an app falls under the super app definition. They provide features ranging from chats to social media platforms, online shops to streaming services. Super apps focus on various functionalities at the same time and place - these are apps inside a particular app. Downloading smaller apps within a larger app is possible due to the “mini-program” attribute - “which allows [them] to have the same functionalities as a specialised app directly within the super-app interface.” (Roa et al., 2021). This is one of the common grounds when describing the emergent super apps - “super app internalizes the functions of the web, other apps, and its own complementors” (Steinberg, 2020).
One of the many features stressed when attributing the connotation of the super app are banking and financial functions. However, this can be a controversial feature due to an app’s adjustment to different legislations. Questioning user’s privacy, the GDPR along with European Banking Authority (EBA) legislation, a set of directives and regulations that supervise, among others, online banking, safeguard the use of citizens’ personal data. One of them, the Second Payment Services Directive, or PSD2 - which came into force in 2020 - aims to regulate electronic payment services, to bring security into online banking and shopping, (European Commision, 2020). Its scope “applies to payment services provided within the Union” (Second Payment Services Directive, 2020)
In September 2021, the EBA published a report that analysed “the digitalisation of both front and back-office processes in the EU’s banking and payment sector” (EBA, 2021). It emphasised the challenges of “competent authorities in monitoring market developments and any risks arising from these interdependencies.” (EBA, 2021). Additionally, the Digital Markets Act (DMA), proposed by the European Commission is under scrutiny. This Act’s objective is “to ensure a level playing field for all digital companies, regardless of their size” (European Parliament News, 2021).
This structurally regulated market sets limitations for apps’ banking business models, considered a drawback in the development of a super app in the EU landscape, demonstrating how the legal framework may shape its development.
In comparison, Russia does not follow the GDPR as it has its own data protection law - the Federal Law “On Personal Data” No. 152-FZ introduced in 2006 (Roskomnadzor, 2013). Overall, it carries the same function within the Russian legislative system as GDPR in the EU - that is to provide security and protection for individuals’ personal data, as well as its processing. Moreover, in contrast to the EU, there is no centralised concept such as the EU banking and financial service law in Russia. Instead, there are two distinct laws: one is concerned with banking, its procedures, and information security within Russian banking systems (Bank of Russia Standard, 2014), and the other addresses regulations on the national payment systems. The Federal Law "On the National Payment System" includes rules on various payment systems existing within Russia, this includes rules regarding online wallets. One of the recently accepted laws (11 July 2021) allows for the transfer of money through anonymous electronic wallets with the use of simplified identification (Svetlova, 2021). Altogether, this creates a friendly environment for the growth and development of electronic wallets and digital means of payment in Russia, such as VK Pay.
A detailed analysis of different aspects regarding VKontakte is conducted throughout this paper. Our main conclusion focuses on the conditions that need to be reunited in order for an app to enter the super app realm, and how different geolocations and respective practises and jurisdictions help shape it.A manually compiled list of VKontakte’s official features (excluding third-party applications) with their relations within the interface and whether they are available to Russian users only or worldwide: https://drive.google.com/file/d/1HfMT2xrcT6UT7RtzKhENDY4cf3qgS2Ul/view?usp=sharing
2. Data from the analysis of the Google Play Store APKs of VKontakte and Facebook using the tools AppInspect and Exodus, including a list of general required permissions: https://docs.google.com/spreadsheets/d/1Wier4Hw7o3lBSX5RsbAZy9L--O05Nv9B/edit ?usp=sharing&ouid=105507083896594396938&rtpof=true&sd=trueThis research examines Russia’s largest social ecosystem app, VKontakte, in its Russian and EU versions, comparing access to functionalities, required permissions and privacy policies of this (super) app. Firstly, one of the approaches is a comparative study of VK’s Russian and EU privacy policy, in order to trace whether there are any distinctions based on geolocation. The gathering and analysis of these privacy policies will be conducted manually. A second analysis addresses the requested permissions users need to give to engage with the app. For an equitable comparison, the comparison is drawn between VK’s and Facebook’s general permissions in the Google Play Store. The collected data on VK’s permissions is gathered through the AppInspect tool. Since AppInspect is unable to extract data on Facebook, the tool “Exodus” was used to access data on Facebook’s app permissions. To present these findings, two different visualisations were made: one - made through Photoshop - represents all the general permissions required on both apps, the other - made through RAWgraphs - exposes the ones considered dangerous by Google in both apps. Lastly, by manually collecting the diverse features accessible through VK, a dataset identifying different features available in Russia and the EU was created, highlighting what is allowed in Russia, not allowed in Europe, and vice versa, noting the differences in geolocations. Further, conclusions are drawn on the reasons for such discrepancy between both versions of the same app. To illustrate the different VK app features, a visualisation was created - with the help of UVA Winter School’s DensityDesign team member Andrea Benedetti - using RAWgraphs. This is beneficial in addressing how these features differentiate and limit the creation of the super apps.
Based on these datasets and visualisations, we analyse VK’s particularities as a super app, re-considering them as apps within apps, and formulating our own definition, taking into account how geolocation, changing permissions, privacy policies and features can influence what a super app is and how they alter its meaning.The findings are divided into three sections: privacy policy, permissions and features. The results are extracted from a comparison between the Google Play Store, located in a country within the European Union (the Netherlands) and Russia.
When downloading VKontakte in a European Play Store, one gets directed to ‘vk.com’, accompanied by a separate Cookie Policy. This policy is absent from its Russian counterpart. Both the European VK privacy and cookie policies contain a distinct statement: “This Privacy Policy applies only to the European Union-based users. If you are not a European Union-based user, please refer to the Privacy Policy applicable in the relevant jurisdiction.” (VKontakte, 2018) The sites are customised to the European Union jurisdiction. The general privacy policy therefore mostly correlates to the European law “on the protection of natural persons with regard to the processing of personal data” (Radley-Gardner et al, 2016).
The Russian VK version, in addition to the general privacy terms, relates its privacy policy to the local context by referring to the Federal Law “On Personal Data”. The Russian VK private policy states that according to this law “no separate consent of the User for the processing of his / her personal data is required. By virtue of sub-clause 2, clause 2, Article 22 of this Law, the Site Administration has the right to process personal data without notifying the authorised body in charge of personal data protection.” (VKontakte, 2021). This, in turn, gives the Site Administration a certain level of freedom to operate with the users’ data within the app’s ecosystem on the local Russian level.
As the European version of VK is based around GDPR legislation and the Russian version takes into account the local Personal Data Law, it is worth mentioning their distinctions. They are similar in the way that they ensure the protection of individuals’ personal data and processing. However, they have some differences when it comes to key definitions, responsibilities during data processing, as well as territorial scope (OneTrustDataGuidance and Goroddisky & Partners, 2019). As such, the GDPR considers special protection for children, outlines the territorial scope by referring to the EU citizens, and has a large financial penalty for law violation of up to 20 million euros. The Personal Data Law, on the other hand, does not include special protection for children, nor does it outline the territorial scope, and has a much smaller fine of up to 260 000 euros (OneTrustDataGuidance and Goroddisky & Partners, 2019). In contrast to the GDPR, Russian law carries a different interpretation of the term “personal data”, referring to it as “any information directly or indirectly related to a specified or determined individual (i.e. the subject of the personal data).” (Salminen et al., 2020); making its definition broader in comparison to the one proposed by the GDPR. Overall, the Russian data protection legal framework could be considered vaguer in comparison to that of the EU.
The introduction of the cookie policy of the company claims: “We believe in being clear and open about how we collect and use data related to you. In the spirit of transparency, this policy provides detailed information about how and when we use cookies.” (VKontakte, 2018) This is an interesting statement as Chapter II ‘General Principles’ Article 5 ‘Principles relating to the processing of personal data’ 1(a) of the European law, mentioned in the previous paragraph, requires that personal data needs to be “processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency)” (Radley-Gardner et al, 2019). VKontakte’s statement becomes rather insignificant, due to its legal obligation to be transparent about what kind of data is extracted from their users.
The Russian app version does not include distinct Cookie Policy outlines in the app. The European legislative system has a separate Cookie Law concerning the legal use of Cookies. There is no such law within the Russian legislative system, which could be one of the potential reasons for the Russian VK not specifying the Cookie Policy. A brief mention of cookies appeared in The Personal Data Law only in 2018, where it was included as an extension to the personal data term definition (Gurkov, 2021).
Further, according to the privacy policy of the Ecosystem user agreement, Clause 2.2 of the agreement states that “The use of any VK Ecosystem Service and/or its tools,...also means acceptance by the User of the terms of individual user agreements of these VK Ecosystem Services or VK Ecosystem tools and their privacy policies... in full, without any reservations or exceptions.” (Vkontakte Ecosystem user agreement, 2021). Therefore, by agreeing to the general VK Ecosystem terms of use, the user automatically accepts all the individual user agreements and privacy policies of the services and tools within the ecosystem. The VK Ecosystem partly belongs to the larger Mail.ru group. Henceforward, through a general user agreement, the personal data is automatically shared with all other parties within the VKontakte Ecosystem.When it comes to our analysis of VKontakte’s app permissions, one striking finding is the number of permissions - 84 in total - requested by the app. To put this amount into perspective, Figure 1 compares this number to Facebook's permission requests (59 permissions).
Taking a closer look, we found that the permissions can be categorised within the following sections: “Normal”, “Dangerous”, “Signature” and “Other/Unknown”. These categories are used by Google and characterise “the potential risk implied in the permission” granted by their Android Developer tool. Permissions that fall into the “normal” section, are perceived as “lower-risk” as they grant “requesting applications access to isolated application-level features.” Permissions labelled as “dangerous” are valued as “higher-risk” as they give applications access to “private user data or control over the device that can negatively impact the user.” “Signature” level permissions are permissions which are only granted “if the requesting application is signed with the same certificate as the application that declared the permission.” (Android Developers 2021). Finally, the permissions categorised under “Other/Unknown”, are as the name suggests unknown, meaning they come from another source than the Android Developer tool.
Diving deeper into the permissions requested by VKontakte and Facebook, Figure 2 highlights the “dangerous” permissions requested by the two platforms. Besides requesting more permissions, the amount of “dangerous” permissions requested by VK also exceeds that of Facebook (13 vs 10). With more than half of VK’s permissions categorised within the “Other/Unknown” section (see Figure 1), this number of dangerous permissions might even be higher. However, due to their obscure nature, one is unable to indicate the potential risks of these permissions.
Fig 1: VK and Facebook app permissions comparison Fig 2: VK and Facebook “dangerous” permissions comparisonVKontakte’s different functionalities within the app vary depending on the region, in this case, EU and Russia. The dataset presents a clear distinction between the features that each version offers to its users.
Features such as chat, news feed and articles, voice calls and online meetings are common to both versions, similar to many apps. Other common features include health-themed functions, apart from Link Medical ID, only available in Russia, since VKontakte works directly with Russia’s Health Ministry registers, which also allows for the possibility of a Russian COVID Vaccination Status’s feature, whereas EU Privacy law prevents it in the EU; and Call Emergency Services, a Russia-only service. Services such as Academic Curriculum, are available only in VKontakte Russia, as VK works with official Russian education institutions. Many other services are only permitted in Russia since they aren’t aligned with EU regulations. Cultural features such as music, books, movies, live sports broadcasts don’t comply with EU copyright law but are available in Russia.
Another feature only available in Russia’s VKontakte app is the VK Pay, incorporating a virtual bank account, physical debit card and VK cashback. EU banking and financial services laws don’t allow for this. The Russian version also offers physical services, such as Food Delivery services and VK Taxi. Another interesting feature is the third-party app store which is an app store within VKontakte’s app. The Russian version allows users to download all apps that VKontakte runs.
Fig 3: Features availability in EU and Russia
From the findings presented above, it is possible to analyse the main differences between VKontakte’s EU and Russian versions. There is an evident pattern in Russia’s version that is not visible in the EU's version.
Starting with the privacy policy, distinct policies are mentioned in the Russian and the EU version of the app. The EU version of VKontakte’s privacy policy indicates the observation of EU’s legal regulation, from which privacy policies are made in accordance with sets of EU directives and regulations. The Russian version, on the other hand, includes Russian local specificities by taking into account the Russian legal regulations. The private data legislation in the EU and the Russian Federation share many similarities, however also carry some significant differences, as the GDPR includes more specificities than the Personal Data Law. The lack of clarifications may potentially open room for data speculations. Altogether, one can suppose that it is not the difference between laws, but rather the absence of EU legal alternatives within the Russian legislative system, which allow for super apps such as VK to function fully within the country.
Relating the privacy policy to the wider Russian legal debate, Yarovay law is important to consider. Introduced in 2016, it obliges data organisers to keep transferable information (user’s messages) stored for up to one year. Secondly, the law binds them to grant encryption keys to Russian enforcement authorities (Gurkov, 2021). Hence, this gives authoritative governmental bodies power over personal data. As the Russian VK version follows the local jurisdictions, it also has to obey the Yarovaya law. This legal environment allows for easier state control. The creation of a single super app ecosystem falls into the state surveillance ideology, where all life aspects could be potentially traced within one platform.
The app’s permissions comparison with Facebook acknowledges the extensive permissions users are requested in VKontakte. Permissions authorise apps to collect users’ data, their consent is necessary, however, many times it doesn’t explicitly state how it is collected and processed (Pybus, Coté, 2021), hence the 84 permissions VKontakte’s app requires. From three types of permissions, there isn't a specific description on “Other/Unknown”. These could be custom permissions, designed by the platforms themselves, which one can only speculate about. The binary response to permissions is fundamental for users’ interaction with the app, they are “able to exercise their agency through dismissing or granting (some of) the permissions”. By granting an app permission, “Big Data is shared across applications and different corporations, and value is generated in opaque ways” (Lai, Flensburg, 2020). The significant number of permissions VKontakte requests to provide means to satisfy daily users’ needs in one singular app, defines its business model.
Regarding its features, it is visible that the extensive functionalities the app doesn’t run in the EU when passing through EU legal frameworks. The active features within the EU’s version of the VK app are significantly less than those in Russia's version. As explained, Russian VK is directly connected to different government bodies, allowing for a variety of functionalities within the app. Diverse app’s stakeholders related to the State explains the connection, “Russia’s Gazprom has gained control of the country’s largest social media network, VKontakte” (The Moscow Times, 2021). Criticism arose regarding the approximation to the Kremlin, and “accused the company of readily sharing user data with Russia’s security services.”(The Moscow Times, 2021).
The original term “super app” was defined by Blackberry’s owner Mike Lazaridis in 2010 as “a closed ecosystem of many apps”. Its collection of features makes users engage daily “because they offer such a seamless, integrand, contextualised and efficient experience.” (Infopulse, 2019) “A super-app is a stripped-down version of an app that runs within an all-in-one platform, allowing users to bypass an app store like that of Apple” (Fasnacht, 2021) However, how timeless this definition might seem, some adjustments can be made, which is elaborated in our results.
We have observed different aspects of the app VKontakte; the privacy policy, permissions and its features, and the differences when the application is downloaded in an EU country or Russia. Visualisations were used on the sections of permissions and features to emphasise VKontakte’s impact on the utilisation of their users’ data. The privacy policy showed that the European Union has stricter and clearer legislation on data tracking and processing than Russia; a considerable amount of permissions used by VKontake were threatening the users’ privacy and security; more features are allowed in the Russian version of the app than in the European version due to the restrictive European laws. These three categories showed the restrictions on super app development in the EU, due to different regulations, meaning that the regulatory landscape and the market circumstances in the EU do not allow for the same kind of super app as available in Russia.
Therefore, we want to iterate VKontakte's heavy reliance on the reigning legislation of the geographical location the app is downloaded from. Constructed from our research we want to propose our interpreted definition of Super Apps:
Super Apps are closed media ecosystems that seamlessly link digital features and services, which nature is contingent on the geopolitical legislation they operate in.
These are apps that run within apps themselves, as shown with VK, dismissing any other “outside” apps. The major collection of users’ data creates a sense of fulfilment with just one (super) app. However, “[a]s super apps gain popularity and become trendy, the concerns related to security and privacy for the user data must be a priority” (Carvalho Ota, 2020). It is evident that users’ geolocation and inherent regulation shape a super app: where privacy laws are less strict, the super app has better conditions to prevail and rule.
Since this is an emerging topic, whose evolution happens daily, further research may portray new elements, crucial to an ever-changing definition and unfolding of super apps, consequently making the super app and its definition somewhat dynamic.
Moreover, further research may investigate the increasing impact of super apps’ popularity in a user’s life, analysing them through a societal lens.Android Developers. 2021. ‘Guide’. Android Developers. Accessed 18 January 2022. https://developer.android.com/guide/topics/manifest/permission-element?hl=nl.
‘AppInspect’. Jason Chao. n.d. Accessed 19 January 2022. https://appinspect.jasontc.net/.
Bank of Russia Standard. 2014. ‘MAINTENANCE OF INFORMATION SECURITY OF THE RUSSIAN BANKING SYSTEM ORGANISATIONS’. https://www.cbr.ru/Content/Document/File/51217/st-10-14_en.pdf.
Carvalho Ota, Fernando Kaway, Jorge Augusto Meira, Raphael Frank, and Radu State. 2020. ‘Towards Privacy Preserving Data Centric Super App’. In 2020 Mediterranean
Communication and Computer Networking Conference (MedComNet), 1–4. Arona, Italy: IEEE. https://doi.org/10.1109/MedComNet49392.2020.9191550.
‘Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on Payment Services in the Internal Market’. n.d. Accessed 19 January 2022.
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L2366. ‘EBA Digital Platforms Report - 210921.Pdf’. n.d. Accessed 19 January 2022. https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Repo rts/2021/1019865/EBA%20Digital%20platforms%20report%20-%20210921.pdf. ‘EBA Regulation and Institutional Framework’. 2019. European Banking Authority. 19 March 2019. https://www.eba.europa.eu/about-us/legal-framework/eba-regulation-and-institutional-frame work.
‘EU Banking and Financial Services Law’. n.d. Text. European Commission. Accessed 19 January 2022. https://ec.europa.eu/info/law/law-topic/eu-banking-and-financial-services-law_en. ‘EU Digital Markets Act and Digital Services Act Explained | News | European Parliament’. 2021. 14 December 2021. https://www.europarl.europa.eu/news/en/headlines/society/20211209STO19124/eu-digital-ma rkets-act-and-digital-services-act-explained.
Fasnacht, Daniel. 2021. ‘Banking 4.0: Digital Ecosystems and Super-Apps’. In Theories of Change, edited by Karen Wendt, 235–56. Sustainable Finance. Cham: Springer International Publishing. https://doi.org/10.1007/978-3-030-52275-9_15.
Federal Law of 27 July 2006 N 152-FZ ON PERSONAL DATA. n.d. Accessed 19 January 2022. https://pd.rkn.gov.ru/authority/p146/p164/.
Gritsenko, Daria. 2021. The Palgrave Handbook of Digital Russia Studies.
Gurkov, Alexander. “Personal Data Protection in Russia”. In The Palgrave Handbook of Digital Russia Studies, edited by Gritsenko, Daria. Wijermars, Mariëlle. Kopotev, Mikhail. 95 - 113. Russia: Palgrave Macmillan, 2021.
OneTrust DataGuidanceTM, and Gorodissky & Partners. 12/19. ‘Comparing Privacy Laws: GDPR v. Russian Law on Personal Data’, 48.
Pybus, Jennifer, and M. Coté. 2021. ‘Did You Give Permission? Datafication in the Mobile Ecosystem’. Information, Communication & Society, February, 1–19. https://doi.org/10.1080/1369118X.2021.1877771.
Radley-Gardner, Oliver, Hugh Beale, and Reinhard Zimmermann, eds. 2016. Fundamental Texts On European Private Law. Hart Publishing. https://doi.org/10.5040/9781782258674. Roa, Luisa, Alejandro Correa-Bahnsen, Gabriel Suarez, Fernando Cortés-Tejada, Maria A. Luque, and Cristián Bravo. 2021. ‘Super-App Behavioral Patterns in Credit Risk Models: Financial,
Statistical and Regulatory Implications’. Expert Systems with Applications 169 (May): 114486. https://doi.org/10.1016/j.eswa.2020.114486.
Salminen, Mirva, Gerald Zojer, and Kamrul Hossain. 2020. Digitalisation and Human Security: A Multi-Disciplinary Approach to Cybersecurity in the European High North. 1st ed. Springer International Publishing.
Sophus Lai, Signe, and Sofie Flensburg. 2020. ‘A Proxy for Privacy Uncovering the Surveillance Ecology of Mobile Apps’. Big Data & Society 7 (2): https://doi.org/10.1177/2053951720942543.
Steinberg, Marc. 2020. ‘LINE as Super App: Platformization in East Asia’. Social Media + Society 6 (2). https://doi.org/10.1177/2056305120933285.
Svetlova, Anna. 2021. ‘Путин подписал закон, позволяющий переводить деньги физлицам через анонимные кошельки’. [online] Gazeta.Ru. 11 June 2021. Available at: https://www.gazeta.ru/business/news/2021/06/11/n_16090982.shtml?updated [Accessed 19 January 2022].
Times, The Moscow. 2021. ‘Gazprom Gains Control of Russia’s Top Social Network’. The Moscow Times. 3 December 2021.
https://www.themoscowtimes.com/2021/12/03/gazprom-gains-control-of-russias-top-social-n etwork-a75724.
VKontakte. ‘VK Cookie Policy’. 2018. 21 May Accessed 19 January 2022. https://vk.com/privacy/cookies
VKontakte. ‘VK Ecosystem User Agreement’. n.d. Accessed 19 January 2022. https://id.vk.com/terms.
VKontakte. ‘VK.com Privacy Policy’. 21 May 2018. Accessed 19 January 2022. https://vk.com/privacy?eu=1
‘Εxodus’. n.d. Accessed 19 January 2022. https://reports.exodus-privacy.eu.org/en/. 15