Premise
In June 2025 the BfDI (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, the German federal data protection authority) imposed two fines on Vodafone totaling €45 million (press release: "BfDI verhängt Geldbußen gegen Vodafone") for serious deficiencies in internal controls and in its authentication mechanisms. In particular, significant weaknesses allowed some partner agencies to misuse personal data, going as far as concluding fictitious contracts. Vulnerabilities in Vodafone's authentication system exposed customer data to unauthorized access by third parties, compromising the security and confidentiality of personal information.
What is happening with the My Vodafone Italia app? The application is available on the App Store and on Google Play.
WARNING: after issues were found with the authentication system (on personal accounts), an in-depth test was carried out that highlighted significant problems in the way consent is collected. The investigation, conducted through web access from Linux Mint and from an Android mobile device, revealed an excessively invasive approach to collecting user permissions, one that potentially undermines privacy protection principles.
The analysis
The evolution of Vodafone's web access systems has progressively complicated the user experience, turning what was once a simple procedure into a labyrinth of authentication. Initially, entering a username and password was enough; today users find themselves caught in an increasingly complex and invasive process. Verification text messages, presented as a security measure, were followed by the requirement to associate an email address, with the stated goal of strengthening authentication. In practice this mechanism has proven to be an effective tool for acquiring additional customer information: a second mobile number and an up-to-date email address.
And that is not the worst of it: at a certain point the website blocks the user and demands that the My Vodafone Italia app be installed on their mobile phone.
The crucial question is: how far can a company go in the name of security, against the simple, competing need of customers to access their own data without obstacles? A trivial example: checking the remaining credit on your phone line!
Google Play Store review of My Vodafone Italia:
Application installation in a controlled environment
The installation was performed with test user profiles on the GrapheneOS operating system, with sandboxed Google Play services, the app downloaded from the Aurora Store, and Rethink for internet traffic control.
Checking the trackers present in the app
The following trackers are reported by εxodus:
Remember that trackers are imposed on you: you cannot express a refusal.
App traffic control strategy
With Rethink listening on the device, you can start to understand how the app's traffic flows over the network by monitoring the domains that perform tracking activity, cross-checked against the information collected by εxodus.
Remember that it is always important to check the traffic flow, since it can vary with the installed version and with the functions the software requires.
Example of domain rules blocked with Rethink:
A first tip: block Tealium.
Tealium: more tracker details on εxodus.
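The strategy above (let Rethink log what the app resolves, check each domain against the εxodus tracker list, then turn the hits into per-app block rules) can be scripted. The following is an added example written for this post; it is not code from the original page, from Rethink or from εxodus. The log lines and the three signature entries are constructed for illustration (Rethink's real export format and εxodus's real signatures differ in detail, so check both before copying any domain into a rule). The one thing it shows that the text does not is why matching must be anchored at a label boundary and at the end of the hostname: a plain substring check would also flag unrelated hosts such as tealiumiq.com.evil.example.

```python
"""Classify an app's DNS queries against tracker domain signatures.

Added example for this post (not code from the original page, from Rethink
or from εxodus). The log lines and the signature table are constructed for
illustration: Rethink's real export format and εxodus's real signatures
differ in detail, so check both before copying any domain into a rule.
"""
import re

# εxodus-style network signatures: tracker name -> anchored regex on the
# query hostname. Anchoring at a label boundary ("^" or ".") and at the end
# ("$") is what makes "tealiumiq.com.evil.example" NOT match.
# These three entries are assumptions written for the example.
TRACKER_SIGNATURES = {
    "Tealium": r"(^|\.)(tealiumiq\.com|tiqcdn\.com)$",
    "Google Firebase Analytics": r"(^|\.)(app-measurement\.com|firebase-settings\.crashlytics\.com)$",
    "Facebook Analytics": r"(^|\.)graph\.facebook\.com$",
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in TRACKER_SIGNATURES.items()}

# Constructed log in a "timestamp app hostname" shape (illustrative only;
# the package name it.vodafone.my is an assumption).
SAMPLE_LOG = """\
2025-06-10T10:00:01 it.vodafone.my tags.tiqcdn.com
2025-06-10T10:00:02 it.vodafone.my collect.tealiumiq.com
2025-06-10T10:00:03 it.vodafone.my app-measurement.com
2025-06-10T10:00:04 it.vodafone.my www.vodafone.it
2025-06-10T10:00:05 it.vodafone.my graph.facebook.com
2025-06-10T10:00:06 org.example.other tealiumiq.com.evil.example
"""


def classify(hostname):
    """Return the tracker name whose signature matches hostname, else None."""
    host = hostname.strip().rstrip(".").lower()  # normalise trailing dot and case
    for name, regex in _COMPILED.items():
        if regex.search(host):
            return name
    return None


def parse_log(text):
    """Yield (timestamp, app, hostname) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield tuple(parts)


def summarize(text):
    """Map app -> tracker -> set of hostnames seen; non-tracker hosts are dropped."""
    summary = {}
    for _ts, app, host in parse_log(text):
        tracker = classify(host)
        if tracker is None:
            continue
        summary.setdefault(app, {}).setdefault(tracker, set()).add(host.lower())
    return summary


def block_rules(text, app):
    """Sorted hostnames to add as per-app domain block rules for `app`."""
    per_tracker = summarize(text).get(app, {})
    return sorted(h for hosts in per_tracker.values() for h in hosts)


if __name__ == "__main__":
    for app, trackers in summarize(SAMPLE_LOG).items():
        for tracker, hosts in trackers.items():
            print(f"{app}: {tracker} -> {', '.join(sorted(hosts))}")
    print("block rules for it.vodafone.my:", block_rules(SAMPLE_LOG, "it.vodafone.my"))
```

Run it as is to see the classification of the constructed log; with a real export, feed the lines through `parse_log` after adapting it to the export's columns. The returned list from `block_rules` is what you would add, domain by domain, as per-app rules in Rethink, and the same script re-run after an app update shows whether new tracker domains have appeared.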
Imagine an invisible electronic eye following your every move on the web. Tealium is just that: a sophisticated digital tracking system that records, analyzes and stores every minute detail of your online browsing.
What does it actually do? It captures every click, every movement, every moment of your digital experience. Tealium immediately begins building a detailed profile of your behavior: it records your IP address, identifies the device you are using, measures precisely the time you spend on each page, and tracks the exact sequence of your movements. The information collected is processed instantly and stored in detailed profile databases. This data then becomes a valuable asset for marketing companies, which can use it to create extremely targeted and personalized ads. It is like having a digital detective who knows your online movements better than you remember them. Every page visited, every interest shown, every preference is captured and turned into a detailed profile that can be sold, analyzed, and used for commercial purposes.
Tealium represents the most advanced evolution of digital surveillance: a system that transforms your browsing experience into an open book, where every page tells something about you.
The ridiculous informed consent required
The screen opens with an informed-consent notice with no way out: it is not possible to select individual consents or to deny them.
Let’s try to understand:
- "What permissions will we ask of you"... so they are requests! But if you have to ask me for permissions, you are presenting them as requests, as if informed consent had yet to be given. This is the right moment to ask for them: but if you ask me for something, I must be able to say "no, thanks!"
- Call management and call logs. Why should they care about improving the customer-service call experience? What does the operator care, given that its calls are already routed through switchboards and even recorded (I hope only with consent)? What do they do with the calls in my call log? Besides, call reception and quality depend on the telephone network infrastructure. It seems like a joke to me, a load of bullshit!
- Why do you need to know my device's location, under the sneaky pretext of telling me the nearest stores? You are tracking me in order to suggest a Vodafone point: what customer care!
- Background location: this is a gem, since they need to collect data for "the best data and voice experience" and to identify areas to optimize, even when the app is closed! If I have to be your technician, you have to pay me! Doesn't Vodafone have a structure with its own employees to survey the territory and measure signal quality, and so on? Apparently the customer must unknowingly serve as a guinea pig and bear the battery cost on top of the premature wear of the phone!
- Notifications: that means targeted advertising, why ever!
Refusal of informed consent
If the software is designed without a toggle to deny consent, and given that the intention is to make these permissions mandatory, denying them is currently possible only through the operating system's permission controls. However, this option is not always available and varies between operating systems. Furthermore, there is no guarantee that a denial at OS level will remain effective in the future.
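Denying the permissions at OS level, and then checking that the denial actually stuck, can be scripted over adb rather than clicked through Android's settings. The following is an added example written for this post, not code from the original page, from Vodafone or from GrapheneOS. It assumes the package name it.vodafone.my (an assumption: take the real one from the app's Play Store URL), assumes the mapping from the consent screen's requests to Android runtime permissions, and uses a constructed `dumpsys package` excerpt that mirrors the shape of real output. It goes slightly beyond the text by separating install-time permissions, which `pm revoke` cannot touch, from the runtime ones it can.

```python
"""Check (and revoke) an Android app's runtime permissions over adb.

Added example for this post, not code from the original page. The package
name "it.vodafone.my" is an assumption (take it from the app's Play Store
URL), and the dumpsys excerpt is constructed to mirror the shape of real
`adb shell dumpsys package <pkg>` output.
"""
import re
import subprocess

PACKAGE = "it.vodafone.my"  # assumption, see lead-in

# Runtime permissions behind the consent screen's requests (assumed mapping:
# call management / call log, location, background location, notifications).
PERMISSIONS_TO_DENY = [
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.POST_NOTIFICATIONS",
]

# Constructed excerpt; real output has many more lines in the same shape.
SAMPLE_DUMPSYS = """\
  Packages:
    Package [it.vodafone.my] (1a2b3c4):
      install permissions:
        android.permission.INTERNET: granted=true
        android.permission.ACCESS_NETWORK_STATE: granted=true
      User 0: ceDataInode=0 installed=true hidden=false
        runtime permissions:
          android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
          android.permission.ACCESS_BACKGROUND_LOCATION: granted=false, flags=[ USER_SENSITIVE_WHEN_GRANTED]
          android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET]
          android.permission.POST_NOTIFICATIONS: granted=false, flags=[ USER_SET]
"""

_GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_runtime_permissions(dumpsys_text):
    """Return {permission: granted?} for the 'runtime permissions:' section only.

    Install-time permissions (the 'install permissions:' section) appear in
    the same 'name: granted=' shape but cannot be revoked with `pm revoke`,
    so they are deliberately left out.
    """
    section = None
    granted = {}
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            section = stripped  # "install permissions:" or "runtime permissions:"
            continue
        m = _GRANT_RE.match(line)
        if m and section == "runtime permissions:":
            granted[m.group(1)] = m.group(2) == "true"
    return granted


def still_granted(dumpsys_text, wanted=PERMISSIONS_TO_DENY):
    """Permissions from `wanted` that the dump shows as granted, in `wanted` order.

    Permissions absent from the dump are not requested by the app and are
    skipped; re-run this after every app update, since an update can re-request them.
    """
    state = parse_runtime_permissions(dumpsys_text)
    return [p for p in wanted if state.get(p, False)]


def adb_shell(args, run=subprocess.run):
    """Run `adb shell <args>` and return its stdout (the runner is injectable for tests)."""
    proc = run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return proc.stdout


def revoke(package, permissions, run=subprocess.run):
    """Revoke each runtime permission with `pm revoke`; return the argv lists used."""
    commands = []
    for perm in permissions:
        argv = ["pm", "revoke", package, perm]
        adb_shell(argv, run=run)
        commands.append(argv)
    return commands


def audit_and_revoke(package=PACKAGE, run=subprocess.run):
    """Dump the package, revoke what is still granted, and return what was revoked."""
    dump = adb_shell(["dumpsys", "package", package], run=run)
    to_revoke = still_granted(dump)
    revoke(package, to_revoke, run=run)
    return to_revoke


if __name__ == "__main__":
    print("still granted in the constructed sample:", still_granted(SAMPLE_DUMPSYS))
    # Against a connected device with USB debugging enabled: print(audit_and_revoke())
```

`pm revoke` only works on runtime ("dangerous") permissions that the app declares, which is why the parser ignores the install-time section; on the constructed sample it reports READ_CALL_LOG and ACCESS_FINE_LOCATION as still granted. Revoking does not stop the app from asking again, or from refusing to run until the permission is granted, which is exactly the uncertainty described above.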
Hand over your documents, otherwise no app and no website
If I am a Vodafone customer and bought a SIM card, Vodafone already holds my personal data and already manages me as a customer. It is therefore inappropriate to require identity documents to be uploaded in order to access the site. In this case the Data Protection Authority must be asked to intervene.
Conclusion
In the meantime, to manage the administrative transition to the new provider, you can use their telephone service; see the information page "How can I manage my products if I don't access the new Vodafone systems?".