The Expert's View with Jeremy Kirk


The Gap Between Mobile Apps and Privacy

Why Are Users Surprised by Data Slurping?
Here's a visualization of data Facebook collects created by ShareLab's Facebook Algorithmic Factory investigation. (Source: ShareLab)

Over the last few months, there's been a steady drip of investigative stories looking at the data that mobile apps collect and how companies like Facebook ingest it.


The latest came on Friday from the Wall Street Journal. The top-line finding: Eleven health and fitness apps shared sensitive data, such as heart rates, menstrual cycles or pregnancy statuses, with Facebook. This occurred whether or not a user had a Facebook account.


The data was sent because the apps used Facebook's mobile analytics SDK, which collects information that helps improve ad targeting. The SDK allows app developers to create new advertiser segments. These "buckets" - broad categories such as age brackets or whether someone is a sports enthusiast - can then be used to target ads. The ad industry maintains that this method protects people's privacy, as the generalized categories don't reveal any specific, identifying information.

Facebook advises app developers not to send it health and financial information. The company also says it didn't use the data for advertising. Sending that kind of data would violate its terms and conditions, Facebook tells the Journal. But the newspaper reports that users had no way of opting out of that kind of data transfer.

The story raises concerning questions about users' expectations when they download an app, the opaqueness around what the app is actually doing and how this relates to privacy law.

Some of the apps stopped sharing data with Facebook after the Journal published its report, the newspaper reported Sunday.

Meanwhile, New York Governor Andrew Cuomo has ordered two state agencies to investigate the Journal's report that Facebook may be accessing far more personal information than previously known, the Guardian reports.

Blaming the User

There's a tendency to blame the victim, although calling app users victims is probably hyperbole. The argument runs like this: If you don't want your personal data collected and transferred to unnamed companies, don't use the app.

This seems like a fair point on the surface. Mobile apps have to generate revenue, and that is largely done through targeted advertising, which is based on collecting location data, app activity, browsing activity and a variety of other metrics. Consumers should know by now this is a common practice that makes unpaid apps possible.

But clearly, they don't. And that's because some online advertising companies and app developers haven't been forthright about what's going on under the hood of their services. They've rightly anticipated that if users knew the full details of how their personal data was collected and shuffled around, the response may be: "No way. Bye."

It's misleading when mobile app developers point to their privacy policies as a reason why the data collection should be expected. Privacy policies virtually never dig into the details and are usually slyly crafted to reassure.

The only accurate way to figure out what data an app is transmitting is to man-in-the-middle the traffic with a web debugging proxy and scan data fields. That's unreasonable for most users.
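As an added illustration (not part of the original article), this is roughly what "scanning data fields" looks like once a debugging proxy has exported its capture as a HAR file: walk every request, unpack query, form and JSON fields, and report health-related keys sent to hosts other than the app's own. The hosts, field names and keyword list below are constructed assumptions, not any vendor's real endpoints or schema.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

SENSITIVE = ("heart_rate", "cycle", "pregnan", "ovulation")  # assumed key fragments

def flatten(obj, prefix=""):
    """Yield (dotted_key, value) for every leaf of a nested JSON value."""
    if not isinstance(obj, (dict, list)):
        yield prefix.rstrip("."), obj
        return
    for k, v in (obj.items() if isinstance(obj, dict) else enumerate(obj)):
        yield from flatten(v, f"{prefix}{k}.")

def expand(key, value):
    """Unpack a value that is itself JSON text, e.g. events packed into one form field."""
    try:
        nested = list(flatten(json.loads(value), key + ".")) if value[:1] in ("[", "{") else []
    except ValueError:
        nested = []  # looked like JSON but is not; keep the raw value
    return nested or [(key, value)]

def request_fields(req):
    """All query-string, form and JSON-body fields of one HAR request."""
    post = req.get("postData") or {}
    text = post.get("text") or ""
    body = [("body", text)] if "json" in post.get("mimeType", "") else parse_qsl(text)
    pairs = parse_qsl(urlsplit(req["url"]).query) + body
    return [field for k, v in pairs for field in expand(k, v)]

def audit(har, first_party):
    """Return (host, field, value) for sensitive fields sent to non-first-party hosts."""
    hits = []
    for req in (entry["request"] for entry in har["log"]["entries"]):
        host = urlsplit(req["url"]).hostname or ""
        if host != first_party and not host.endswith("." + first_party):
            hits += [(host, k, str(v)) for k, v in request_fields(req)
                     if any(s in k.lower() for s in SENSITIVE)]
    return hits

# Constructed capture in HAR 1.2 layout; hosts and field names are made up.
EVENTS = json.dumps([{"_eventName": "log_period", "cycle_day": 14, "pregnancy_mode": "off"}])
SAMPLE_HAR = {"log": {"entries": [{"request": r} for r in (
    {"url": "https://api.fitapp.example/v1/sync",
     "postData": {"mimeType": "application/json", "text": '{"heart_rate": 72}'}},
    {"url": "https://events.analytics.example/v1/activities?sdk=android",
     "postData": {"mimeType": "application/x-www-form-urlencoded",
                  "text": urlencode({"event": "CUSTOM", "custom_events": EVENTS})}},
)]}}
print(audit(SAMPLE_HAR, "fitapp.example"))
```

Matching on key names only catches fields that are labelled honestly; values sent under opaque keys still need manual review of the capture.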

Europe's General Data Protection Regulation represents the biggest driver to shine a light on data sharing. The regulation demands clarity in privacy policies and terms of service, mandating plain language. That is starting to play out, starting with Google, which received a record $57 million GDPR fine from French regulators last month (see: France Hits Google With $57 Million GDPR Fine).

Zeynep Tufekci, a privacy expert and associate professor at the University of North Carolina at Chapel Hill, concisely sums up the problem:

This shouldn't be the case. The Journal, for example, spoke to a 25-year-old woman who used Flo, a menstrual cycle app. After learning her health data was transferred to Facebook, she was considering deleting it.

Flo's privacy policy appeared to give assurance that the kind of information it collected, such as menstrual cycle, wouldn't be shared. Following the Journal's story, Flo said it would limit its use of external analytics systems while it conducts a privacy audit.

Keeping Track Is Challenging

With tens of thousands of mobile apps, it's impossible for investigative journalists and privacy researchers to keep up. The data sent one day may be different than the data sent five days and two updates later.

There is a fair argument about the balance of the Journal's story, which seemed to cast Facebook in a shady light. Then again, Facebook was only the recipient of the data sent by the 11 apps. The responsibility lies with the app developers, writes Antonio Garcia Martinez, an author who was Facebook's first product manager for targeted advertising.

With its lingering data foibles and general shadiness, it's hard to see how Facebook would get off easy here, but Martinez has a solid point. He also highlights that the technical documentation for the analytics SDK has been public for five years, suggesting the story may be more of a scoop of perception than a breaking-news exposé.

But clearly there's a case to be answered here by Apple, Facebook and Google, which also has an analytics SDK for Android apps. The companies are in the best position to do the technical testing to figure out what data apps are sending and whether there's friction between user expectations and privacy policies.

Until those gaps are closed, stories such as the Journal's will still hold unwelcome surprises.



About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



