All access, all seemingly complementary.
Beneath the user-friendly interfaces, apps are quietly collecting payment for their services. Whether it’s identifying your location, a backdoor entrance to your address books or a glimpse inside your smartphone camera, apps and the third-party companies that have paid their way into the app’s infrastructure are stockpiling personal information to create individual consumer portraits designed to bring advertisers the ultimate payday.
Considering that hundreds of pieces of information can be collected from apps in a single day, according to a recent Carnegie Mellon University study, it’s becoming clear that the actual price of a free smartphone app might be your identity.
Followed by your phone
“Your location has been shared 5,398 times with Facebook, Groupon, GO Launcher EX and seven other apps in the last 14 days.”The notification one smartphone user received during CMU’s experiment — which focused on whether app permissions managers and privacy alerts helped consumers manage how personal data is shared — shocked both anonymous test participants and researchers who were already expecting to see frequent shares.
Even smaller numbers, such as a notification showing 356 shares was called “huge” and “unexpected’ by a participant. After seeing a notification showing more than 4,000 shares, one participant hoped it was a joke: “4,182 [times], are you kidding me? It felt like I’m being followed by my own phone. It was scary. That number is too high.”
The worst part, according to Norman Sadeh, a professor in the School of Computer Science’s Institute for Software research, is those figures undersell the actual scope of the problem.
“The complete statistics show that the average number was more than 6,200 [notifications] over two weeks,” said Mr. Sadeh.
Sponsored in part by the National Science Foundation, Google, Samsung and the King Abdulaziz City for Science and Technology, the study collected app behavior data from 23 Android phone users for one week, then gave users access to permissions manager AppOps during the second and third weeks. Once users had access to the permissions manager, they reviewed permissions 51 times and restricted permissions 272 times for 76 apps. One participant did not review any permissions.
Mr. Sadeh said the results showed that when given a chance to manage how personal information is shared, most smartphone users seize the opportunity. Unfortunately, consumers with the latest Android phones no longer have that option: Last year the AppOps software was discontinued.
Monitoring even while you sleep
For as much as the study focused on smartphone user privacy habits, the end result revealed much more about app behaviors.Noting a 2013 study showing that only 17 percent of apps that access consumer location data do so for its primary functions, Mr. Sadeh said some of the most notable offenders were companies such as Groupon, which was accessing location data more than 1,000 times in two weeks. Those findings lined up with what CMU researcher and associate professor and researcher Jason Hong found through his website and app PrivacyGrade.
Using crowdsourced data to determine how people expect smartphone apps to use personal data and phone functions, PrivacyGrade gives apps letter grades based on how close the Android apps come to those expectations. While behemoths such as Google Maps and Instagram received A grades, lesser known titles such as BlackJack 21 Live-Casino received a C for offenses including sharing location information with advertisers. A Bible app received a D for sharing location information with third parties and for tapping into other apps running on the device.
Actual changes in location weren’t a factor, as apps collected just as much location information from users who remained in the same space over several hours as those who were on the move.
“Late at night when people were most likely sleeping, apps were still collecting information,” said Mr. Sadeh.
Although such information appears redundant at first glance, it’s a contributing piece to the puzzle advertisers and data research firms are building, said Adi Kamdar, a spokesman for San Francisco-based nonprofit Electronic Frontier Fund.
“Even if you’re sitting in the same office or in your house for some amount of time, that information about how often you’re at home versus work, out shopping, out on a run or drive or on a bike ride reveals a lot about you,” said Mr. Kamdar. “It reveals how sedentary you are, how likely you might be to buy things related to the home versus outdoor-related goods.”
Even with a privacy manager in place, iPhone users could find themselves overwhelmed by the responsibility that comes with control.
Yuvraj Agarwal, CMU assistant professor and founder of the university’s Systems Networking and Energy Efficiency Lab, said he and his team at the University of California San Diego developed the Protect My Privacy app in 2012, when Apple was not offering an alternative option. Like AppOpps, Protect My Privacy sends users notifications when an app attempts to access location data, contacts or other information within the phone. However, it goes one step further by intercepting communication between the app and the phone before any information is lost. Despite only being available for jailbroken iPhones, or phones that have been modified to allow customization, Protect My Privacy has been downloaded more than 200,000 times. Mr. Agarwal said the company released a version for iOS 8 last week.
The onus, for better or for worse, is on users to decide whether an app needs the information it is seeking. Unfortunately, putting control into end users’ hands is no magic bullet.
Steady customer base aside Mr. Agarwal has no illusions Protect My Privacy, or any privacy manager for that matter, is without fault. Additionally, with potentially hundreds of alerts per day depending on how many apps a user has on their phone, it might work a little too well. On top of that, users unsure of exactly how apps use location and other personal information often end up denying permission only to allow it again after discovering how the rejection affects operations.
“It can get overwhelming pretty quickly,” said Mr. Agarwal.
One idea shared by all three researchers is that the problem could be alleviated somewhat through predictive technologies and a range of privacy categories that determine whether users feel very strongly about limiting sharing or are more open with their data.
Outside of user-controlled solutions, the researchers said app developers themselves must do a better job of knowing exactly what permissions third party advertisers are seeking and rein in the data collection.
“Think of apps as being put together with Lego pieces, some pieces are set by developers, others are set by companies such as Facebook to access certain services and others are set by advertisers,” said Mr. Hong. “If I’m a developer, an easy way to make money is to just grab one of these Lego pieces that’s from an advertiser, plug it in and voila; I start getting money out of it. The thing is developers don’t often know what these third [parties] are doing.”
With an imminent rise in data collection coming through smart watches, fitness monitors and Wi-Fi enabled gadgets yet to be conceived, Mr. Hong said advertisers and developers need to find the balance between consumer study and consumer stalking to harness what the app economy can eventually become.
“It’s very likely in the near future that all of our smart devices are going to know everything about us,” he said. “On one hand, this is a really good thing because it can help us with health care, sustainability, transportation and other kinds of things. At the same time, this vision can only happen if people feel like they’re in control of the data flows and they are comfortable with how the data’s being used.”
©2015 the Pittsburgh Post-Gazette. Distributed by Tribune Content Agency, LLC
