Too many mobile apps are collecting private subscriber data without explaining why they need it, according to a study by international government privacy commissioners.
Dubbed the Global Privacy Enforcement Network Privacy Sweep, examiners from 26 countries — including Canada’s federal privacy commissioner — divided up 1,211 apps between them last May, looking at what permissions the software asked users for and whether it explained the purpose.
Investigators couldn’t understand why nearly one-third of the apps (31 per cent) needed access to certain information on mobile devices — like the location or camera photos and metadata.
They also found that the data collection explanation for some 43 per cent of apps used small print and lengthy privacy policies that required scrolling or clicking through multiple pages, which is hard to handle on small smartphone screens. Best practices include using larger font, pop-ups, layered information and just-in-time notification to inform users of potential collections or uses of information when they are about to happen, Canadian privacy commissioner Daniel Therrien said in a release.
“Fortunately, there were few examples of apps collecting the sort of information that would appear to exceed their functionality—like a flashlight app seeking permission to obtain your contacts list,” he said in a statement. (see below)
“But we did find many apps were requesting permission to access potentially sensitive information, like your location or access to your camera functions, without necessarily explaining why. This left many of our sweepers with a real sense of unease.”
“At the end of this experiment, one thing is clear to our sweepers: privacy communications are fluid and the level of accessibility will depend on user know-how, the platform being used (e.g. Android, iOS or BlackBerry) and the type of device, whether it’s a Lenovo tablet, an iPad or a Samsung Galaxy smartphone,” he wrote in a blog.
This was the second year privacy commissioners have done a sweep of mobile apps. Most apps ask user permission to access device data on installation, with users free to decline. That may mean the app doesn’t install.
In an age when organizations — some legitimate, some criminal — are willing to pay for consumer data, app developers may try to get as much information as they can from users. The study is a reminder to mobile app developers that they shouldn’t ask for permissions to access data when it isn’t necessary — particularly because there might be unwanted publicity.
Among those apps criticized were
CORRECTION: The original version of this story said the developer of this game has committed to making changes.
It should have said this:
Sometimes apps explained what data they were collecting, but didn’t justify the privacy practices. The commissioner wrote to one of them cited in his blog. The developer of one of those games has committed to making changes.