IT World Canada

Many mobile apps still ask for unexplained access to device data

Too many mobile apps are collecting private subscriber data without explaining why they need it, according to a study by international government privacy commissioners.

In what was dubbed the Global Privacy Enforcement Network Privacy Sweep, examiners from 26 countries — including Canada’s federal privacy commissioner — divided up 1,211 apps between them last May, looking at what permissions the software asked users for in accessing device data, and whether it explained the purpose.

What they found was that investigators couldn’t understand why nearly one-third of the apps (31 per cent) needed access to certain information on mobile devices — like the location or camera photos and metadata.

They also found that the data collection explanation for some 43 per cent of apps used small print and lengthy privacy policies that required scrolling or clicking through multiple pages, which is hard to handle on small smartphone screens. Best practices include using larger fonts, pop-ups, layered information and just-in-time notification to inform users of potential collections or uses of information when they are about to happen, Canadian privacy commissioner Daniel Therrien said in a release.

“Fortunately, there were few examples of apps collecting the sort of information that would appear to exceed their functionality—like a flashlight app seeking permission to obtain your contacts list,” he said in a statement. (see below)

Why does this flashlight app need to access your microphone?

“But we did find many apps were requesting permission to access potentially sensitive information, like your location or access to your camera functions, without necessarily explaining why. This left many of our sweepers with a real sense of unease.”

“At the end of this experiment, one thing is clear to our sweepers: privacy communications are fluid and the level of accessibility will depend on user know-how, the platform being used (e.g. Android, iOS or BlackBerry) and the type of device, whether it’s a Lenovo tablet, an iPad or a Samsung Galaxy smartphone,” he wrote in a blog.

This was the second year privacy commissioners have done a sweep of mobile apps. Most apps ask user permission to access device data on installation, with users free to decline. That may mean the app doesn’t install.

In an age when organizations — some legitimate, some criminal — are willing to pay for consumer data, app developers may try to get as much information as they can from users. The study is a reminder to mobile app developers that they shouldn’t ask for permissions to access data when it isn’t necessary — particularly because there might be unwanted publicity.

Among those apps criticized were:

Super-Bright LED Flashlight, a popular free app that allows users to turn their mobile phone into a flashlight. For some reason the app sought permission to access the user’s camera/microphone, device ID/call information and even photos/media/files. There was no privacy policy listed in the app’s Google Play store site.

Pixel Gun 3D, a cartoon game that allows users to create and customize their own characters. It asks permission to access device ID/call information, device/app history and photos/media/files, among other things, but there is no privacy policy available on this app’s marketplace listing, on its website or within the app itself. There is a hard-to-read terms of use policy granting the developer full control over the user’s content.

CORRECTION: The original version of this story said the developer of this game has committed to making changes.

It should have said this:

Sometimes apps explained what data they were collecting, but didn’t justify the privacy practices. The commissioner wrote to one of them cited in his blog. The developer of one of those games has committed to making changes.

 
