It’s amazing how much time we spend on our mobile devices. It’s often the first thing we check when we wake up and the last thing we look at before we go to bed. Our mobile devices have become an extension of ourselves and contain a good deal of our personal information. Some of it is highly sensitive personal information like our location and contacts.
How often do we consider how our privacy and security are protected when we use mobile apps? Do we actually read the apps’ privacy policies and consider how our data will be collected, used, and shared before we download the app? Sometimes, often, never? It’s enough to make us throw up our hands and shake our heads in disbelief. What’s up with that?
Findings from the FTC’s Report on Mobile Shopping Apps
Obtaining information about how shopping apps handle our data is crucial to our privacy practice.
According to Jessica Rich, director of the FTC’s Bureau of Consumer Protection: “As mobile apps become more central to the shopping experience, it’s important that consumers have meaningful information about how those apps work before they download them.”
The latest FTC report reveals mobile shopping apps lack sufficient disclosures. In its report, “What’s the Deal? An FTC Study on Mobile Shopping Apps” [PDF], the agency reviewed the most popular shopping apps and found them deficient in disclosures on how they handle consumer data.
In the study, the FTC surveyed 121 shopping apps from the Google Play and Apple App Stores in three categories: price comparison apps, “deal” apps (which provide consumers with coupons or discounts), and in-store purchase apps (which allow consumers to pay with their mobile device for goods purchased in physical stores).
The good news is a majority of the surveyed apps actually had privacy policies. The privacy policies were accessible via links on the apps’ promotion pages in the iTunes or Google Play app stores, and most were also displayed on the app developers’ websites.
However, the FTC found the content of the policies in terms of data collection, use and sharing, to be a bit of a mixed bag. Nearly all of the privacy policies stated that the apps might collect users’ names and contact information (home address, email and phone number). A smaller percentage of apps disclosed collection of other forms of personal data such as location, a Social Security number, driver’s license, date of birth, and/or gender.
Policies often noted the collection of transaction data (including items purchased, purchase amount, purchase date/time, purchase location, and method of payment). Many policies revealed that the services may obtain consumer data from third parties, including credit bureaus and identity verification services.
App Policies Vague Regarding Data Usage
The FTC report specifically takes issue with broad and vague descriptions of data use which, in the FTC’s opinion, make it difficult for consumers to assess how their data would actually be used. It’s this sort of lack of complete information which prevents us from making a true choice.
The report notes that “some policies stated that they might use personal data to ‘enhance’ or ‘improve’ users’ shopping experiences without further explaining those terms or providing examples that would help consumers understand the reasonable limits of such use or how uses might go beyond what consumers reasonably expect.”
Every reviewed policy disclosed that the scope of the collected data was “necessary to provide the service.” Those that specified additional potential or secondary uses included use for “advertising” or “marketing communications” with the user, “service improvements,” and “personalization.”
Additional Concerns over Data Sharing
The FTC Report expresses concern that while many policies stated how data would be shared, and limited sharing to some extent, a certain percentage used vague language that reserved broad rights to share consumers’ data without restriction. In fact, 29 percent of the price comparison apps, 17 percent of the deal apps, and 33 percent of the in-store purchase apps that were reviewed reserved the right to share users’ personal data without restriction.
If the policies did note a restriction on sharing, the most common was sharing data only with service providers, followed by “subject to confidentiality agreements.” Other policies provided that users’ personal data would be shared only with a user’s consent.
To enhance transparency of privacy practices and enable consumer choice, the FTC report makes a number of recommendations to companies that provide mobile shopping apps to consumers including:
1) Clearer descriptions concerning data collection, use and sharing. The report concludes that the vague language made it difficult for consumers to make informed decisions about whether to use the apps based on privacy considerations.
2) Ensuring that the data security promises translate into sound data security practices. The report notes that many apps promise certain safeguards for their data. The FTC recommends that such companies follow through on those security promises by providing strong protections for the data they collect.
Survey: “Is there such a thing as online privacy?”
Rad Campaign, Lincoln Parks Strategies and Craig Newmark of Craigconnects recently surveyed over 1000 people about their experience and views on online privacy. They compiled their results in an infographic at Online Privacy Data. The survey concludes that there is a general mistrust of online services and mobile apps and of their collection and use of data.
74% of Americans are either very or somewhat concerned about having too much personal information about them online.
59% think applications they have downloaded to their phone, tablet or computer likely sell their information.
67% are concerned that apps sell their information.
…yet 24% click the Terms of Service “I agree” box without reading the terms, 42% merely skim the information and only 17% carefully read the terms.
What’s up with that? It would seem we have a serious disconnect between our beliefs, fears, and action. Where is the personal responsibility for our privacy?
How to Make Informed Privacy Choices with Apps
So what are your choices? How do you take advantage of mobile tech conveniences while guarding your privacy? Appthority’s recent Reputation Report [PDF] offers a number of helpful tips to accompany a survey of the security risks behind the most popular mobile apps. Appthority App Risk Management Service analyzed the behaviors of the Top 400 mobile apps, including the top 100 free apps and 100 paid apps for both iOS and Android.
2. Be wary of free apps. The Appthority report determined that free apps are riskier than paid apps. As the saying goes, “If the product is free, you (and your data) are the product.” The biggest disparity between free and paid apps was found to be the use of location tracking. While 66% of free apps track location, fewer than half of paid apps (37%) include location tracking. Free apps were also found to be more likely than paid apps to use single sign-on (via social networks) (67%), share data with ad networks (52%) and analytic frameworks (35%), offer in-app purchasing (57%), identify the user or UDID (73%), and access the users’ address book or contact list (28%).
3. Remain cautious about paid apps. Unfortunately, paid apps aren’t always entirely safe. While 99% of the free apps surveyed included at least one risky behavior, so did 83% of the top paid apps according to Appthority.
4. Be aware of risky app behaviors. The Appthority report identifies the following risky behaviors:
Single sign-on (with social networks). Single sign-on, using Twitter or Facebook for example, is often presented as a convenient and simple user experience choice, but there are concerns. First is that your data is shared with the social networking site and potentially their ad networks. Second is the “single point of failure” security issue. If your social login is compromised, all of the apps (and websites) that you log into using that same social login may be compromised as well.
Sharing with ad networks. Your data which is collected via the app can be sold or shared with third-party ad networks and data brokers. The report found that a large percentage of paid apps share data with ad networks. Although we might not be presented with ads on paid apps as we are on free apps, the app developers may still be sharing our data with advertising firms and data brokers.
Sharing data with analytics frameworks. Many apps use third-party analytics frameworks like Flurry and Google Analytics, which provide analytics services to the developers in order to track your use of the app. Developers and analytics companies may then sell your data to advertisers and data brokers.
Identifying the user or UDID. The UDID is the “Unique Device ID,” and behaves much like a web-based cookie that you can’t delete. The core privacy concern with UDID tracking is the “permanent” nature of the device-to-user linkage. With a UDID, developers can correlate user behavior across multiple apps (even if you have different usernames and passwords for each of the apps) and then match them to a unique user.
Accessing the address book or contact list. Are you willing to share your contacts with an app developer? Not only is it not necessary for providing the service in most cases, it could negatively impact the privacy of those on your contact list.
Calendar access. The calendar is often one of the most sensitive troves of personal information. Consider the confidential or potentially sensitive information stored there: Colleague names, meeting invites, corporate dial-in information (with access codes) and personal appointments related to health, banking, recreation, and family.
5. Clean out your device. As a final tip, uninstall unused apps and remove the residual data files associated with them. If you’re like most mobile users, you have dozens (if not hundreds) of old apps lurking on your mobile device. Guess what, even if you haven’t opened that app in a while, it might be tracking you and sharing that data with data brokers. A recent article by the Wall Street Journal “Digits” blog revealed Foursquare now tracks users even when the app is closed.
Fortunately, there’s a handy uninstaller that you can use to remove apps in batches.
Don’t lose sight of “what’s app” with your mobile privacy. Use your privacy awareness and privacy practice to make informed decisions about your privacy on mobile apps.