‘We’re paying with our data’: Why privacy can be a problem with apps

Odds are you’re reading this story right now on your smartphone — and you’ve likely used one or more apps on your phone today. 

The average Canadian has at least 18 apps on their mobile device according to research group Catalyst Canada: everything from fitness to social sharing to shopping and games. But is the fun and convenience worth all the personal information you could be giving away?

CBC’s Marketplace worked with experts to create a horoscope app to investigate what Canadians can unknowingly reveal about themselves when they install an app on an Android smartphone. The short answer? You could be giving companies the ability to access a whole lot of personal information.

Your location, text messages, photos, even the ability to activate your microphone and camera. Those are just some of the permissions many app designers seek in the lengthy terms and conditions agreements app users are required to accept.

Michigan Pokemon Go-Park

Popular apps haven’t been without problems. Pokemon Go maker Niantic had to make a change to their system after it was found their permissions allowed them to gather more data than they needed about users. (Salwan Georges/Detroit Free Press/Associated Press)

Some apps need to access data in your phone for some of their functions. For example, Facebook needs to access your location if you want to check in somewhere; Instagram needs access to your camera and microphone in case you want to post a picture or video in the app.

But problems persist for many app makers — ride-hailing service Uber has faced lawsuits over privacy questions and was recently criticized for the way it tracks users in real time. 

And last year, Pokemon Go maker Niantic had to update its permissions after a mistake that allowed “full access permission” to a player’s Google account. The company says it wasn’t initially aware of the flaw and didn’t receive or access the broader data beyond basic user ID or email address.

‘We’re paying with our data’

Domingo Guerra, president and co-founder of San Francisco-based Appthority, says apps can be “the perfect spy tool” in some cases. 

“A lot of times we’ll download an app thinking it’s a flashlight, thinking it’s a game, thinking it’s a social media app, but it’s so much more bundled into it,” he says.

  • Read more about the Marketplace investigation this weekend, when CBC’s Diana Swain interviews a producer of this story for The Investigators.

“In general, we see that free apps are not really free … we’re paying with our data.”

Guerra’s company, which specializes in app risk management, helped develop Marketplace’s experimental app. He says some companies could be collecting more data than they need so they can sell it to third parties.

“A lot of times we’ll download an app thinking it’s a flashlight, thinking it’s a game, thinking it’s a social media app, but it’s so much more bundled into it.”
– Domingo Guerra, president and co-founder of Appthority

“If a developer’s going to sell your information to a third party, like an advertising network, then having not just your name or your playing habits but also maybe your location, is more valuable.”

It took less than a day to design and build the app called My Daily Horoscope. The horoscope app was available to Android phone users through a third-party website. Similar to popular apps, My Daily Horoscope had a lengthy terms of service agreement that testers had to agree to download the app.

No questions before clicking ‘accept’

A handful of Canadians downloaded it, no questions asked. They skimmed through the hefty contract quickly and clicked on “accept” within seconds. They had a free app — and the Marketplace team behind the app had access to a trove of data.

By accepting the terms of service, testers gave the app access to the phone’s microphone, contacts, call logs, text messages, camera and location. 

That meant the app had access, like the ability to track the phone’s movements and download photos and text messages. But it also had control: the ability to activate the camera, turn on the microphone.

Domingo Guerra

Domingo Guerra, co-founder and president of Appthority, says ‘having not just your name or your playing habits but also maybe your location, is more valuable.’ (CBC)

Marketplace only accessed data to demonstrate to the testers what they had given up. After the test, all information collected by the app, which is no longer available to download, was destroyed.

App stores like Apple’s iTunes and Google’s Play have guidelines that require apps to disclose what permissions they want and what they do with the data. But it’s still possible for apps to push past what you’d expect and ask for data that they don’t need.

‘It’s disturbing’ 

The most shocking app permission for one of the testers, Shahbaz, was the ability to turn on his camera and microphone unprompted. Marketplace is not revealing the full names of the people who installed the test app to protect their privacy.

“Yeah, it’s disturbing. I feel kind of violated. I should have read those terms and conditions.”

Same goes for Jason, who said he thinks the government should implement stricter rules and regulations to better protect consumers.

“If you want to do business in Canada it needs to be regulated, it needs to be watched and that, this is their job to make laws and regulations, this is what they should be doing.” 

Daniel Therrien, Canada’s privacy commissioner, says he can only give out warnings to companies who run afoul of privacy legislation. While there were few reported cases of privacy breaches involving apps in Canada in recent years, Therrien says it’s something his organization is watching.

CBC app

The Marketplace horoscope app was available only to Android users through a third-party website. After the test, the personal information was destroyed. (CBC)

He says one of the issues is whether “we should have stronger enforcement powers, such as the authority to order companies to change their practices, or even to issue fines” in a way that mirrors the U.S. and some western European countries. 

“This is a very lucrative business, there’s certainly a case to be made that companies that make a lot of money with personal data should face important sanctions” if they don’t behave as required by privacy laws, he says.
There are steep fines from the U.S. Federal Trade Commission, and the agency has fined companies as much as $800,000 for privacy violations. Europe is cracking down too, forcing companies to reveal exactly where people’s personal data is going.

Bottom line? Consumers need to be aware of how much data they are offering up. The application manager is the go-to spot for users who want to manage their settings. People should also do a “spring cleaning” on their phones and delete the apps they aren’t using anymore — because they could still be collecting data.

Smartphone privacy concerns2:41

What about the CBC app? What we access on your phone

You might be wondering, what exactly does the CBC News app need to access on your phone? Here’s a rundown of the permissions CBC asks for and the reasons why.

Network connectivity status and type
The CBC News app checks this to prevent the app from crashing if the signal strength isn’t good, and to help understand why something may be taking a long time to load. 

Location services
The app accesses this to help deliver local news and weather.

Diagnostic and usage data 
This helps the app know how many people are reading stories and when and what ads the user has already seen. It also helps track the stability of the app and diagnose any issues.

For more about what CBC does with the data it collects, read the privacy policy here:

Article source: