iPhone Privacy Is Broke And Apps Are To Blame (#GotBitcoin?)
Don’t be too confident in those privacy controls. Our test of 80 apps in Apple’s App Store reveals most apps are tracking you in ways you cannot avoid. iPhone Privacy Is Broke And Apps Are To Blame (#GotBitcoin?)
Uhhh, Curious George? You Got A Little Too Curious This Time
There’s a kids’ iOS app called Curious World that, not surprisingly, stars the cute little pants-less monkey. Turns out, the app was collecting my son’s age, name and every book he tapped, and sending that data to Facebook Inc.
The Company’s Response? Whoopsies!
“There was some rogue code in the app that was mistakenly sending this data,” said Abhi Arya, the chief executive of Curious World. He says this info was not used by the company or Facebook. In response to this reporting, the company is updating the software.
Sharing information businesses know about children under 13 is prohibited by Facebook’s Terms of Service, a Facebook spokesman said. Apple says it is investigating the situation.
Congratulations! You’ve bought an iPhone! You made one of the best privacy-conscious decisions… until you download an app from Apple’s App Store. Most are littered with secret trackers, slurping up your personal data and sending it to more places than you can count.
Over the last few weeks, my colleague Mark Secada and I tested 80 apps, most of which are promoted in Apple’s App Store as “Apps We Love.” All but one used third-party trackers for marketing, ads or analytics. The apps averaged four trackers apiece.
Some apps send personal data without ever informing users in their privacy policies, others just use industry-accepted—though sometimes shady—ad-tracking methods. As my colleague Sam Schechner reported a few months ago (also with Mark’s assistance), many apps send info to Facebook, even if you’re not logged into its social networks. In our new testing, we found that many also send info to other companies, including Google and mobile marketers, for reasons that are not apparent to the end user.
We focused on the iPhone in our testing—largely because of Apple’s aggressive marketing of personal privacy. However, apps in Google’s Play Store for Android use the same techniques. In some cases, when it comes to providing on-device information to developers and trackers, Android is worse. Google recently updated its app permissions and says it is taking a deeper look at how apps access personal user information.
The Biggest Problem Isn’t The Data Collection
The company that publishes my columns makes money from advertising—publisher and advertiser alike rely on customer data. The problem is, we aren’t told what tracking is going on in our apps, and we’re given very few controls to curb it.
Over the last few weeks, the biggest tech companies have put on some impressive Privacy Theater. At their respective developers’ conferences, Google and Facebook announced tools to help us control the flow of our personal data—especially on the web. Apple CEO Tim Cook, who was standing up for user privacy before it was cool, is expected to follow suit Monday at his company’s Worldwide Developers Conference.
In fact, Apple will limit third-party tracking in apps in the Kids category of the App Store, according to a person familiar with the matter.
Apple declined to comment on this, but a spokeswoman provided a statement:
“For privacy and security reasons, Apple does not see what data users choose to share with developers and we can’t see what developers do on their servers.”
However, on a page about its App Store practices, Apple says the second most common reason for rejecting an app is “privacy concerns.” (And I certainly didn’t “choose to share” the data that was harvested from some of these apps.)
The statement continues: “As part of our ongoing efforts to make users’ data even more secure, we will continue to address the challenges of improving transparency and helping users get stronger privacy and security protections for the data they’ve chosen to share.”
My app-tracking adventures show that more transparency and stronger protections are needed. Our current privacy controls are no better than a game of Whac-A-Mole (as I demonstrate in the video above). Knock one tracker down and another pops up.
All The Ways They Spy
When I launched “Curious World,” seven third-party trackers lit up. Yes, Facebook, and others from Kochava, Braze and Mixpanel—companies you probably never heard of, which play various roles in the tracking of user activity for marketing. Mr. Arya said none of the apps’ behavior violated the federal rule known as COPPA, which prohibits companies from collecting personal information from children.
That’s small potatoes compared to what’s found in other apps. Sephora? Ten third-party trackers. The company said it uses the data to improve customer experiences through personalization.
Meditation apps surprised me with an average of six trackers each. (At least they provided an immediate way to relieve the stress caused!) And yes, The Wall Street Journal app had a handful, too.
What The Heck Are These Doing In Our Apps?
Same thing they’ve been doing on websites for years: helping companies learn our habits so they can make more money.
App makers add these chunks of code to their apps to see how the software performs or to learn more about users in order to sell or place ads. The trackers gather info about you—your actions in the app, your location, your phone specs. Using special software, I witnessed them receiving plenty of my personal info, from my browsing of 10 different pairs of flip flops to my search for the keyword “depression.”
The meditation apps didn’t request my phone’s precise location data but one, Glo, collected my IP address—the internet address associated with the Wi-Fi network I was on—and used it to plot my latitude and longitude. When I mapped those online, the pin appeared just a few blocks from my house. The app sent those coordinates to Glo’s servers three times in five minutes.
A Glo Inc. spokeswoman said it collects this data to make sure the company is staying compliant with different geographic regulations, like Europe’s General Data Protection Regulation, and for security purposes. It also says IP data is meant to gather a general location of a user and it’s not usually as accurate as it was in my case.
Some Facebook and Google pings, however, appeared to send information for analytics and not ad tracking. It depends on how the apps have implemented their services.
One piece of frequently sent info is your phone’s unique mobile advertising ID, a string of letters and numbers that serves as a proxy for your identity. The more times your ID pops up along with new information, the better companies will get to know you and follow you around with ads—even if they don’t know your name.
What You Can (And Can’t) Do Now
There are no settings in iOS or Android that let you block trackers within apps. There’s irony in that, since Apple has pushed against tracking in its Safari web browser and Google recently moved to limit tracking cookies in its Chrome browser.
An iOS app called Privacy Pro SmartVPN from a company called Disconnect does block all these sorts of trackers and can save you the cellular data that they typically suck up, but it requires the use of a virtual private network which can interfere with some apps and web pages.
Sure, some tech experts will tell you that you deserve to be mined for your data if you choose a free app over its premium version. Except when I paid to upgrade various iPhone apps, I didn’t see a change in the flow of information. A recent study of Android apps from researchers at the University of California at Berkeley found the same: 48% of paid Android apps reused all the same third-party trackers.
The researchers’ conclusion: “The privacy benefits of paying for apps are tenuous at best.”
The same goes for turning off that mobile ad ID. In iOS, go to Settings > Privacy > Advertising, then switch on Limit Ad Tracking. This will turn your ID into a bunch of zeros. (Android lets you reset the ID—Settings > Google > Ads > Reset advertising ID—but you can’t zero it out.)
So now companies can’t associate your info and actions with you or your device, right? Say hello to fingerprinting! When the ad ID isn’t available, trackers look for other identifiers (operating system, IP address, carrier) to form a digital fingerprint they can try matching with info they’ve gathered elsewhere.
The best you can do is plug some data leaks. In iOS, go into Settings > Privacy > Location Services and turn off all the apps that don’t need to know your every move. (For Android, go to Settings > Security & Location.) Also, on your iPhone, go to Settings > General > Background App Refresh, and turn off all but the apps you depend on most.
What Should Be Done
Some data, including a phone’s operating system and IP address, is commonly tracked via apps and there’s no way to disable it. Pam Dixon, founder and executive director of the World Privacy Forum, says this is one of many things app developers and app stores could be more transparent about.
A 2013 National Telecommunications and Information Administration proposal for app transparency, which Ms. Dixon contributed to, suggested disclosures akin to nutrition labels. The mockups included info gathered—age, location, biometric info, etc.—and who it was shared with—ad networks, data brokers, etc.
Sure, we could try to pick our apps more carefully—for instance, Apple’s own apps and services promise less tracking and more disclosure. (It’s probably no coincidence that, according to Bloomberg, Apple will release a menstrual cycle app next week.)
The real work needs to come from Google, Apple and our regulators, however.
Apple is in a complicated spot. Without an ad-focused business model, it’s one of the companies I trust most, but it faces an antitrust suit from consumers alleging it stifles competition in the App Store. Cleaning up might be mistaken for bullying.
In a new page on its website Apple says: “We take responsibility for ensuring that apps are held to a high standard for privacy, security, and content because nothing is more important than maintaining the trust of our users.”
We look forward to hearing how Apple’s going to do that. iPhone Privacy Is Broken, iPhone Privacy Is Broken, iPhone Privacy Is Broken, iPhone Privacy Is Broken,iPhone Privacy Is Broken, iPhone Privacy Is Broken,