
85% of apps not up to scratch on privacy, study finds

by Powernet - Sep 15, 2014

A coordinated study of apps, run by a group of national privacy and data protection bodies from around the world, has found that the vast majority fail to provide adequate information on the privacy implications of using the app.


The study, conducted by the Global Privacy Enforcement Network (GPEN), looked at over 1200 apps, with participants each tasked with looking at a handful developed in, or targeting users in, their own region.

It found that only 15% provided clear information on how the app gathers, uses and shares private data on the user, to an extent that the user could feel confident in their understanding of how it works.

30% provided no privacy information at all, other than the request for permissions made by the device at the time of installation.

GPEN is a joint effort to encourage and facilitate cooperation between privacy regulators and similar bodies, with members representing over 50 countries and regions. Of these, 26 from 19 different locales participated in the study.

According to the Privacy Commissioner's Office in New Zealand:

The survey included a mix of Apple and Android apps, free and paid apps, as well as public sector and private sector apps ranging from games and health/fitness apps, to news and banking apps.

The study also found that 75% of all apps require at least one permission, with almost a third demanding location information, 16% wanting the device ID data, 10% asking for access to the camera and 9% prying into contacts lists.

A few good apps were praised for making an effort, particularly those that alerted the user just before possibly private data was going to be sent.

But the majority need to change radically to live up to the standards expected by the privacy regulators, who have promised to contact the worst offenders to suggest they start behaving better.

It's likely most of their users would agree with this stance, if they only knew what was going on behind the scenes of their games and social networking gizmos.

The problem is, of course, that a large proportion of these apps are not designed for the pleasure or benefit of their "users" - they are really only aiming to get as many people as possible to install and activate them, accepting the privacy-destroying permissions, so they can harvest data and sell it on to advertisers and marketeers.

We're being steadily trained to think of paying for things as unnecessary or stupid, and to accept the term "free" as synonymous with "free in return for your privacy", despite efforts by the likes of GPEN and the EU to push back the tide.

The 1200 apps looked at here represent the tiniest fraction of the app world, with Google's Play Store currently hosting over 1.1 million free and 200,000 paid-for apps, and Apple's store offering similar numbers.

App developers are aware of the public's aversion to paying up front and are monetizing their offerings in other ways, by simple advertising (which can lead to all sorts of unwanted consequences thanks to layers of standard ad libraries the app developers have no control over), the increasingly intrusive and irritating "in-app purchases", or barefaced harvesting of personal data for resale.

We're slowly making steps in the right direction. Publicising efforts like that of GPEN draws more attention to privacy issues.

In a highly publicised case, the FTC recently made it very clear to Google that scamming cash out of kids with in-app purchases is unacceptable.

However, some moves may be counterproductive - Google has apparently extended its "refund window" from 15 minutes to two hours after installing a paid-for app, to allow you time to see if it's got anything to offer.

Sounds like a good idea, and of course will provide some protection from poor-quality or copycat apps trying to cash in on the paid-for market, but ultimately it's not going to kill off the scammers producing dodgy apps, who will instead migrate to the thriving faux-free, privacy-groping side of the app marketplace.

The only way to defeat this menace is for everyone to pay attention to what they're installing, to shun apps that fail to provide proper privacy information, to refuse to grant unnecessary app permissions, to demand better, clearer and more flexible permission systems for all devices, and maybe even to get used to paying a little up front now and again in return for better quality, less intrusive software.

Source - Sophos Naked Security Blog