CBC MARKETPLACE | By Asha Tomlinson – Texts, photos, location — you could be giving up a lot more than you think when you download some apps.
Odds are you’re reading this story on your smartphone — and you’ve likely used one or more apps on your phone today.
The average Canadian has at least 18 apps on their mobile device, according to research group Catalyst Canada — everything from fitness to social sharing to shopping and games. But is the fun and convenience worth all the personal information you could be giving away?
CBC’s Marketplace worked with experts to create a simple horoscope app as a way to show how much Canadians can unknowingly reveal about themselves when they install an app on an Android smartphone.
In downloading the app, which does little more than provide astrological advice, the eight people Marketplace approached in downtown Toronto gave us access to their location, their phone’s camera, even their microphone.
These are just some of the permissions many app designers seek in the lengthy terms and conditions agreements app users are required to accept.
Marketplace followed up with four of the respondents a week later but is not revealing their full names to protect their privacy. One of the testers said the app permissions are “disturbing.”
“I feel kind of violated,” said Shahbaz.
- Watch the Marketplace story Are Your Apps Spying On You? Starting Friday at 8 p.m. (8:30 p.m. NT) on TV and online
Domingo Guerra, president and co-founder of San Francisco-based Appthority, says apps can be “the perfect spy tool” in some cases.
“A lot of times, we’ll download an app thinking it’s a flashlight, thinking it’s a game, thinking it’s a social media app, but it’s so much more bundled into it,” he says.
“In general, we see that free apps are not really free … we’re paying with our data.”
Third parties can benefit
Some apps need to access data in your phone for some of their functions. For example, Facebook needs to access your location if you want to check in somewhere; Instagram needs access to your camera and microphone in case you want to post a picture or video in the app.
But problems persist for many app makers — ride-hailing service Uber has faced lawsuits over privacy questions and was recently criticized for the way it tracks users in real time.
And last year, Pokemon Go maker Niantic had to update its permissions after a mistake that allowed “full access permission” to a player’s Google account. The company says it wasn’t initially aware of the flaw and didn’t receive or access the broader data beyond basic user ID or email address.
Guerra’s company, which specializes in mobile risk management for businesses, helped develop Marketplace‘s experimental app. He says some companies could be collecting more data than they need so they can sell it to third parties.
‘A lot of times we’ll download an app thinking it’s a flashlight, thinking it’s a game, thinking it’s a social media app, but it’s so much more bundled into it.’– Domingo Guerra, president and co-founder of Appthority
“If a developer’s going to sell your information to a third party, like an advertising network, then having not just your name or your playing habits but also maybe your location, is more valuable.”
It took less than a day to design and build the app, called My Daily Horoscope. The horoscope app was available to Android phone users through a third-party website.
Similar to other popular apps, My Daily Horoscope had a lengthy terms of service agreement that testers had to agree to to download the app.
No questions before clicking ‘accept’
The participants who downloaded the app skimmed through the hefty contract quickly and clicked on “accept” within seconds. They had a free app — and the Marketplace team behind the app had access to a trove of data.
By accepting the terms of service, testers gave the app access to the phone’s microphone, contacts, call logs, text messages, camera and location.
That meant the app had the ability to track the phone’s movements and download photos and text messages. But it also had control: the ability to activate the camera, turn on the microphone.
Marketplace only accessed data to demonstrate to the testers what they had given up. After the test, all information collected by the app, which is no longer available to download, was destroyed.
App stores like Apple’s iTunes and Google’s Play have guidelines that require apps to disclose what permissions they want and what they do with the data. But it’s still possible for apps to push past what you’d expect and ask for data they don’t need.
The most shocking app permission for one of the testers, Shahbaz, was the ability to turn on his camera and microphone unprompted.
“I should have read those terms and conditions,” he said.
Same goes for Jason, who said he thinks the government should implement stricter rules and regulations to better protect consumers.
“If you want to do business in Canada, it needs to be regulated. It needs to be watched…. This is their job: to make laws and regulations. This is what they should be doing.”
Daniel Therrien, Canada’s privacy commissioner, says he can only give out warnings to companies who run afoul of privacy legislation. While there were few reported cases of privacy breaches involving apps in Canada in recent years, Therrien says it’s something his organization is watching.
He says one of the issues is whether “we should have stronger enforcement powers, such as the authority to order companies to change their practices, or even to issue fines” in a way that mirrors the U.S. and some western European countries.
“This is a very lucrative business, there’s certainly a case to be made that companies that make a lot of money with personal data should face important sanctions” if they don’t behave as required by privacy laws, he says.
There are steep fines from the U.S. Federal Trade Commission, and the agency has fined companies as much as $800,000 US for privacy violations. Europe is cracking down, too, forcing companies to reveal exactly where people’s personal data is going.
Bottom line? Consumers need to be aware of how much data they are offering up. The application manager is the go-to spot for users who want to manage their settings. People should also do a “spring cleaning” on their phones and delete the apps they aren’t using anymore — because they could still be collecting data.