It’s no secret that mobile apps take some, shall we say, liberties with your personal information. From Pokémon Go to FaceApp, you’ve probably heard about how apps track and collect data about what we do on them and on our devices, often without us knowing it. The good news is you have some control over your apps and have some options for protecting your privacy. The bad news: Even these have limitations. Here’s what you can do — and what you can’t.
App access requests aren’t necessarily about invading your privacy, but they come with risks
Apps often require access to parts of your mobile device to function — you know, their intended purpose and, presumably, why you downloaded them in the first place. If you want to post photos on Facebook, its app needs to access your photo library. If you want real-time traffic updates that follow you as you drive, Waze needs access to your phone’s location services. Speech-to-text programs need access to your microphone. That doesn’t mean they’re using that access to listen to your conversations. In fact, they probably aren’t (except for when they are, like when Facebook workers were listening to users’ audio chats).
But some apps may use that access for things that aren’t required for the app’s functionality, or they want access to other device features that have nothing to do with the app. That’s how you get flashlight apps that should only need access to your camera’s flash hardware but that also collect your location data and sell it to ad networks.
“The reason for data collection is almost always monetization,” David Choffnes, an associate professor in computer science at Northeastern University, told Recode. “This could be from advertising or from selling your data to other companies. So even when the app you download is ‘free,’ you are often paying for it — with your data.”
Permissions and privacy policies can help
Over the years — and typically in response to criticism over a newly discovered privacy breach — Apple and Google have taken steps to prevent unauthorized access to device features and to better inform users about what their apps access.
“There’s still a whole ecosystem predicated on sucking as much information from people’s phones as possible,” Jen King, the director of consumer privacy at Stanford Law School’s Center for Internet and Society, told Recode. “Now you have a little bit more choice over denying apps access to some of this.”
To that end, apps must now ask for and receive your permission to access certain device features; they don’t just have it by default. That’s why you get that little popup window when you first install an app that requests access to things like your camera, your location, or your address book. You may also be able to control when the app has access, like allowing it to track your location only when the app is in use. The popup usually also says why that access is being requested in the first place, although that explanation may leave a few things out.
BuzzFeed News reported that apps may tell you they need your location data to give you a better, more personalized experience without mentioning that they also sell that data or use it to target ads. One weather app, the New York Times found, sent location data to 40 different companies while users probably assumed their location was only being tracked to get the local weather forecast.
You also have privacy policies, which app stores now require apps to link out to, that explain in greater detail what data apps collect and how they use it. But those policies can be lengthy, vague, and difficult for the average person to understand. For instance, a policy might say your data could be shared with affiliates, which actually means it will be shared with advertisers and/or analytics companies.
The Wall Street Journal broke down policies from Apple, Google, Amazon, and Domino’s to show just how much data could be collected from something as simple as two friends buying pizza. In the end, it found 53 pieces of information could have been collected from the two friends, who would have to spend about five hours reading more than 75,000 words of privacy policies to figure that out. No one is going to spend their time doing this, and companies know that.
“Consumers aren’t given the information they need to make informed decisions, and the entities supplying that information are not incentivized to give them accurate or useful information,” Serge Egelman, research director of the Usable Security & Privacy Group at the International Computer Science Institute, told Recode.
What to look out for
Some of the worst privacy invaders share the same red flags. Here’s what to watch out for.
Free apps are usually loaded with trackers — they have to make money somehow, after all — though you shouldn’t assume that purchased apps will protect your privacy. Egelman’s research has found that the paid versions of apps often have the same trackers as their free counterparts.
“I think we are moving into an era where you can’t just assume that you pay for something and it doesn’t do that,” King said. “I think that used to be a safe assumption and it’s getting a lot less safe.”
Games are often considered to be among the most invasive apps — not to mention that they’re often targeted to or made expressly for kids who should be protected by privacy laws tailored to children. If you’re downloading a game app, give its permissions requests a careful look.
One simple thing to watch out for: You should think twice before downloading apps that ask to access features that don’t seem to have anything to do with the service they provide.
“Ask yourself if the permission is commensurate with what the app is,” King said. “If it’s a weather app, does it need access to your photos or access to your address book? Not likely.”
You might also want to do some research on an app’s developer. If you’re not comfortable with the Chinese government potentially having access to your data, for instance, it may interest you to know that TikTok is owned by a Chinese company. TikTok maintains that it does not store any user data in China and that it does not share user data with the Chinese government. Similarly, FaceApp is based in Russia but says it does not store user data in that country. It’s up to you to decide how much you trust those companies.
It’s also a good idea to periodically check your device’s settings to see which apps you’ve given permissions to and what you’re permitting them to do. Apple and Android devices now tell you which features apps have requested access to and if you’ve granted that access — and give you the ability to change those permissions in some cases.
Here’s how: For Apple devices, go to Settings > Privacy. You’ll see a list of permissions (for example: location services, contacts, or photos). Click each one to see which apps have requested access to those features and change them accordingly. You can also go to Settings and scroll down to where each of your apps is individually listed. Click on each one to see what you have given it access to and adjust as you see fit.
For Android devices, go to Settings > Apps & Notifications > App Permissions. You’ll see a list of permissions. Tap each one to see which apps have access to them and then adjust. You can also go to Settings > Apps & Notifications > [App] > Permissions. Adjust accordingly.
“My approach is to deny permissions to an app unless you determine that it’s absolutely necessary for the app to function,” Choffnes says. “Another approach is to limit the number of apps you install on your phone. Put another way, think twice before installing an app, and occasionally delete apps you aren’t using anymore.”
But permissions have limits
Much of Egelman’s research focuses on the data collection users don’t know about and can’t stop, no matter how many permissions they deny. He says permissions are “an illusion of control.”
Apps simply find other ways to get the information they want, including location data. Or they use data that isn’t controlled by permissions, like unique device identifiers that allow apps to collect data about how and when you use them, which advertisers then use to better target their products. Both Apple and Android now allow you to reset advertising identifiers, and Apple devices have a “limit ad tracking” option.
“The bread and butter for the tracking that occurs — profiling people and what they do — that data generally isn’t protected by the permissions system at all,” Egelman says.
Egelman worked with researchers to create AppSearch, a service that can give you some idea of what your Android apps are really tracking and who they’re sending that information to. I checked it out for myself and, sure enough, many of my favorite apps were laden with trackers. Cookie Jam, I am so disappointed in you.
And, of course, there are the apps that do objectionable things with your data without being transparent about it: Facebook, Brightest Flashlight, Path, and Snapchat have all settled FTC complaints on privacy violations. There’s not much you can do about that, other than boycott an app if you don’t like how it’s handled users’ data.
“There are so many stories about data breaches and unexpected uses of our data that it’s hard to flag just one as the most troublesome,” Choffnes says. “I would argue the most troublesome use is the one that hasn’t happened yet.”
What else you can do
Of course, the best way to avoid having your data mined by apps is not to download them at all. You’ll just have to decide for yourself if what the app gives you is worth what it takes away.
Open Sourced is made possible by the Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.