Your mobile apps are spying on you

Privacy on the web has always been a contentious issue, as the vast majority of users wish to remain anonymous while browsing. However, little attention has been given to the privacy of mobile phone users. Hence I was interested to read the article on mobile apps from Sarah Perez:

www.readwriteweb.com/archives/dear_iphone_users_your_apps_are_spying_on_you.php

Compared to computer use, mobile phones have a greater potential to infringe on your privacy for the following reasons:

  • Mobiles are registered to a unique user (legally this is very difficult to avoid)
  • Mobiles are rarely shared (though this is more common in Asia)
  • There is no such thing as an “Internet cafe for mobiles”; users almost always use their own phone
  • Mobiles broadcast their position by triangulating with transmitters, typically with an accuracy of 500m radius (though with GPS-enabled phones this can be much more precise).

Putting the web analytics privacy debate into perspective

Since Google, Microsoft and Yahoo entered the market with their web analytics tools, privacy has certainly received a lot more air/blog time. Essentially, because of the wealth of other data these companies possess, people fear how such information can be used.

That’s a healthy fear in my view and it’s right to question those companies, and others, as to their approach towards end-user privacy. However, the web analytics debates around cookie use and the lesser-known Shared Objects pale compared to what could be happening on your mobile – I use the term mobile rather than iPhone here as I am sure the same issue occurs with other smartphones.

Do you fear mobile phone tracking as much as web analytics tracking?


7 Comments

  1. Phil

    An iPhone WiFi virus called “iPhone/Privacy.A” which steals personal data such as contacts, sms, email, apps has just been detected.

    It only affects jailbroken iPhones which have not changed the default root password of “alpine”.

    The virus software is installed on a PC or Mac and then scans for connected iPhones via WiFi. It does not install anything on the iPhone, but it is able to remotely access the user's data.

    Change the iPhone's root password to secure the device:
    http://cydia.saurik.com/password.html

    Further Reading:
    http://www.ihackintosh.com/2009/11/iphoneprivacy-a-first-malicious-iphone-malware-detected/

  2. Phil

    The other Mobile Analytics tracking solutions are:
    Pinchmedia, Mobclix, Flurry, Medialets

    PinchMedia has responded to the spyware accusation:
    http://www.pinchmedia.com/blog/pinch-media-user-privacy-and-spyware/
    http://www.pinchmedia.com/blog/improved-opt-out-methods-for-pinch-analytics/

    Related post by an iPhone user:
    http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail?entry_id=46054

    A developer has created an iPhone opt-out APP for Pinchmedia, Mobclix, Flurry, Medialets:
    http://cydia.saurik.com/package/com.saurik.privacy

    As developers are using GA gadgetTracking to monitor usage of their APP, I suspect an APP that blocks GA tracking on iPhones could follow!
    http://code.google.com/apis/analytics/docs/tracking/gadgetTracking.html#trackingYourGadget

    Cheers

    Phil.

  3. Phil

    Brian,

    I agree Developers understand cookies; they know their uses & implications.

    However, they are not experts in privacy, data storage & protection; this is especially true for small scale applications designed for iPhones.

    I presume that a developer wants to know: “How many times has my application been installed, how often is it used & what elements are most popular?” or “how can I resell other iPhone APPs to these users?”

    I suspect the storage of IPs, IMEI, cell phone number could be accidental, as the developer sets the APP to “POST-all” available information. However, personal information can only be stored for the purpose for which it was intended to be used, and it should not be used for a different purpose (e.g. if a customer buys a mobile APP, then later gets an SMS message with an offer for a new mobile phone contract, this could be seen as data misuse).

    If the developer stores an email address or cell phone number that allows users to be contacted in the real world, then the developer needs to allow for user access requests & needs to be registered with ICO (or equivalent); failure to register could result in a warning & then a £1,000 fine.

    Do you think developers are aware of the fine for privacy non-compliance? I would guess, the answer would be no, most developers have not even heard of P3P, let alone privacy laws.

    Personally, I think that widget tracking on iPhones (or via tools such as addthis.com on websites) presents more of a problem than 1st, 3rd party or Flash cookies, as they are silently tracking and not being “open” about purpose or data usage.

    As you have suggested above, increased transparency is the key; it helps build user trust & long term encourages users to download more APPs without fear the APPs are “doing anything nasty” behind the scenes.

    Hope that is useful.

    Phil.

    On a comical note, did you see the recent Google Opt-Out Village parody video?
    http://mashable.com/2009/08/11/google-opt-out-village/

    ICO in UK gets increased powers to fine from April 2010
    http://www.out-law.com/default.aspx?page=10188

    ICO registration for £35
    http://www.dotmailer.co.uk/resource_centre/email_marketing_and_the_law/dpa_data_controller.aspx

    BTW: the Google Toolbar has an interesting new feature: if you opt out of “internet based advertising targeting”, it updates the doubleclick cookie, so that if you clear cookies, the toolbar automatically re-drops the cookie with the opt-out saved, effectively creating an undeletable cookie.

  4. Brian Clifton

    Chris: Agreed, though the key here is transparency. The web analytics industry, via the Web Analytics Association, has been battling for many years to educate legislators (and end-users) on what cookies really are – benign text files with very little threat to personal identification. The debate on 1st v 3rd party cookies muddies the waters and has dragged the whole thing out – as has the proliferation of Shared Objects. My comments on this are below.

    At present I see very little debate about mobile apps and certainly there is a lack of transparency.

    Phil: Thanks for the detailed response and links. I would disagree that developers are unaware of privacy – they are end-users like everyone else. Studies have shown that the more tech savvy a web user is, the more likely they block/delete their cookies, i.e. more aware of the privacy implications.

    In my view there is no problem in tracking individuals per se, but this should be an opt-in process, as per Google toolbar and any other Google service i.e. transparent. Educating the end-user and allowing them to opt-in, is a very different approach to tracking individuals by default, then allowing them to opt-out should they figure out the implications…

    My take on web analytics privacy:
    Personally I would like to see 3rd-party cookies deprecated by browsers so the debate becomes simplified and everyone knows where they stand. If a world of only 1st-party cookies existed, the privacy issue of using them all but disappears.

    However, Shared Objects (i.e. Flash cookies) are flying completely under the radar as the browser does not control them. In my view that’s a no-no. The end-user should have complete control of their privacy settings in one place.

  5. Phil

    One more thing…

    If these mobile apps do store personal data, then the user should be given the option to “opt-out” of tracking at the point of install and be able to change this setting within the app's settings.

    This is similar to the Google Toolbar user tracking opt out on web browsers.

    Thanks

    Phil.

    On a related note: Phorm, the behavioural targeting company which processed raw server logs on an ISP's network router and used this data to serve banner adverts, was forced to offer an “opt-out” of tracking service, due to public pressure.
    http://www.theregister.co.uk/2008/04/09/ico_phorm_tougher/

  6. Phil

    Is the cell phone's IMEI or telephone number sent in the GET or POST request by these mobile apps?

    If this is the case then it could allow the user to be found & contacted in the real world, which means that the storage of this data falls under EU privacy laws.

    Also, IMEIs can be used to re-enable stolen or blacklisted cell phones so they need to be stored safely.

    Secondly, for enquiry based websites tracking of paid search click-2-call is not straightforward due to the lead going offline.

    Although solutions such as MongooseMetrics and FreshEgg have made some progress using either the referring source to display an onpage 0845 or sending a GET request to an enquiry page when a number is called; these solutions are not perfect.

    A more reliable way of linking offline-to-online would be to use the phone's IMEI, phoneID, or cell number then map this to the enquiryID.

    So to conclude, as the developers that create these APPs are not familiar with privacy laws and there is no regulatory body that governs or has the power to prosecute cell phone privacy violations then this activity will continue.

    Also the need to focus on ROI based advertising will fuel the linkup of users' mobile data with other data; thus, I suspect this enforcement power will only be increased when a large privacy violation occurs.

    Cheers

    Phil

    P.S. Does Apple educate developers to read a summary of EU privacy laws, or does their APPs approval team certify that an APP is privacy compliant when it is added to the APPs store?

    UK opt-out for spam phone calls, for individuals.
    http://mpsonline.org.uk/tps/

    Growth of iPhone Apps
    http://blog.flurry.com/bid/24163/Rise-of-the-New-Middle-Class-Indie-iPhone-App-Developers-Part-I

    comScore – iPhone Users in the UK
    http://www.comscore.com/Press_Events/Press_Releases/2009/3/UK_iPhone_Users

    Sends GET request when a phone number is called.
    http://MongooseMetrics.com/solutions-ppc-phone-tracking.php

    Unique 0845 number shown based on referring source.
    http://Freshegg.com/call-tracking-with-google-analytics_734/

  7. Chris Johnston

    You always have to weigh privacy/security with ease of use. People want to use Google search, Google Maps, UrbanSpoon, Where, etc. on their iPhone/smartphone/mobile to find whatever it is they are looking for. US mobile networks are very slow and thus you want to get this information in as few steps as possible. If your apps know where you are and in some cases what you usually search for, or are likely to search for (like Google personalized results), this is very useful. In many cases you can not allow these devices and apps to know your whereabouts but it adds a few more steps, which takes more time, when you actually want to use them.
