Your favourite app may be violating your privacy!

Mobile Apps: New conduits for collecting information?

The smartphone revolution has created a booming marketplace for mobile app developers, even as the iPhone, Ovi, Android and BlackBerry marketplaces continue to be flooded with innumerable apps, quite a few of them of doubtful relevance. Nonetheless, much of tomorrow's utility and entertainment for consumers is expected to come from these apps, as internet usage on the mobile platform keeps growing. However, greater reliance on a mobile device for accessing data and information from the web raises several privacy issues, since apps may collect information about your device, age, gender, geo-location and so on. Web applications that use Flash cookies can also store the information they collect on your mobile device, often in plain text, which is a significant privacy threat.

One can at times view the "permissions" which an app seeks from the user before the user "downloads" that app from an app marketplace. On occasion I have seen strange permission levels requested by apps before allowing me to download, such as the one below:

“Read phone status and ID. – Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.”

It is a fearful bewilderment that I battle with every time I see that among the "permissions" sought by a harmless app as a condition for downloading it. The "permission" quoted above acts almost like an effective permission for the app to determine the numbers of the persons to whom I make calls. Also, the part "…and the like" can be easily interpreted to include permission for the app to read the messages in my SMS inbox or my WhatsApp history!! And here I am only speaking of apps that actually display the type of information they collect and seek permission for it. There are several other apps, often paid ones, that do not disclose any kind of privacy information at all!!
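The permission text quoted above is what the marketplace shows a user; the underlying fact is that every Android app declares the permissions it wants in its AndroidManifest.xml, so the request can be audited before installing. The script below is an added example (not code from the original post) that lists the permissions a manifest requests, flags the ones that expose personal data, and rates the app higher when it also holds INTERNET permission, since that is what lets the data leave the device. The manifest it parses is constructed for illustration; the permission names are real Android ones, but the descriptions beside them are this example's own summaries. One point worth noting: reading SMS is governed by a separate permission, READ_SMS, which READ_PHONE_STATE does not include.

```python
"""Audit the permissions an Android app requests in its AndroidManifest.xml.

Added example, not code from the original post. The manifest below is
constructed for illustration. A compiled APK carries a binary-encoded
manifest; `aapt dump permissions app.apk` (from the Android SDK build
tools) or apktool will decode it to the XML form parsed here.
"""
import xml.etree.ElementTree as ET

# The android: attribute prefix resolves to this namespace in every manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose personal data. The descriptions are this example's
# own one-line summaries, not the platform's permission texts.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE":
        "phone number, device IDs (IMEI/serial), call state and the number in the active call",
    "android.permission.READ_SMS":
        "SMS inbox contents (separate permission; READ_PHONE_STATE does not grant it)",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS) geo-location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate (network) geo-location",
    "android.permission.GET_ACCOUNTS": "accounts configured on the device",
}

# Without INTERNET the app cannot open its own network connections, so this is
# the permission that turns collection into transmission.
EXFIL = "android.permission.INTERNET"

# Constructed sample: a torch app that wants far more than a torch needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Torch"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def audit(manifest_xml):
    """Summarise what the app can read and whether it can send it off the device."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    flagged = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    can_transmit = EXFIL in perms
    if flagged and can_transmit:
        risk = "high"      # personal data plus a network path for it
    elif flagged:
        risk = "medium"    # personal data readable, no direct network access
    else:
        risk = "low"
    return {
        "package": root.get("package"),
        "requested": perms,
        "sensitive": flagged,
        "can_transmit": can_transmit,
        "risk": risk,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print("package:", report["package"])
    print("requested:", ", ".join(report["requested"]))
    for perm, what in report["sensitive"].items():
        print(f"  {perm}: {what}")
    print("can transmit off-device:", report["can_transmit"])
    print("risk:", report["risk"])
```

Run against a decoded manifest, the report for the sample app comes out "high": it can read the phone number and device identifiers and the precise location, and it has the INTERNET permission to send them. CAMERA is requested but not flagged, because the list above is deliberately limited to permissions that read stored personal data; extend SENSITIVE to suit the review being done.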

Investigations into Privacy Issues

After going through a few of the apps available on the Android marketplace on my phone, I realised that most of them do not have any privacy policy in place. Such concerns were also raised earlier by surveys undertaken last year by the Future of Privacy Forum (FPF) and the Wall Street Journal. The WSJ investigation revealed that "of 101 popular smartphone "apps"—games and other software applications for iPhone and Android phones, 56 transmitted the phone's unique device ID to other companies without users' awareness or consent. Forty-seven apps transmitted the phone's location in some way. Five sent age, gender and other personal details to outsiders." The FPF survey found that three-quarters of the most downloaded apps lacked a privacy policy, and that among paid apps a mere 33 percent had one. A surprising but amusing finding of the survey was that free apps were more likely than paid apps to make their privacy policies easily available.

It goes without saying that norms requiring a mandatory privacy policy have to be observed more stringently, whether by enforcing an app store's terms and conditions for developers or through legal mechanisms, so that a standard privacy policy is made available by app developers, since many of these apps collect and store information about the user, the device and, to some extent, the user's behaviour on the phone. This will help users decide before they start using a mobile app.

Addressing Privacy Concerns

Google's Developer Distribution Agreement, which developers accept to place apps on its marketplace, contains conditions obliging developers to protect the privacy and legal rights of users. It also requires developers to provide legally adequate privacy notice and protection to users (clause 4.2). The terms bar the use of customer information generated from the marketplace for the purpose of selling products or services outside the market (clause 4.4). Further, clause 4.9 provides that Google may remove products that do not meet acceptable standards.

One way of reading these conditions is that Google may remove products that do not meet standards acceptable to Google, one of which is adherence to the privacy rules of the US and other relevant jurisdictions regarding data collection. However, checking each app's compliance with the data-collection rules of different jurisdictions may be too granular and too costly an activity for Google, so users cannot expect Google to be proactive in removing apps that flout its terms and conditions. As a result, apps that flout Google's terms continue to be listed on the Android marketplace (now Google Play), and it follows that most of them are also not in compliance with the privacy rules of the various jurisdictions.

Also, individual users may never be in a position to report privacy violations, because data relating to them is often collected without their knowledge. Nor are users sufficiently aware that data about them is being collected by an app they use for otherwise harmless purposes.

Under Rule 4 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (henceforth, the "Privacy Rules"), a body corporate, or any person acting on its behalf, is obliged to:

  • provide a privacy policy for handling or dealing in personal information, including sensitive personal data or information; and
  • make such privacy policy available for viewing by the providers of such information.

Such a privacy policy, once established, shall be published on the developer's website and shall provide for:

  • clear and easily accessible statements of its practices and policies (such as the nature of the app's interactions with third-party applications or other third parties, the information the app collects, and what the persons behind the app do with that information and in what manner);
  • the type of personal or sensitive personal data or information collected by the app;
  • the exact purpose for which such personal data or information is collected; and
  • disclosure of any sharing of the collected information with third parties.

Before such information is shared, ideally the consent of the provider of the information must be sought, and this can be set out in the privacy policy itself. Thus the privacy policy must state the exact purpose for which information is collected and shared with third parties, and the period for which it will be retained and used.

However, following a clarification by the Department of Information Technology, on which Apar had written a post, the Privacy Rules may apply only to legal entities located within India, and only when a particular legal entity collects sensitive data or personal information under a contractual obligation with the user directly. Therefore a large number of apps and body corporates may fall outside the purview and ambit of the Indian privacy rules altogether. And even where such body corporates may be liable under foreign jurisdictions, it is safe to say that pursuing foreign-based companies in foreign courts will be prohibitively expensive for users affected in India. This calls for considerable discretion on the user's part to protect information about them from being tossed around without consent, or in non-transparent ways, through the world (or marketplace?) of mobile apps.
