What the app privacy investigation means to you (FAQ)
The government is looking into what data companies are gathering from mobile applications and whether they are violating laws that protect consumers' privacy. But what's it mean for you?
Federal prosecutors are looking into whether mobile application makers, advertisers, and mobile app store owners are violating the law when it comes to transmitting users' personal data. But what's it all mean for average consumers?
The investigation appears to be prompted by a report published by The Wall Street Journal in December that evaluated 101 popular mobile apps. The newspaper said in that article that more than half the applications tested disclosed consumers' personal information without their consent or knowledge.
The story also prompted at least two civil lawsuits against several application companies including Pandora as well as Apple and some ad network aggregators.
To get a better understanding of what this means for users, CNET put together this FAQ.
What is this federal investigation about?
In December, The Wall Street Journal published a story stating that more than half of the 101 mobile apps it tested share information about users without their consent. Civil lawsuits have been filed against several application companies and Apple, which runs and approves apps for its App Store.
The federal investigation is likely looking further into these allegations to see if the law has been broken. Specifically, the government is investigating whether app developers have violated the Computer Fraud and Abuse Act, according to an unnamed source who spoke to The Wall Street Journal in a story published Monday.
This law was created to prosecute computer hackers who go after information stored on a computer.
What information is shared in mobile applications?
Depending on the application, there is a lot of information that can be shared. Some of this information is provided by the consumer and with the consent of the user. But some of it is being sent from mobile devices without the user even knowing or realizing it.
For example, people using an app like FourSquare realize that their location is being tracked. That's the purpose of the application. Users of Pandora also know that their musical tastes are being tracked. Again, that's the purpose of the application. And many people assume and tacitly accept that this information is shared with advertisers. This is why people receive coupons for certain places they visit on FourSquare or why people hear or see certain advertisements on Pandora.
But what many users might not realize is that there is some information that is being transmitted from their phones that they don't realize is being shared. And some of this information can also be used to identify them.
For example, in The Wall Street Journal test, the paper said the most widely shared detail was the unique ID number assigned to every phone. These IDs are set by phone makers, carriers, or operating system developers to track devices. And they usually are not able to be deleted or blocked.
For example, Apple uses a unique device identifier called a UDID, which is similar to a serial number that belongs to each iOS device. According to the test that the WSJ conducted, this number was often transmitted to advertising companies to track usage. In one of the civil lawsuits filed against Apple after the WSJ story was published, the plaintiff alleges that this UDID can be used by third parties to know which apps you download, how frequently you use those apps, and for how long. Also, when this information is gathered and compared with other data collected, the suit alleges that third parties can extrapolate a person's gender, location, income, ethnicity, sexual orientation and political views. All of this can be obtained without the user ever providing consent or having knowledge that the information has been transmitted and shared with third parties.
Does Apple have a policy against this?
Yes, Apple certifies all of its apps for its App Store. And the company's policy is that iPhone and iPad apps "cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used." But according to the WSJ story and the lawsuits filed against Apple, this rule isn't always followed by application developers. Apple has declined to comment on this.
What about Google Android phones? Are they vulnerable as well?
Yes, every phone has a unique identifier that is used and this information could be transmitted to third parties, which could extrapolate information based on this identifier. So far Google hasn't been named in any of the civil lawsuits. But an unnamed source in another recent Wall Street Journal article about the federal investigation said Google has been asked to provide information. A Google spokesperson did not return phone calls or e-mails seeking comment on this topic.
Google is different from Apple in the sense that it doesn't certify or test applications for submission into the Android Market. So the company says it's up to the application developer to handle the user information appropriately.
That said, Google does require that Android apps notify users, before they download the app, about what information on the device the app will access. For example, if an app will access the camera, memory, contact list, or a number of things on the device. Users then have the option to not install the app.
But if some of this information is being given up by users with their consent and permission, why is this a problem?
What makes all of this somewhat troubling is that even if a user provides permission for the app to use its location or other information, neither Apple nor Google require app developers to disclose whether or not they send that information onto third parties, such as advertisers. Also, consumers are often not notified if their unique device identifier is being used by advertisers.
How can I keep apps from getting at my information?
On iOS devices:
Applications that want to make use of your location are required to first get your approval. This comes as a pop-up notification the first time the application asks. If you do not want an app to have your location, you can deny this message. Apple's iOS also keeps track of each time the location is being used with an arrow in the device's status bar at the top of the screen.
As for other types of data, that's where some of the controversy lies. The majority of app makers put third-party tracking tools as part of the underlying code of their application, meaning there's no on-off switch. One solution that users have come up with is jailbreaking their device to get low-level system access, then installing programs that can provide a system-wide block for third-party trackers.
For those with a jailbroken iOS device, there's PrivaCy, a free settings option that includes toggles to turn on and off the anonymous usage statistics sent to companies like Flurry, Medialets, Mobclix and Pinch Media. This gives users a granular control over which of these networks apps can talk to.
For Android users:
Unlike on iOS, there's no app that lets you turn particular data collectors on or off across all apps. However there's a $2 app called Privacy Blocker that can go through your applications and find which are transmitting certain kinds of data. The program is then able to let users toggle, or make edits to those bits of information, such as changing a listed phone number or name fields. The next time that application checks in, it will be transmitting the data the users has come up with.
For BlackBerry users:
The BlackBerry Analytics service, which some application makers use to collect anonymous usage data, can be opted out of. This must be done on an application by application basis. Instructions for how to turn it off can be found on the BlackBerry support forums, linked here.