New reports from researchers looking into the mobile app industry present a chilling tale for the 13th of the month of that would probably make Rockwell’s hair stand on end.
“Usually, you just have to take the app’s word that it’s grabbing only the data you’ve agreed to give it,” reports Alfred Ng at CNet, referencing recent projects aimed at understanding how our data is illicitly used. “Often, though, there’s more grabbing going on than you were led to believe, security researchers have determined. More than 1,000 apps have been found to take data even after you’ve denied them permissions. For instance, menstrual tracking apps have shared sensitive info with Facebook, as well as with other companies you might not have expected. Similarly, apps designed to block robocalls have shared your phone data with analytics firms.”
Mentioning location data tracking specifically, Ng gives us some even more ominous news. His article reveals that sources show a lot of this data is used by advertisers, but some is also used by government agencies, for example, “to track immigrants.” Ng details persistent research by, among others, Electronic Frontier Foundation senior staff technologist Bill Budington, who is uncovering more of this kind of unsavory reality using tools like Panopticlick.
Civil rights and privacy rights activists will likely have their ire raised by the echoes of these reports as they emerge.
There’s also the question of the international context for this type of data use.
The European GDPR that went into effect just a couple of years ago had a tremendous impact on American businesses.
Suddenly, any app or company that dealt at all with data on European citizens was, in May 2018, subject to specific rules and regulations, for example, this component of the Privacy and Electronic Communications Regulations 2003 that an author at Fox Williams contends is “relevant” under the GDPR:
“It is unlawful to gain access to information stored in the terminal equipment of a subscriber or user unless the subscriber or user (a) is provided with clear and comprehensive information about the purposes of the access to that information; and (b) has given his or her consent. This applies irrespective of whether or not the location data is ‘personal data’.”
As for impact, a piece by Rob Sobers at Varonis last year notes there had already been $63 million in fines issued in the first year of the GDPR’s enforcement, with Google paying $57 million of those fees, and no less than 144,000 complaints: a biblical number, chilling in its enormity.
So in essence, the GDPR is being broken all the time. It could be that the revenues for some of these companies exceed the punitive impact of the fines themselves. Whatever the case, it seems we have to stay vigilant about how our data is being surreptitiously used by devices that capture it as we use them.