Smartphone apps can access some pretty personal and intimate information, including phone numbers, email addresses and GPS coordinates, to name a few.
It would be reasonable to assume that data collected is limited to assisting an app with its functionality. However, this doesn’t always seem to be the case.
A report in the UK’s The Sunday Times, “In a flash your details are on a server in Israel”, sheds some light on data transfer practices in 70 basic smartphone apps.
These run-of-the-mill applications were chosen because The Sunday Times felt they sought more information than was functionally necessary.
Using “MiddleMan” software, they were able to monitor app data transfers and made some rather disconcerting discoveries.
The results showed that of the 70 apps, “twenty-one transmitted the phone number, six sent out email addresses, six shared the exact co-ordinates of the phone and more than half passed on the handset’s ID number.”
The excessive and unnecessary data collection is only part of this story. Perhaps more worryingly, the investigation highlights that the terms and conditions of the tested apps do not disclose the names of the data recipients, leaving users clueless about the final destination of their data.
The Sunday Times claimed that personal information was being sent outside the EU data protection fortress to companies and servers in China, India, Israel and America.
Specifically, 15 of the apps, including a puppy wallpaper app “Cute Dog”, sent the phone number to an LA-based internet advertiser.
In another example, a flashlight app sent the user’s email address and phone number to a server in Delhi, India.
When EU data travels outside the European Economic Area borders, it is said to travel to “third countries.” This can pose new risks to the subject’s privacy, and the data enters a minefield of complex legal regulation.
One such regulatory divide is found in Article 25 of the Data Protection Directive (DPD). It demands that the European Commission determine when “third countries” are providing DP standards equivalent to the EU’s DPD.
If the country meets the standards, it is added to a list of approved countries. Currently, this list is very short, notably including Argentina, Australia, Canada and the Faeroe Islands. This means that free flow of data can occur between the EU and these jurisdictions.
The US also has made the cut with its US-EU Safe Harbour Agreement.
Importantly, The Sunday Times headline singled out Israel as an example of somewhere unexpected to send EU data. However, this is a bit of a red herring and should not necessarily alarm concerned parties.
Last year, the European Commission added Israel to the approved countries list, meaning its DP laws are adequate for EU transfers without the need for any additional safety measures.
For India and China, two other destinations mentioned in the report, there is no such seal of approval. Although India recently passed new data protection rules, these don’t equate to the same high EU standards yet.
However, the commercial reality is that developers need to make money from these apps. Nevertheless, I don’t think the business model of collecting and relaying all data that seems vaguely useful is sustainable from a user perspective.
Non-legal approaches may be able to provide businesses with a more sustainable model, while protecting customers from over-zealous apps.
Stronger adherence to minimal data collection and clearer user privacy policies are a good start.
Last week’s GSMA mobile app “privacy by design” development guidelines included some brilliant recommendations to develop industry-wide harmonisation in these areas.
Another important practice is to ensure data is strongly encrypted when transferred to “third countries”. This added security is essential considering the likelihood that app data will end up in places that fall well short of the high EU DP standards.