Smartphone apps can access some pretty personal and intimate information. This ranges from phone numbers and email addresses to GPS coordinates, to name a few.
It would be reasonable to assume that data collected is limited to assisting an app with its functionality. However, this doesn’t always seem to be the case.
A report in the UK’s The Sunday Times, “In a flash your details are on a server in Israel”, sheds some light on data transfer practices in 70 basic smartphone apps.
These run-of-the-mill applications were chosen because the Sunday Times felt they sought more information than was functionally necessary.
Using “MiddleMan” software, they were able to monitor app data transfers and made some rather disconcerting discoveries.
The results showed that of the 70 apps, “twenty-one transmitted the phone number, six sent out email addresses, six shared the exact co-ordinates of the phone and more than half passed on the handset’s ID number.”
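The kind of check described above, as an added example (not code from The Sunday Times or from this article): it searches requests captured from an auditor's own test handset for that handset's known phone number, email address, coordinates and handset ID, including URL-encoded, base64 and hashed forms. The handset values, the capture format and the hostnames are all constructed assumptions.

```python
import base64
import hashlib
from urllib.parse import unquote_plus, urlsplit

# Constructed identifiers for the auditor's own test handset (assumptions).
TEST_DEVICE = {
    "phone_number": "447700900123",
    "email": "tester@example.org",
    "handset_id": "356938035643809",
    "latitude": "51.507",   # truncated so extra decimal places still match
    "longitude": "-0.127",
}

# Constructed capture, shaped like an intercepting proxy's request export.
CAPTURE = [
    {"url": "http://ads.example.com/t?msisdn=447700900123&imei=356938035643809"},
    {"url": "http://api.example.net/register",
     "body": "user=tester%40example.org&lat=51.50742&lon=-0.12776"},
    {"url": "http://cdn.example.org/v?d="
            + hashlib.sha1(b"356938035643809").hexdigest()},
    {"url": "http://img.example.org/wallpaper/42.jpg"},
]

def encodings(value):
    """Forms in which an identifier commonly appears on the wire."""
    raw = value.encode()
    return {
        "plain": value,
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
    }

def audit(capture):
    """Map each destination host to the personal fields found in its traffic."""
    report = {}
    for req in capture:
        host = urlsplit(req["url"]).hostname
        wire = req["url"] + "\n" + req.get("body", "")
        haystack = wire + "\n" + unquote_plus(wire)  # as sent, plus URL-decoded
        for field, value in TEST_DEVICE.items():
            for name, needle in encodings(value).items():
                # base64 is case-sensitive; plain text and hex digests are not
                if needle in haystack or (name != "base64"
                                          and needle.lower() in haystack.lower()):
                    report.setdefault(host, set()).add(f"{field} ({name})")
    return {host: sorted(fields) for host, fields in report.items()}
```

A value wrapped inside a compressed, encrypted or salted payload will not match, so a clean result from a check like this does not prove that nothing was sent.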
While the permissions for data collection may be buried somewhere in the privacy policy, we all know that most users don’t actually read these non-negotiable, lengthy, and difficult-to-understand contracts.
The excessive and unnecessary data collection is only part of this story. Perhaps more worryingly, the investigation highlights that the terms and conditions of the tested apps do not disclose the names of the data recipients, leaving users clueless about the final destination of their data.
The Sunday Times claimed that personal information was being sent outside the EU data protection fortress to companies and servers in China, India, Israel and America.
Specifically, 15 of the apps, including a puppy wallpaper app “Cute Dog”, sent the phone number to an LA-based internet advertiser.
In another example, a flashlight app sent the user’s email address and phone number to a server in Delhi, India.
When EU data travels outside the European Economic Area borders, it is said to travel to “third countries.” This can pose new risks to the subject’s privacy, and the data enters a minefield of complex legal regulation.
One such regulatory divide is found in Article 25 of the Data Protection Directive (DPD). It demands that the European Commission determine when “third countries” are providing DP standards equivalent to the EU’s DPD.
If the country meets the standards, it is added to a list of approved countries. Currently, this list is very short, notably including Argentina, Australia, Canada and the Faeroe Islands. This means that free flow of data can occur between the EU and these jurisdictions.
The US also has made the cut with its US-EU Safe Harbour Agreement.
Importantly, The Sunday Times headline singled out Israel as an example of somewhere unexpected to send EU data. However, this is a bit of a red herring and should not necessarily alarm concerned parties.
Last year, the European Commission added Israel to the approved countries list, meaning their DP laws are adequate for EU transfers without the need for any additional safety measures.
For India and China, two other destinations mentioned in the report, there is no such seal of approval. Although India recently passed new data protection rules, these don’t equate to the same high EU standards yet.
However, the commercial reality is that developers need to make money from these apps. Nevertheless, I don’t think the business model of collecting and relaying all data that seems vaguely useful is sustainable from a user perspective.
Non-legal approaches may be able to provide businesses a more sustainable model, while protecting customers from over-zealous apps.
Stronger adherence to minimal data collection and clearer user privacy policies are a good start.
Last week’s GSMA mobile app “privacy by design” development guidelines included some brilliant recommendations to develop industry-wide harmonisation in these areas.
Another important practice is to ensure data is strongly encrypted when transferred to “third countries”. This added security is essential considering the likelihood that app data will end up in places that fall well short of the high EU DP standards.
"Non-legal approaches may be able to provide businesses a more sustainable model, while protecting customers from over-zealous apps.
Stronger adherence to minimal data collection and clearer user privacy policies are a good start."
Eh? Maybe it's just me but I don't think it's clear whether you're advocating or decrying "non-legal" (ie illegal) approaches by businesses here! You could almost be SUGGESTING that they ignore the data protection act.
Hello Kieran,
Thanks for your comment. When I suggested "non-legal" approaches I meant increasing use of industry self regulation tools and technical solutions, like the GSMA developer guidelines and stronger encryption.
These methods give businesses other means of protecting user data when it leaves European borders.
This is especially important when physically enforcing EU DP laws would be very difficult, in China or India for example.
I'm definitely not saying the companies should choose one approach or the other. Of course they should always adhere to relevant DP laws.
I am merely suggesting different / complementary tools that strive towards the same end result.
"Non legal" tools like encryption are not bound by the same restrictions as laws, like jurisdiction.
Given this advantage, their usage should be increased when data travels and is held outside the EU.
Thanks,
Lachlan
Non-legal processes such as encryption fall well short of offering any protection to users who have no idea where their data is ending up. Encryption protects data en-route from phone to server, it provides no protection if that server is in the control of a less than scrupulous individual or corporation.
The simple fact is that unless the smartphone OS developers (Google & Apple in the main) close the holes that allow irrelevant data to be collected and sent to ANY server, whether in the EU, a safe country or a third country, user data is not safe.
Sadly it is not in Google’s interest or power to do this. Their oversight of the apps that hit Android phones is minimal at best, and apps can get through that do a whole lot more than send your address to India. Google itself makes plenty of money from using your personal data, so it would be seen by most as hypocritical (or worse – creating a monopoly on user data) if they were to lock out their app developers from doing the same.
For Apple it is slightly less clear cut. They also use your data (location stored on your iPhone for instance), but do they profit from it? They have better app approval processes, but they too need revenue to flow from micro-transactions that are subsidised by revenue generated by ads. As we move forward those ads are going to become more targeted to the individual, and how will that happen without collection of an individual’s information?
In the end, self regulation will not work. Legislation by individual states and international law will force the developers into a position where they have to ensure user data is held safely and only shared when implicit permission is given.
And that will only work when users work out what they should and shouldn’t share with unknown third parties. And that needs education of an increasing user base who do not actually understand the technology that they have in their pockets.
Why does the headline say "Your data is going to China" and then the article is mostly about the data going to Israel?
I guess you were afraid of seeming anti-semitic since the article mostly tries to raise suspicion about Israel, leaving the "detail" that they comply with EU data protection laws till nearly the end of the story.
I can’t speak on behalf of Lachlan the author, but wasn’t it the Sunday Times which raised the Israel connection?
And as Lachlan points out, they’re considered to be an ‘allowed’ country under EU data protection laws.
So, if anything, we’re debunking the Israeli connection angle.
Israel isn’t really the biggest issue.. Other countries are. Despite what the Sunday Times might have inferred.
Of course, you may not be happy that your data is going to parties in other countries full stop. Smartphone app users beware..
Thanks Graham, that is exactly right. I was trying to show that the Sunday Times headline implied data from the EU shouldn't be sent to Israel, but there is actually nothing (legally) wrong with this practice.
That's because the European Commission have formally acknowledged that Israel has adequate standards of data protection for EU transfers. This means data can flow between the EU and Israel with no additional safeguards required.
The real issue is of course companies designing apps that collect too much information and then sending it abroad in the first place (often to countries that haven't got adequate standards of data protection for EU data transfers)
Yes, but what are the apps?
I understood the article in a way Graham did, too. I don't see the reason for invoking anti-semitic argument, since there is nothing here to imply such a qualification. And I agree with Lachlan's opinion on, possibly, better adequacy of technology and self-regulation tools for data protection in many cases.
I'd like to see what happens when you alter the smartphone contract, deleting or modifying the provisions you object to.
Has anyone investigated Voxer? The mere operation of the application transfers all contact data, somewhere, and interlinks this data so users are getting phishing scams, unsolicited blocked phone calls etc. Why this app has not been blocked by the major security applications, I cannot fathom.
Can you provide a link to a technical document which details how Voxer does this, Michael Wetmore?
Is there some way to tell when apps are sending data out and/or give users a way to block it from being sent? Or are smartphones so far behind computers when it comes to personal information protection that it's going to take years to fix?