The State of Data Privacy in Mobile Apps Space

– Amardeep Mathur & Gajendra Maheshwari

Introduction

Mobile phones have become a natural corollary to human life and are digital repositories of our everyday experiences. These mobile phones are loaded with applications (apps) that support our mobile based activities and in turn end up collecting a lot of our personal data including sensitive personal data, sometimes on real time basis, generating data privacy concerns for the users. Laws and regulations in relation to data privacy are sprouting all over the world, and amongst them the General Data Protection Regulation (EU) 679/2016 (GDPR) remains in the forefront. The GDPR provides an elaborate legal framework to ensure data privacy and allow data subjects more control over their personal data.[1] GDPR has reinforced that Data Privacy is no longer an issue of trivial compliance and is part of everyday boardroom discussions and a matter of business necessity.[2]

Risk Analysis of Mobile Apps

With the numbers of mobile phone users are growing exponentially, market size of mobile phone applications has seen tremendous growth. For a market, which is expected to achieve market size of 497.31 billion dollars by 2026[3], data privacy remains a nascent issue. While number of mobile app downloads have constantly increased in the years[4], data privacy risks these apps may pose have not been adequately addressed. It becomes important to analyze the issues that pose privacy risks for users.

Collection of large amounts of personal data

Apps collect all sorts of personal data, most of the times collection of such personal data depends on user’s express permission, which means one can toggle on or off permissions to control collection of personal data category. Personal data which apps can access and collect include, location data, personal data, health data, data from camera, wellbeing data etc. Furthermore, mobile phone devices come heavily embedded with various sensors such as microphone, camera, accelerometer, GPS, Wifi, etc. These sensors can generate very personal and copious amounts of data. It also increases the creation of metadata[5] such as metadata in relation to location, time, temperature, and other things.

Much of the personal data is prima facilely, collected through consent, but it also happens behind users back, as observed in the case of metadata. Large part of metadata collection happens without express consent, by default use of sensors, device identifiers etc. With such large of amounts of personal data being generated and collected by way of these applications, risk of privacy invasion increases manifolds[6] as it takes the app developers further away from privacy principles of data minimization and limited processing.

Device identifiers and liquid surveillance

Use of identifiers and sensors has seen rampant increase. With new mobile phones being introduced in the market every day, the underlying technology in relation to device identifiers and sensors has also improved. Mobile phone devices come with improved and sophisticated sensors and identifiers. These identifiers are help id and fingerprint the mobile device. While most these identifiers are incorporated as a necessity and were never intended to be utilized for other reasons such as targeted advertising, they are rampantly used by advertising companies to run targeted campaigns. For ex. The IMEI number or a Mac id being unique identifiers to track and isolate android or apple devices, they can also be used by advertising companies to sell ads targeting users having a particular device or model. Apples new ultra-wideband bionic chip which comes in all its latest devices can track and locate all of user movements in real time.[7] This is the latest technology in everyday liquid surveillance, it leaves little or no control for users to control aspects of data processing as the primary design of the technology is resistant to privacy controls and transparency.

Complicated Mobile app Ecosystems

A mobile app ecosystem consists of a large and complex network of actors and controllers, who are associated with the entire lifecycle of development deployment and functioning of the app. Privacy of personal data in mobile applications is largely dependent on how the app is implemented and how it is conceived in its development ecosystem. This inevitably leads to a trade off between functionality and privacy. A bridge between privacy and functionality, can be the concept of privacy by design and default.[8] By following privacy by design and default principles every actor or component related to device hardware and operating system, software development, ad libraries and app store etc., will have to inculcate and design such features, which will automatically support user privacy right from the basic design without compromising on functionality. [9]

While some element of privacy control does appear at various junctures, such as at operating system level, where user control and consent mechanism for data collection is provided, or at app platform level, where app stores require app developers to post a privacy policy and adhere to their data privacy guidelines. For example, Apple recently updated their privacy standards and requires app developers to make elaborate disclosures and put up a privacy policy before they can place their app on the Apple Appstore[10].

Data Security

When large amount of personal data is generated, collected and processed, data security becomes an important concern. A recent study in this regard highlights that an exceptionally large portion of apps available today, contain known security lapses, were prone to information leakage and their usage threatened user privacy. In terms of privacy, these apps required more than necessary set of permissions, some of which were classified by Google as ‘’protection level dangerous’’ or “not intended for third party use”.[11] It thus becomes clear that even though in the use of mobile application boomed in the pandemic, the state of mobile privacy did not improve for the better, leaving people exposed to greater privacy related vulnerabilities.

The Way Forward

Our lifestyles are digitally dependent, and our cultures are based on support from our devices and their applications, which control every aspect of our life and daily activities from lifestyle to education to entertainment and finance.[12] The pandemic has further strengthened this pattern, and thus it becomes important then ever, that privacy obligations are not just remain legal words but are translated into everyday compliance.

Adhering to existing Guidelines and Recommendations

Privacy regulators around the globe have come up with set of regulations and guidelines to ensure that legal requirements are incorporated in the overall app development and deployment process. Some examples of such guidelines and recommendation are Article 29 Working Party opinion on “Geolocation services on smart mobile devices” and “Apps on smart devices”[13]. UK ICO’s guidance on app developers[14] and the California Attorney General published “Privacy on the Go: Recommendation for the Mobile Ecosystems”[15]. While many more of such guidance from regulators and industry bodies are available, it becomes imperative for app developers and other actors involved in the ecosystem to adhere and follow such guidelines and incorporate the same at every stage of app development and deployment process.

Personal Data Collection and Consent

For processing personal data, apps rely on consent or permissions of the user. The prominent permission architecture is key to absolve all privacy requirements, as all acts relating to collection, sharing and processing of personal data is dependent on a single / universal consent.

The consent mechanism used by the apps is not adequately transparent and does not fulfill the requirement of “true and informed consent”.[16] Thus lack of transparency and full disclosure of the consent mechanisms becomes the first issue in the current state of consent. Secondly, the permission architecture, are burdened to cover multiple groups of activities and processing operations. Studies are show that android apps request additional privacy-risking permissions every three months.[17] Ideally, consent should be obtained for all processing operations under the same purposes and for different processing operations / purposes separate consent should be obtained.[18] Usually, a single step of account registration is treated as consent (by way of action) for an embargo of things such as collection storage processing terms of use etc. Such single action consent seeking actions are not compliant with the privacy law requirements. Lastly, complex permission architecture denies users the right to negotiate consent for primary functionality of the app and for any third-party functionality as well.

Transparency and other fair information principles

Transparency is one the primary privacy requirements second only to accountability. These are golden principles in data privacy that every app owner / developer should achieve. Transparency can be achieved when the app provides a privacy policy, privacy notices embedded in the app, and privacy statements and information submitted by the app is displayed on the app store where users can review permissions and privacy statements beforehand. Further apps should display information when seeking user inputs and provide explainers for app’s special functionality.

Notice / awareness is one of the fair information principles[19] which relates to the golden requirement of openness or transparency. By giving out all the relevant information regarding data collection and handling practices to users, app developers can achieve this principle. Other fair information processing principles include Choice / Consent; Access/participation; Integrity / Security and Enforcement / Redress. What is required that the app ecosystem is at least build around these fair information practice principles.[20]

Data Subject Rights

Data Privacy legislations are aimed at giving more control to individuals over their personal data. And this gives rise to various rights to the data subjects. The GDPR provides data subjects with right to access, erasure, rectification, portability, object etc.[21] It is important for app developers to clearly put out the rights available to users of the app and how they can exercise it. It further becomes essential to put in place simple modalities which allow data subjects to put in their requests and enable app developers to process and honor them. Honoring data subject requests is a shared responsibility of data controllers and data processors as to fully execute data subject requests there needs to be in place a mechanism between them to facilitate processing of data subject requests.[22] This mechanism needs to be simple in design and execution, so that exercising privacy rights doesn’t seem like a burden.

Data Transfers and Sharing

Data Sharing among mobile applications remain a prime privacy concern. Apps share personal data of users with third parties as a matter of functionality and revenue. Apps in order to offer improved and wide range of functionality and features are heavily dependent on complex integration and associations with third parties. In addition to that, the practice of transferring personal data to third parties for the purpose of harvesting is also rampant.[23] Sophisticated third-party trackers are embedded in the source code of multiple mobile apps which tracks, logs and transfers data about a single user, collected from multiple applications ultimately enabling the beneficiary company to form a profile of the user. The widespread and uncheck use of data sharing and harvesting can be attributed to the now popular “freemium” model which allows app developers companies to generate revenue from advertising. Contrary to mandates of privacy laws regarding transfer and sharing data, unchecked data sharing practices create more complicates privacy issues for the user. Large portion of user privacy issues can be addressed if only the inbuilt permissions architecture allows granting consent to the app, the downstream processers and third parties who are seeking personal data, separately. Such, uncontrolled transmission of data across third parties leads to accountability issues, as well as poses risks of unaccountable and subtle data breaches.

It is important for app developer to be transparent regarding their data handling and sharing practices as well as remain accountable for personal data in their or the third party’s control. Unless steps are taken in this regard, data harvesting and pervasive data transfers will only grow.

Conclusion

Mobile applications are designed to provide new age functionality, high user engagement and complex inter-dependability. While every data breach incident highlight privacy implication and generate user concern, it is often short lived and most of the privacy issues remain unaddressed in a long run. Countries where laws like GDPR exists are seeing app developer and owner companies falling in line and demonstrating their privacy compliance, but for other countries where no such law exist or enforcement is weak, app developers show concern for privacy only as per the market sentiment. For app developers and owners to truly ensure user privacy, they need to redesign and rethink privacy from the fundamental level. Transparency, Accountability Privacy by Design, and Default should not be just keywords, but rather they should be incorporated at every stage and their implementation and enforcement should flow from board room level.

[1] The General Data Protection Regulation (EU) 2016/679 Recital 5

[2] Data Privacy Will Be The Most Important Issue In The Next Decade; Mary Meehan – <https://www.forbes.com/sites/marymeehan/2019/11/26/data-privacy-will-be-the-most-important-issue-in-the-next-decade/> accessed 9 August 2021.

[3] Allied Analytics LLP (Allied Analytics LLP 2019) <https://www.researchandmarkets.com/reports/4989487/mobile-application-market-by-marketplace-app?utm_source=dynamic&utm_medium=BW&utm_code=jjfbkh&utm_campaign=1354777+-+Global+Mobile+Application+Market+Value+to+Reach+%24407.31+Billion+by+2026+with+a+CAGR+of+18.4%25&utm_exec=anwr281bwd> accessed 9 August 2021.

[4] Ibid

[5] Metadata is defined as “data about data”

[6] Yellowbrick, ‘Yellowbrick Survey: Pandemic-Era Consumers Love Apps but Have Security Concerns’ (Yellowbrick 2021) <https://www.yellowbrick.com/press-releases/yellowbrick-survey-pandemic-era-consumers-love-apps-but-have-security-concerns/> accessed 10 August 2021.

[7] Yan Shvartzshnaider, ‘Every Move You Make, I’Ll Be Watching You: Privacy Implications of The Apple U1 Chip and Ultra-Wideband’ (Freedom-to-tinker.com, 2021) <https://freedom-to-tinker.com/2019/12/21/every-move-you-make-ill-be-watching-you-privacy-implications-of-the-apple-u1-chip-and-ultra-wideband/> accessed 16 August 2021.

[8] Coined by Ann Cavoukian, Information and Privacy Commissioner of Canada 1990.

[9] Misha Ketchell, ‘The ‘Privacy By Design’ Approach For Mobile Apps: Why It’s Not Enough’ (The Conversation, 2021) <https://theconversation.com/the-privacy-by-design-approach-for-mobile-apps-why-its-not-enough-164090> accessed 12 August 2021.

[10] https://developer.apple.com/app-store/app-privacy-details/details/#:~:text=App%20privacy%20details%20on%20the,or%20used%20to%20track%20them

[11] Synopsys, ‘Peril In A Pandemic: The State Of Mobile Application Security’ (Synopsys 2021) <https://www.synopsys.com/software-integrity/resources/analyst-reports/mobile-application-security-covid.html> accessed 13 August 2021.

[12] ibid

[13] ARTICLE 29 DATA PROTECTION WORKING PARTY, ‘Opinion 02/2013 On Apps On Smart Devices’ (2013)

[14] UK Information Commissioner’s Office, ‘Guidance for app developers’ (2014)

[15] California Attorney General’s Office, ‘Privacy On The Go: Recommendations For The Mobile Ecosystem’ (2014).

[16] The General Data Protection Regulation (EU) 2016/679 Recital 32

[17] V. F. Taylor and I. Martinovic. 2017. To Update or Not to Update: Insights From a Two-Year Study of Android App Evolution. In ACM Asia Conference on Computer and Communications Security (ASIACCS’17). https://doi.org/10

[18] Nikola Kožuljević, ‘The Best Way to Get User Consent for Mobile Apps In 2019 – Smartlook Blog’ (Smartlook Blog, 2019)

[19] United States of America, Federal Trade Commission, ‘PRIVACY ONLINE: A REPORT TO CONGRESS’ (Federal Trade Commission 1998).

[20] The Effect of Fair Information Practices and Data Collection Methods on Privacy-Related Behaviors: A Study of Mobile Apps, <https://www.researchgate.net/publication/339316397_The_Effect_of_Fair_Information_Practices_and_Data_Collection_Methods_on_Privacy-Related_Behaviors_A_Study_of_Mobile_Apps>

[21] The General Data Protection Regulation (EU) 2016/679 Chapter 3, (Article 12-23)

[22] The General Data Protection Regulation (EU) 2016/679 Recital 59

[23] Rob Thubron, ‘New Study Claims Data Harvesting Among Android Apps Is “Out Of Control”‘ (TechSpot, 2021) <https://www.techspot.com/news/77077-new-study-claims-data-harvesting-among-android-apps.html> accessed 16 August 2021.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.