It’s Time to Revisit App Permissions
Data is the new oil. If you’re not paying for it, you’re the product. These are some of the oft-repeated lines in today’s digital economy.
Although they are generalisations, at times even lazy and inaccurate, the proliferation of apps coupled with the exponential increase in mobile traffic has resulted in user data being accumulated by companies at a scale that was previously unimaginable.
Trapyz, a Bengaluru-based startup that specialises in machine learning driven consumer insights for brands and advertisers, in fact, goes by a very catchy tagline: “If data is the new oil, then location intelligence is rocket fuel.”
Already most of what we do, both online and offline, is increasingly being used as fodder for targeted advertising by various companies that offer their service for “free” in exchange for our attention and us voluntarily sharing our day-to-day minutiae.
Whether we’re listening to music, reading a book, watching a TV show, going to the doctor, taking the subway to work, talking to our friends, checking the news, applying for a loan, or spending the weekend shopping, the end game is this: We live in a world of infinite, untapped data. Even more specifically, every one of us is a bottomless data mine, the oil waiting to be extracted, the rocket fuel to drive companies’ profits at our expense.
Yet it is a deal we have made with the devil. A trade-off tacitly agreed upon when we click the “I agree” button without even batting an eye, when we hand our data in return for the shiny promise of “free” services, when we end up living in a new digital reality dictated by the very technology we created in the first place.
But indications have emerged that this barter could be much worse than what we bargained for. A new investigation undertaken by The New York Times has found that “at least 75 companies receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information.”
This ideally should come as no surprise, given how many apps directly prompt us to share this information (see image below) as part of what I call “the exchange,” but even then it’s startling to note the sheer volume of the data collected, with some apps extensively tracking users’ location down to the exact latitude and longitude, and updating their whereabouts more than 14,000 times a day in some cases.
To evaluate location-sharing practices, The Times tested 20 apps, most of which had been flagged by researchers and industry insiders as potentially sharing the data. Together, 17 of the apps sent exact latitude and longitude to about 70 businesses. Precise location data from one app, WeatherBug on iOS, was received by 40 companies. When contacted by The Times, some of the companies that received that data described it as “unsolicited” or “inappropriate.”
Even more troublingly,
These companies sell, use or analyze the data to cater to advertisers, retail outlets and even hedge funds seeking insights into consumer behavior. It’s a hot market, with sales of location-targeted advertising reaching an estimated $21 billion this year. IBM has gotten into the industry, with its purchase of the Weather Channel’s apps. The social network Foursquare remade itself as a location marketing company. Prominent investors in location start-ups include Goldman Sachs and Peter Thiel, the PayPal co-founder.
Sure, companies like Trapyz are interested in unearthing location patterns (“Map user journeys based on point of interest visited, category, sub-category, visit frequency, dwell time, repeat visit and time of day,” goes slide #6 of the presentation) rather than the real identities of users, so as to zero in on target audiences and personalise ad campaigns. But in the wrong hands, the dataset, however anonymised with a unique ID (which is also why you should periodically reset your advertising identifier on Android, iOS and macOS), risks becoming susceptible to re-identification attacks, all without the user’s consent.
Just last week, Facebook suffered yet another privacy blow when a treasure trove of emails released by the U.K. Parliament revealed the company’s growth-at-all-costs mindset with a blatant, intentional disregard for user privacy, going to the extent of collecting Android smartphone users’ call and SMS history despite knowing it was sensitive, with the sole purpose of improving its People You May Know feature. (Not only wasn’t this setting made opt-in, there was no way to opt out either.)
Google, likewise, landed in a similar situation earlier this August when Associated Press found that the company can track its users even when the “Location History” setting has been turned off. The search giant, for its part, responded by stating that “There are a number of different ways that Google may use location to improve people’s experience, including: Location History, Web and App Activity, and through device-level Location Services,” adding, “We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time.”
Like it or not, being part of “the exchange” can seem to make this practice of indiscriminate location (or data in general) gathering “fair game,” but it is also the company’s (or the app developer’s) responsibility to seek users’ explicit consent (as is the case with the E.U.’s GDPR), not only for gaining location access in order to show weather alerts, but also for allowing their information to be used for purposes other than what it is meant for (in this case, advertising), instead of burying these uses in dense legalese.
What’s therefore required is a major revamp of digital privacy laws and how app permissions work. Granular permissions (currently available both on Android and iOS) are mostly fine, except when they are not, which is why it’s time to introduce temporary app permissions. This way users can accomplish what they set out to do (e.g. check out a place on Google Maps, or geotag a photo) without having to bother about these apps encroaching on their privacy. (Note: Android already has an app called Bouncer which does exactly this.)
Furthermore, it goes without saying that the time-honoured practice of online service providers forcing users to accept incomprehensible terms and conditions (which we do without reading them anyway) needs an urgent overhaul. Not only does this “legal” loophole allow companies to collect and process personal data, using it as they see fit, but they are also able to find all sorts of ways to monetise the information, right from using it to target ads to selling it to third parties based on some hidden clause we’ve accepted blindly, resulting in a trade market where any data collected by an app or a service becomes a mere commodity with a price tag attached to it.
So what’s the alternative? A GDPR-like privacy regulation? It’s hard to say. A working paper published last month by Jian Jia and Liad Wagman of the Illinois Institute of Technology and Ginger Zhe Jin of the University of Maryland analysed its “short-run impact on investment in new and emerging technology firms” and found that it ends up hurting smaller firms more than large internet companies, with average investment per deal in E.U. startups dropping 39.6 percent. The end result is no different: monopolies whose mission is to exploit user data continue to thrive despite paying fines (if found to be in violation) that have no impact on their outsized profit margins.
It’s a fact that data has become the front and centre of most businesses. No longer can we expect to get something truly for free, because we pay for these so-called “free” services with our valuable data, and therefore it’s important that we establish clear rules with regard to data ownership and how personal information is collected, processed, stored and shared, while giving users complete control over their data at every stage.