Sneaky phone apps just about obey the law, still have no trouble guzzling your data, says Which?
Probe shines light on epic Ts&Cs and clever tactics to make users cough up
Apps use sneaky tactics to get UK users to hand over more info than they need to – and privacy policies remain long and confusing.
These claims were emitted this week by Brit consumer rights body Which? in a report into the data privacy of 29 commonly used Android and iPhone apps.
The investigation found that – despite proclamations that accompanied May's enforcement of the General Data Protection Regulation – firms are still devising ways to slurp ever more data.
"In some cases we feared that apps were in breach of GDPR," Which? said. "In others, their practices were probably lawful, but had disturbing implications for the future of privacy."
It found that all the apps used encryption to some degree, but the downside of this is that "it's harder to know exactly what they're doing with your data".
Some, however, lacked security for the owner: the investigation found that the Flo Period and Ovulation Tracker app, which contains sensitive info on women's periods or sexual activity, was not password-protected by default. The firm said it is planning to add a password-setting feature at the registration screen in future versions.
The primary issue, though, was the way apps undermine user privacy with sneaky tricks like bundling requests together, hiding the most privacy-friendly settings or using questionable advertising permissions.
Take the pop-up on the AccuWeather app – which said it shared data with 199 partners – that appeared when the testers were trying to read the list of third-party advertisers (there are 18 unaffiliated providers of advertising it shared the data with). The app then suggested the user paid a charge to avoid targeted advertising.
Another bugbear was location tracking – as well as noting Google's already well-documented and much-criticised not-really-off tracking activities, Which? also raised questions about Amazon's shopping app.
According to Which?, Amazon's app opened with the postcode of the location of the phone displayed in the search bar – which was different to that of the address attached to the account.
It is likely Amazon was taking the location from the phone's IP address, Which? said – noting that the app hadn't explicitly asked to know the general location.
Another area in which app makers are yet to make positive changes – in spite of pressure from activists, regulators and the public – is in the wording of their terms and conditions and privacy policies.
In total, the Ts&Cs and privacy policies for all 29 apps came to a whopping 333,336 words.
"That's longer than Crime and Punishment by Fyodor Dostoyevsky, nearly twice the length of Catch 22 by Joseph Heller, and almost four times as long as Nineteen Eighty-Four by George Orwell," Which? said. "Based on average reading it would take 22 hours, 21 minutes to read all the policies in one go." Not to mention being mind-numbingly dull.
The organisation used the report to once again call for an investigation into the digital ads market, which is powered by the huge proliferation of smartphones and is worth more than £10bn in the UK alone.
Although apps have to ask for permission to access various phone functions or data to provide services, Which? noted some also use these permissions to power their advertising.
The body is calling on the Competition and Markets Authority to conduct a study into how the digital advertising market operates. ®