Mobile Apps and the State of Privacy

Mobile apps can pose significant privacy risks for those not made aware of how their personal and private data is used.

Mobile applications or mobile apps or just plain apps are software programs designed and developed to run on a mobile device. Mobile apps can be downloaded and accessed directly by users using their smartphone; tablet; mobile phone; PDA; etc., and they can be downloaded by one or more of the following ways:
  • Via the mobile operating system owner’s online app store or the internet (e.g. the Apple Store);
  • Preloaded by your internet provider.
Some apps are “free” – meaning they are not purchased with real money by the user but funded by advertisers (whose ads dominate and sometimes interfere with the use of the app), while other apps must be purchased with real money by the user According to Ericsson, as of March 2018 there were 7.9 billion mobile device subscriptions worldwide. There were 98 million new subscriptions during the first quarter of 2018. Mobile application subscriptions associated with smartphones now account for 68% of all mobile phone subscriptions. That number exceeds the population in many countries. It is estimated that by 2020 almost 75% of the global population will be connected by mobile. Much of this growth will come from Asia, and in particular China, which will account for almost half of app users in 2020 (source: – Mobility Report, June 2018). This rise in mobile use, and the ever-increasing departure by marketers from traditional marketing to selling brands and products through mobile applications, has led to developments in technology that will continue to transform how the world communicates. So, if you use a smartphone or other mobile device to access the nternet, chances are you have downloaded, or your mobile device came with pre-loaded, mobile apps that you are accessing and using for many of your online activities instead of just an internet browser. There are hundreds of thousands of apps available. They are easy to download and extremely convenient. These mobile apps allow users to:
  • Access and read the news/books
  • Play games
  • Stream music
  • Take photos
  • Watch videos
  • Monitor their heart rate
  • Work out with a fitness regime
  • Get directions and maps
  • Find a nearby restaurant
  • Get the weather report
  • Pay for purchases on the spot
  • And a whole bunch more
Awesome, yes. But... Along with the exciting capabilities mobile apps offer, it is prudent to keep in mind that with the expanding functionality that mobile apps provide when integrated into mobile devices, the online worldwide privacy risks and the concern of how to protect the user’s (your) privacy increases. Why? Because mobile apps can collect all sorts of data and transmit it to:
  • The app developer;
  • The app store;
  • The internet provider;
  • The platform owner of the mobile device operating system; and
  • Third-party advertisers or an ad network
Some apps access only the data they need to function; others access data that’s not related to the purpose of the app. The bottom line is: This data being collected from you, including your personal and private information, may then be shared or sold by these entities in their sole discretion to other companies or entities around the world and oftentimes without the user’s (your) permission or knowledge. A case in point: In FTC (Federal Trade Commission) vs. Frostwire LLC), the FTC sued the developer of a peer-to-peer file sharing mobile app. The complaint alleged that the app’s default settings were configured so that, immediately on a user’s installing and setting up the app on a mobile device, it would publicly share files stored on that device. According to the FTC complaint, the default settings were likely to cause users to unwittingly disclose personal files stored on their mobile devices. Among other things, the settlement:
  • Bars the company from using default settings that share users’ files.
  • Requires the app to provide clear and prominent disclosures about file sharing and how to disable it.
The question then inevitably becomes: How private and secure is your private and personal information when accessing and using a mobile application that is now integrated within your mobile device(s)? This article is intended to explore and answer this question from the perspective of the risks to your (the user’s) private and personal information in the access and use of mobile apps, as well as recommendations on how to manage these risks. Onward! See also: Do Health Apps Threaten Privacy?   Using Mobile Apps When you directly download and install an app, or your internet service provider pre-downloads and installs an app or applications you decide to activate on your mobile device, you are instantly allowing that app or applications to access data stored on your smartphone or other mobile device. The app’s access to your data could be limited, or it could be an app capable of accessing large amounts of information, including:
  • Your personal and private information
  • Information on and of your friends and associates
  • Family photos and videos
  • Your phone and email contacts
  • Call logs
  • Internet data
  • Calendar data
  • Health data
  • Data about the device’s location
  • The device’s unique IDs
  • Information about how you use the app itself
  • Your web browsing history, etc. that is stored on your mobile device
So before you download an app or use a pre-loaded app it may be wise to understand at a minimum:
  • What of your data the app is going to collect
  • How it stores your data
  • Where and what other devices or entities is your data going to be shared with
To get the answers is easy, right? You just go to the app’s privacy policy. Yet, the reality is that it is foolish to assume that any data is private in the mobile app world, or that the mobile app world has taken the responsibility to protect a user’s right of privacy seriously, because almost all mobile apps do not have privacy policies. Are you shocked to learn such a fact? I certainly was! So why don’t the majority of apps have privacy policies? Because:
  • Most developers think it is technically too complicated and time-consuming as they rush to develop apps; or
  • Some developers are focused on getting new products to market to meet a deadline at the behest of an organization, and adequate consideration of privacy and security is not a priority, if at all; and
  • There is a belief among some developers and organizations that no one, (e.g. the user or the FTC or the courts), is really enforcing the laws governing privacy in the mobile world.
At this point, I believe it is worth noting again: These apps collect and store a tremendous amount of information. Even apps that appear to ask for permissions during installation can become a back door to your mobile devices and your private and personal information, along with that of your friends and family. So, what does this mean for organizations (as well as the developers) of the apps they offer? Well, first and foremost, for organizations (and developers) to dismiss the safeguarding of a user’s privacy whether technically, legally or morally in the interest of following the money, suggests a failure of transparency to the user in how those organizations collect, use and share personal and private information. So what can be done to address this concern? As a start, certain attorneys general and legislators in certain states in the U.S. have started to advocate and support new laws as well as to enforce current laws governing privacy in the mobile world. So let’s take a moment to discuss some states' actions: California has long been a leader in privacy legislation to ensure that cutting-edge innovations, inclusive of mobile apps, are developed responsibly to protect users’ private and personal information. To that end, In 2004, California enacted the California Online Privacy Protection Act (CalOPPA) requiring commercial operators of websites and online services, inside and outside of California, to conspicuously post clear, detailed privacy policies to promote transparency, be reasonably accessible to consumers of the online service and enable consumers to understand how companies collect, use and share personal information and those third parties with which they share that information. One of the principles agreed on is to make mobile apps’ privacy policies available to users on the app platform before they download the app. This will give them the opportunity to either opt-in or opt-out before they download or activate the app, as opposed to having no real choice after the fact. If developers and companies do not comply within 30 days after being notified of noncompliance, they can be prosecuted under California’s Unfair Competition Law or False Advertising Law. For example: The attorney general considered any service available over the internet or that connects to the internet, including mobile apps, to be an “online service.” Based on this interpretation, letters were sent to up to 100 non-compliant apps at the time, starting with those available for mobile users that were the most popular. The companies were given 30 days to conspicuously post a privacy policy within their app that informed users of what personally identifiable information about them was being collected and what would be done with that private information. Delta Airlines was among the recipients of this letter. In December 2012, the attorney general of California, Kamala D. Harris, announced the first legal action under California’s online privacy law against Delta Airlines, for failing to comply with the 30-day notice letter to conspicuously post a privacy policy within the mobile app “Fly Delta.” The suit sought to enjoin Delta from distributing its app without a privacy policy and penalties of up to $2,500 for each violation. The suit was filed in the San Francisco Superior Court. It is no secret that California is currently unique in applying its privacy law to mobile apps, and many states look to California as a leader in this area. It is anticipated that more dedicated state laws will be forthcoming based on these actions. But it is not just states in the U.S. that are concerned about mobile app privacy. This concern reaches across the pond. It is, therefore, important to note the actions of other countries, as well. See also: Blockchain, Privacy and Regulation   The European Union The ePrivacy directive (2002/58/EC, as revised by 2009/136/EC) sets specific standards for all parties worldwide that wish to access and store information already stored in the mobile devices of users located in the European Economic Area. The most important of the standards in regard to developing for mobile platforms is article 5(3) stating that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent. This consent needs to be based on the user, having been provided with clear and comprehensive information by the mobile platform, in accordance with Directive 95/46/EC. For example: a clear explanation of the purposes for which the mobile platform is processing and storing the user’s information. So the bottom line is this: It is important for organizations and app developers to know that these directives are imperative laws in that the individual’s rights are non-transferable and not subject to contractual waiver. This means that the applicability of European privacy law cannot be excluded by a unilateral declaration or contractual agreement. As a result, the mobile app developer or organization must: Provide a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:
  • Who they are (identity and contact details)
  • What precise categories of personal data the app wants to collect and process
  • Why the data processing is necessary (for what precise purposes)
  • Whether data will be disclosed to third parties (not just a generic but a specific description to whom the data will be disclosed)
  • What rights users have, in terms of withdrawal of consent and deletion of data
Note: Similar laws exist in other countries as well with slight modifications. It may be of interest to you to read in their entirety such similar laws, particularly your own country’s law. Multiplying the Risks The online worldwide privacy risks associated with the use of mobile devices increases with the use of mobile applications, not only because of the lack of privacy policies and transparency associated with the applications, but because mobile apps have their own unique set of challenges for the user who cares about mobile privacy, such as:
  • Mobile devices hold personal information for a long time by design. In other words, nothing is ever erased. This information is provided and accessed by the developer as he/she designs the mobile app and then disseminates it to the world. For example: If an organization requests or pays for a developer to develop an app, the organization provides the developer access to the user information stored on the mobile device or devices to which the app will be downloaded. That information is then stored in the new app for dissemination to the world.
  • Encrypting information is not foolproof to protect privacy, as encryption on both the Android and iPhone can be broken with minimal effort. In addition, it is not that difficult to extract data from a passcode-protected device. In other words: Never underestimate a hacker.
  • Mobile app developers rely on and use hardware device identifiers (hardware IDs) to track users and to enable:
    • Their apps’ functionality
    • Content
    • Advertising providers to track users across many mobile apps
It’s important to understand the key difference between hardware IDs and identifiers associated with social media platforms’ browser cookies. The key difference between hardware IDs and identifiers associated with website browser cookies is that hardware IDs are permanently associated with the device. By deleting cookies and local shared objects, an end user can typically prevent a certain amount of tracking and retain some degree of anonymity from third parties. Each time the third party's servers connect with the end user, the third party must set new, different, unique identifiers. However, in the mobile app context, even if a user deletes the app, clears all web content, wipes all storage and restores factory defaults, the hardware ID remains unchanged. Third parties that have tracked the end user's network traffic and stored that information can still associate it with the end user's device. In other words, hardware IDs are unique and permanent identification numbers, or character strings, associated with a device, and they can practically not be deleted or reset by a user. As a result, even if a user deletes the app, clears all web content, wipes all storage and restores factory defaults on their browser, the hardware ID remains intact. Third parties that have tracked the user’s network traffic and stored that information can still associate it with the user’s device and identify that mobile device for the life of the device. This has prompted objections from privacy advocates regarding the use of hardware IDs for tracking purposes. Types of hardware IDs include:
  • Cell phone radio (mobile equipment identifier (MEID))
  • International mobile station equipment identity (IMEI)
  • Wi-Fi radio (media access control (MAC)) address
  • Bluetooth radio identifier
  • Platform-specific identifiers (e.g. Apple’s unique device Identifier (UDID). Note: although Apple prohibits its developers from accessing UDID, in an analysis conducted by Appthority in 2013, 5.5% of the tested iOS apps were accessing it anyway.
  • Integration of apps with social media platforms, giving them even more of a user’s private and personal information. For example: Facebook, in response to the pressure from its stakeholders to make more revenue via mobile advertising, is streaming advertisers’ ads via mobile applications that also allow them to leverage the Facebook Connect feature, which invites users to sign into numerous apps and websites using their Facebook identity. This provides Facebook and its advertisers with the ability to monitor the actions that users take in all such apps, which in turn has potentially many monetarily satisfying commercial opportunities for Facebook, its partners and advertisers. These mobile ads are getting more and more aggressive, such as accessing and transmitting personal information and changing phone settings without user consent (reference: Lookout-a mobile security firm). Even if a developer is cognizant of the importance in providing users with a privacy policy that actually protects their private and personal information and does so, such a policy is often long and difficult to read on devices with smaller screens. (Try reading the Apple Store privacy policy on your mobile device).
Other Risks Wow! After that litany of unique risks, it may seem difficult for some of our readers to believe there are other risks a user needs to be aware of – but there are. For instance: children and mobile applications.
  • The apps collect personal information
  • The apps let children spend real money even if the app was free.  For example: The game Robolox is free. It also allows the user to enhance one’s character in the game by “purchasing” various add-ons by using points earned during the game (i.e.: swords, helmets, the Phoenix, etc.). However, if you do not have enough points, you can use real money (usually from mom or dad’s credit card) to buy the points you are lacking to purchase the coveted add-ons.
  • Apps include ads (which is extremely annoying to most children – and – raises the question: Is there any violation of the Children’s Online Privacy Protection Act (COPPA) as amended effective July 2013 to include the mobile app space).
  • Apps link children to social media web services without the parental notice and consent COPPA requires. (reference: see Children’s Online Privacy and Apps section of COPPA 16 C.F.R Part 312), and
  • Surprise of surprises, the apps most likely will not tell you they are transferring data (how can they when most of them choose not to be transparent with the user?)
The point is: Mobile applications can pose significant privacy risks for organizations, their customers/clients and individuals worldwide if they are not made aware of how their personal and private data is used. So how can you, as the user of these apps that organizations provide you to download or you buy directly from developers (such as Rovio, which is the developer of Angry Birds) manage the risks threatening your mobile app privacy? Well, the truth of the matter is: There is no easy way to know what data a specific app will access or how it will be used. However, if possible: Before you download or access and activate a pre-loaded app, find out who created the app and for what purpose; look at screen shots; read the description, content rating and any users’ reviews. . In other words: Do your due diligence, and only access and use apps from trusted sources. Managing the risks of how an app stores your data (as an individual or an organization) For mobile apps, as well as social media platforms, user data can be stored remotely on servers on the web. However: In the social media platform or website context, most user data stored locally is stored centrally in browser files, while in the mobile app environment it is stored locally by each app. Therefore, your information stored in a mobile app is not centrally located but is splintered and app-specific, making it more difficult if not impossible for users to know how much of their data is stored in each app and disseminated externally to third parties. Additionally, mobile apps generally do not provide tools to the user to:
  • Access local storage to review what the app has stored of the user’s information; or
  • Manage the content of the information stored
The foregoing is another way of reinforcing that, as a rule, realistically and practically users do not have any control or access to their data that is stored on a mobile app, This lack of control includes access to manage the use of their personal and private data or any other part of their data for that matter. Don't provide your credit/ATM card information Some mobile payment acceptance applications that are marketed and sold to retailers, airports, etc. for processing of credit/debit card information will store such information on the user’s mobile device if there is no internet connection available at the time and then send it when a network connection can be made. The point? Any time data lingers on a device, even if encrypted, there is a higher risk of that data being compromised (need we say “Target”?). Currently, a user has no means to manage this risk except to not provide this information. See also: Wearable Tech Raises Privacy Concerns   On the other hand: To manage your risk for those mobile payment acceptance applications you have on your own mobile device, check to see if your payment acceptance application has a "store and forward" feature, and, if it does, turn it off.
  • Location information. Many apps track your location There are location-based mobile application services like Yelp and Foursquare that need your location to function properly. However, there are also apps (such as a simple flashlight) that do not need your location to function and yet still track it.
  • Some apps provide location data to ad networks, which may combine it with other information in their database to target ads based on your interest and your location
  • Once an app has your permission to access your location data, it can do so until you change the settings on your phone
  • However, if you don’t want to share your location, you can turn off location services in your phone’s setting. The downside is even if you turn off location services it may not be possible to completely stop the app from broadcasting your location data.
Bottom line: Now that you have the information, use it wisely in making your decision to download or activate a pre-loaded app that will provide specific location data Managing where and what other devices or entities your data is going to be shared with Users should not assume any of their data is private in the mobile app world or that the mobile app world has taken the responsibility to protect your right of privacy seriously. For instance: Many apps send users data via unencrypted connections that potentially expose users’ personal and private data to everyone on a worldwide network without the user’s knowledge or permission. The lesson, therefore, in how to manage the risk of a mobile application violating the privacy rights of an organization as well as its customers/clients and the individual user is to understand that currently there is little or no privacy protection for users of mobile applications, and based on that understanding, as well as doing your due diligence, make your decision as to whether to access and use an app accordingly. Follow (or I will be writing about them, as well) the developments of:
  • The Federal Trade Commission’s increasing focus on the subject of mobile app privacy or lack of same to determine FTC’s regulation and enforcement.
  • The multi-stakeholder process facilitated by the National Telecommunications and Information Administration to develop an enforceable code of conduct on mobile app transparency.
  • The implementation of the recommendations of Kamala Harris in her white paper “Privacy on the Go,” describing an approach for developers and other players (like the mainstream social media platforms, which provide the user information to the developers) in the mobile app world to consider when designing the app.
  • State/country legislative and enforcement actions to achieve privacy controls that allow users to make, review and change their privacy choices based on widely accepted fair information practice principles (FIPPs) that form the basis for many privacy codes and laws in different parts of the world.
Takeaway Users care about mobile privacy, and, yes, they do find value in mobile apps. They are also eager to try them as they are released (as opposed to waiting for several versions to have been tested first). However, as Harris said: “Losing your personal privacy should not be the cost of using mobile apps, but all too often it is. Users of those apps deserve to know [and have the ability to control] what is being done with their personal information.” I would submit to you that It should now be clear that the risks to one’s personal information is substantial when using mobile apps and that these risks are good enough reasons as to why a developer or the organization that engages the developer as well as other stakeholders in the world of mobile apps should first and foremost begin with the mindset of worldwide privacy and security of a users’ personal data in the initial design of any mobile app.

Judith Delaney

Profile picture for user JudithDelaney

Judith Delaney

Judith is the founder and chief new media compliance strategist for CMMR Group-TurnsonPoint, a new media compliance solutions firm located in Petaluma, Calif. CMMR Group-TurnsonPoint specializes in the integration of new media strategies with business strategies to effectively manage risk associated with online compliance (such as the HIPPA Omnibus Rule), global social media private and data protections and contract risk management.


Read More