This story is over 5 years old.

Most Apps Fail at Telling Users What Data They Collect, Survey Finds

Apps by and large still have major issues with disclosing their use of user data. In a recent survey, some 85 percent of apps "failed to clearly explain how they were collecting, using and disclosing personal information."

The United Kingdom's Information Commissioner's Office (ICO) and the Global Privacy Enforcement Network (GPEN) yesterday published the results of a survey into the privacy communications of mobile apps. The report is an effort to help instruct UK app developers on best practices for handling sensitive user data, and to meet standards under the UK Data Protection Act.

The results of the survey, which looked at over 1,200 mobile apps assessed by 26 privacy enforcement regulators from across the world from May 12 to 18, were troubling, but there were a few bright spots.

As part of the survey, the ICO also examined 50 of the top apps released by UK developers. They found that more than half (59 percent) of all apps surveyed made it difficult to find even the most basic privacy information.

"Our office focused largely on apps that were downloaded often by Canadians, according to the popular top app chart Distimo," the ICO's Simon Rice told me over email. "We also focused on popular apps developed by Canadian companies."

Also notable is that one in three apps "appeared to request an excessive number of permissions to access additional personal information," while 43 percent of apps failed to tailor privacy communications to small mobile screens, buried them in small print, or hid important information in lengthy privacy policies spread over long scrolling pages or multiple pages.

Rice emphasized that it was up to each participating privacy enforcement authority to determine which apps were to be assessed. Some participants focused on apps in specific sectors or with particular themes, or apps developed by public sector organizations.

"About three-quarters of the apps we looked at were free," Rice explained, "while the remaining ones were paid apps. Our assessment included a significant number of games, as well as health and fitness apps, news and magazine apps, and social networking apps."

Among the worst, according to the Office of the Privacy Commissioner of Canada blog, was Super-Bright LED Flashlight, which requests access to the camera, microphone, device ID, and call information, as well as to photos, media, and files. It's unclear why the app would require all of that user data just to operate a flashlight.

Pixel Gun 3D seeks permission to access device ID and call information, as well as device and app history, photos, media, and files, among other information, all while failing to post its privacy policy on the app, its website, or on its marketplace listing.

Despite these and other glaring failures, ICO did find examples of good privacy practice. As noted on the blog, apps like Shazam, Fertility Friend (an ovulation calendar), and Trip Advisor ranked well. All clearly communicated their privacy policy for collecting data such as identity and location, amongst others, and explained how that data is used.

"The regulators were also impressed by the use of just-in-time notifications on certain apps that informed users of the potential collection, or use, of personal data as it was about to happen," ICO wrote. "These approaches make it easier for people to understand how their information is being used and when."

Given that it's been over a year since Edward Snowden's NSA revelations, which helped kickstart debate on mobile app privacy, one would think app developers would already be updating their privacy communications. If ICO's report doesn't apply the necessary pressure, then perhaps it's time for various pieces of robust legislation to force app developers to act responsibly.