After doing a mobile apps “sweep,” the office of the Privacy Commissioner of Canada has found a lot of consumer apps are asking for unnecessary permissions without explaining why – and that’s a problem for user privacy.
On Thursday, the Privacy Commissioner’s office released the results of a global sweep of 1,211 apps built for smartphones and tablets. This is the second year in a row these groups have done these sweeps. Last year, they focused more on the language in user privacy agreements, but this year, the focus was on mobile apps and the permissions they demand, before users download them – for example, access to contact lists, the smartphone’s camera, and so on.
By teaming up with 25 other privacy enforcement groups from 18 other countries, participants looked at the apps from May 12 to 18. Out of its sample of apps, about 75 per cent of the ones examined asked for at least one or more permissions.
Thirty-two per cent of them requested a user’s location, while 16 per cent wanted access to the device ID . Fifteen per cent wanted access to other accounts, 10 per cent wanted to access the camera, and another nine per cent wanted to access the user’s contacts.
Here in Canada, the Privacy Commissioner’s office looked at 151 apps that were either developed in Canada, or that are popular among Canadian mobile users. The apps were for Android and iOS.
One of the worst offenders was Pixel Gun 3D, which was the 18th most downloaded game in Canada in the Apple Store a month before the sweep, according to Distimo, an app analytics service.
In its permissions, that game gave its developers the right to access a device’s ID, its call log, its app history, photos, media, and other files. There was also no privacy policy listed.
Then there was the Super-Bright LED Flashlight app, a free app that hit the number 17 spot in Canada for most downloaded app the week of the sweep. Like its name implies, the app allowed users to make their phones into flashlights – but it also asked for permission to access the microphone, device information, call information, photos, media and files.
Even worse, there was no privacy policy, and the developer website listed took users to links, one which offered users the chance to buy the domain name. And when ITBusiness.ca tried to email the developers of that website, the email bounced back.
However, there were some bright spots within the sweep. Shazam, a popular app for users looking to identify unknown songs playing in places like stores or bars, has a strong, clearly-worded explanation as to why it asks for certain permissions.
“Our sweepers were singing the praises of this app because its privacy communications provided clear explanations of individual permissions that left them with a generally positive feeling about how their personal information would be used,” read a blog post on the Privacy Commissioner’s site. It added the iOS app sends notifications before accessing smartphone features like the microphone, and the Android version provides a link explaining why the app needs certain information.
Ultimately, while developers do need to ask certain permissions to make their apps effective, it’s important to be clear about why they’re asking for them – and part of that includes making the language clear, so users know what they’re getting into.