Future Tense

How to Understand What Info Mobile Apps Are Collecting About You

It takes a little work, but it’s worth it.

Photo illustration by Slate. Photo by Diego Cervo/Thinkstock.

There’s an old truism that’s popular among privacy advocates: “If you’re not paying, you’re the product.” Your age, interests, purchasing habits, frequented locations, health, and social map are all valuable pieces of information that comprise a digital shadow, which can be packaged, bundled, and sold to the highest bidder.

It’s tempting to download the coffee shop app so you can have the convenience of ordering ahead. Figuring out what data that app is collecting, on the other hand, can be awfully inconvenient. But many apps engage in irresponsible practices that are worth understanding. Once you know how to spot them, you can decide which apps are worth the potential invasion of privacy, and which should be banished from your devices forever.

Apps that collect way more information than is necessary—and sometimes share and sell it

Take flashlight apps. They’re meant to do one simple thing: turn on the LED flash of mobile phones. But many ended up having access to a lot of unnecessary data and phone functions, including users’ calendars, location, and camera. The infamous “The Brightest Flashlight” app shared users’ precise location and unique device identifier with third parties without disclosing that it did so—not exactly critical to a functioning flashlight. The Federal Trade Commission addressed this case in 2013, but there are plenty of other examples that have not been addressed. Be wary of the cartoon game that wants to access your personal photos, or the weather app that requires access to your microphone. Uber, for instance, requires access to your location data even when you are not using the app, unless you turn off location data entirely on your phone.

That’s because information collected by apps is frequently shared with and sold to third parties. This is usually disclosed in the privacy policy, if the app actually has one. According to a 2016 Future of Privacy Forum study, at least 24 percent of top apps still do not have a privacy policy. While there is a wealth of literature about how terms of service agreements and privacy policies are not often read, they are still critical features as they spell out company commitments and are legally enforceable. One bit of good news: Google plans to remove apps that handle personal or sensitive data from the Google Play Store if they don’t have privacy policies. (You can get more information about companies’ disclosures and commitments regarding privacy from Ranking Digital Rights, a New America project I work for.)

Apps that pull you into their greater ecosystem

First, ask yourself what the added value of having an app is: Plenty of people use Facebook and other services on their mobile devices, for example, without having an app. Downloading an app provides companies with more direct access to your information than a visit to their website will. Prime examples of this are the Facebook and Messenger apps. You can access Facebook from your mobile browser, but once you try to use the messaging feature there, you’ll be out of luck—you’re forced to download Messenger. As the Guardian put it: “The real reason that Facebook is pushing chat into its Messenger is to create another platform or silo from which Facebook can access you as a user.”

Apps that don’t protect your data

In 2014, the Starbucks app was found to be storing passwords, email addresses, and previous GPS information unencrypted, leaving it open to onlookers to exploit. Starbucks addressed this vulnerability shortly after it was discovered, but it is certainly not the only app to have had this issue. More recently, Wired conducted an investigation into the top 10 dating apps in the United Kingdom and found that most had some insecurity that leaked users’ personal information. This is also something that you can look out for in privacy disclosures (when they exist), which should spell out a company’s commitment to using strong encryption in both storage and transmission of personal data. If you can’t find any language to that effect, don’t use the app.

* * *

You may be tempted to just give up and let all your data hang out. But you can take control of your information. Here are four steps you can take right now to improve your digital autonomy through your mobile device, inspired by the MyShadow project—which has worked for years to promote awareness around digital shadows and what users can do about them.

1. Take control and change your settings.

Apple iOS gives you a clear, useful overview of which apps have access to different types of data; you can find it by going to Settings > Privacy.

Android version 6.0 (Marshmallow) and up also enables users to manage app permissions by going to Settings > App > Permissions. Turn off data-tracking permissions for apps when they are not in use. For example, ride and map apps don’t need to have access to your location data when you’re not actively using them. (Bonus: Turning these permissions off will also save on battery power.)

2. Check disclosures.

If you’re not going to read the privacy policy, at least make sure the app has one. And if you’re concerned about your financial, fitness, health, or other sensitive information being secure, then check to see how seriously the app maker takes encrypting user data by looking at their disclosures in the privacy policy, which should be located at the bottom of the page in the app store before you download.

3. Use apps that maximize your privacy.

Signal is a secure messaging app that uses end-to-end encryption to protect your texts and voice calls. DuckDuckGo is a search engine that explicitly does not collect, store, or share any information about you. Disconnect is also an app that seeks to protect users from tracking and improve device performance. These apps clearly state in their privacy policies what information (if any) they must collect in order for the app to function and that they do not share this information with any third parties unless legally bound to do so. Signal may not have stickers for your photos, but it’s a lot more secure.

4. Perform regular app maintenance.

This means regularly updating your apps, checking permissions, and deleting unused apps. Updates are usually good things, because they come with new security features and improvements. However, when apps are updated, they can often access different data and in different ways. What’s more, many apps, through a security bug or by design, collect data even when the app is dormant. The Norwegian Consumer Council recently performed an app audit that highlighted how often this happens. If you haven’t used an app in over a month and can easily download it again should you need it in the future, bin it.

This article is part of the cybersecurity self-defense installment of Futurography, a series in which Future Tense introduces readers to the technologies that will define tomorrow. Each month, we’ll choose a new technology and break it down. Future Tense is a collaboration among Arizona State University, New America, and Slate.