WSJ's concerns over app data-sharing may be overblown
Privacy breaches? There’s an app for that. Actually, according to a report by The Wall Street Journal, many popular smartphone apps for iOS and Android devices share at least some of your personal data without your permission.
Just how serious these privacy breaches are would seem to be in the eye of the breached beholder. When the Journal tested 101 popular apps, it found that more than half of them transmitted the phone’s unique device identifier to other companies. While it’s true, as the Journal writes, that you can’t change or disable your phone’s unique identifier, not everyone cares if that ID remains a secret.
Other privacy leaks, however, seem more serious: the Journal found that 47 apps transmitted some details about the phone’s location, and that five shared age, gender, and “other personal details.”
The Journal says that “[t]he findings reveal the intrusive effort by online-tracking companies to gather personal data about people in order to flesh out detailed dossiers on them.” While the test found that iPhone apps shared more data than Android apps, the WSJ acknowledges that its small sample size means that it’s impossible to draw any real conclusions about which platform’s apps overshare more.
Why are these apps sharing your personal data? The answer, as it so often is: advertising. The Journal found that seemingly innocuous apps like Pandora share age, gender, location, and phone identifiers to multiple ad networks. The casual game Paper Toss shares your device’s identifier with at least five ad companies, the Journal says. Armed with those details, ad networks can theoretically deliver more customized advertising based on what they learn about you.
In the specific case of location, Apple requires apps to ask permission to even access that information in the first place. Every iOS user is familiar with the oft-repeated dialog box that seeks to obtain said permission. The Journal says that it found one app—Pumpkin Maker—that shared your location with ad networks even though the app never asks for your permission to identify where you are.
Before you toss your iPhone in the toilet and switch to an off-the-grid life, take solace in the fact that Macworld contributor and iOS developer Marco Tabini says that such concerns are probably overblown, relying on a somewhat broad definition of “location.” Tabini says that Pumpkin Maker doesn’t seem to be using iOS's Location Services, meaning that it was likely trying to determine your location via your IP address. That's a notoriously imprecise way to get a device’s location—especially when compared to, say, GPS—and one that doesn't violate Apple's App Store policies and happens on the Web every single day. (Take a look at this site to see where one of these services pinpoints your location based on your IP.)
The true significance of the Journal’s supposed exposé seems less sensational than the piece’s tone would indicate. Basically, these apps are sharing the same kind of data as nearly every Website you’ve ever used. Apps can’t share your gender unless you tell them your gender (or unless they make sweeping generalizations based on the number of Justin Bieber-centric playlists you have). Of course, on the Web, you can trash your browser’s cookies to make it somewhat tougher for advertisers to track you, though that tactic is hardly foolproof: the next time you log back in, the Website’s advertisers will know all about you again.
It’s true that there’s no real equivalent of deleting your cookies with mobile apps. But it’s also true that the Journal found no evidence that personally identifying data—your name, for example—is being shared with advertisers by these apps. Even with your device’s unique identifier in hand, ad networks can’t identify who you are. They may learn that you use several specific apps in tandem and, if you provide certain details to apps, advertisers may also learn your age, gender, or general location. Again, though, Websites have been doing this sort of thing for years, and it’s not too dissimilar from the demographic targeting for advertisements that run during your favorite TV shows.
Perhaps the real scandal that the Journal should be uncovering is the lack of DVR-esque ability to skip through in-app ads.