
Taking control of the personal data on your mobile phone


When you download an app onto your smartphone, do you know what personal data you’re handing over? Anette Høyrup of the Danish Consumer Council has been putting apps to the test.

We’ve all experienced it: yet another popular app has found its way onto our smartphone and with a few clicks it’s installed. It may be a fun game, Facebook Messenger or a health app that reminds you to do your daily exercise.

Whatever the type, apps often ask for access to your location, calendar, contact information, microphone and private text messages. In short, you have to consent to hand over some of your phone’s data to use any app. The question is: how much data are you really handing over?

Data harvesting technology

I work as an expert on digital matters at the Danish Consumer Council, and a while ago we tested the policies of 35 apps. We’ve also developed our own app, so we could see with our own eyes how app developers can transfer your personal data to the company’s computer. It’s pretty wild to see your private text messages being copied to a company computer just like that!

Apple or Android?

How you control the data you share with apps depends on your phone. On iPhones, you can go to the phone’s settings and under ‘anonymity’ you can withdraw data from each app.

On Android phones you’ll see a list of the permissions each app requires before you download them, allowing you to accept or decline. The latest version of Android (Marshmallow, 6.0) gives you greater control, allowing you to retrospectively grant or deny permission for each app, similar to on iPhones. However, only a few phones come with this new version, or have so far been updated with it.

Difference between physical and digital world

In the real world, where you stand face-to-face with a salesperson in a shop, you’d be very surprised if you were asked to provide information as a condition of being allowed to buy a pair of pants or a loaf of bread. We decided to see how people would react to this with a hidden camera, so check it out for yourself:

There’s no such thing as a free lunch

It could be argued that your private data is a reasonable payment in return for a free app, compared to a loaf of bread you have to pay for. It can allow the company to use your data for targeted advertising and is therefore of value to them. Other times the data is required for the app to work. For example, WhatsApp asks for access to your photos so that you can send and receive photos in the app.

Your data can also provide added functionality. In this case it’s good to be on your guard. Facebook Messenger can ask for access to your private text messages, reportedly to let you text all your phone and Facebook contacts in one place. If you’re not comfortable with handing Facebook Messenger this data, then make sure not to accept it.

Of course, we’re most concerned about the times that apps ask for personal data they don’t necessarily need. Why should a torch app need your GPS location, for example?

The right to privacy

Although privacy legislation hasn’t kept up with digital developments, there are still rules which say that data collection must be objective and necessary. And these rules also apply to US companies.

Moreover, technology that protects consumers’ privacy as a default is an important new principle included in the upcoming modernisation of the EU Data Protection Act.

But what do you think? Do you think that we often have to provide too much personal data to use apps? Or do you think our data is just the price we have to pay for living in a digital world? Would you prefer to pay for apps rather than hand over your personal data to get apps for free?

This is a guest contribution by Anette Høyrup of Forbrugerrådet Tænk, the Danish Consumer Council. All opinions are Anette’s own, not necessarily those of Which?

Comments
Patrick Taylor

A very important subject and Which? should be much more on the front-foot regarding these matters. Reviewing smartphones suggests to me that Which? also needs to highlight downsides in a user-friendly way and this may be by referencing a site that does follow apps and reports on the scandals.

On that basis consumers may be suitably wary and choosy on app adding. A warning board for App happy? : )

I think Which?

duncan lucas

I have been trying hard to find a website / app that doesn’t harvest your data; the list is enormous, and even if they don’t, most are easily hackable, especially ones from social networks. I also take it it doesn’t apply to the 14 years our “protective services” have been harvesting all your data on mobile phone. In any case, if you use the Internet, be it from mobile or computer, your data is going to be collected whether you like it or not. This includes your photo. On computer alone Google has the fame (infamy) of being the number uno of trackers; I have at present 37 trackers from them alone on one blocker (there are 10,000 of others). You have to make up your mind: use the Internet? Then don’t be surprised if others use your data for their own ends. It’s so bad now that even visiting a website without clicking on anything can download a virus. I would not like the public to think, if they say no to tracking, that covers them; that would be a grave injustice in information to the public. I am not talking here of solely used website ID tracking (for access to a website) but info gathering ones that follow you; the web is full of them, many hidden from view. I am not being alarmist, but if you want to talk on a subject realistically and really help the public they must know the truth.

Patrick Taylor

How very apt. Reported in the Guardian today are the exploits of Facebook who have “form” for manipulating the news through their app in an experiment.

This is one that has just come to light:
“Facebook’s habit of experimenting on its customers has again led to anger, following allegations that it deliberately broke its app for a small number of users to see what they would do.
In a report from tech journal The Information, Facebook is accused of selectively crashing its Android app, for long periods of time, in an effort to discover the threshold at which users just give up and go away. But the lure of Facebook proved too strong: “The company wasn’t able to reach the threshold,” the site says, with someone familiar with the experiment adding that “people never stopped coming back”.
Even if the app was broken for hours on end, people simply used the mobile web version of the site, rather than not use Facebook.”
Article: Facebook accused of deliberately breaking some of its Android apps

DeeKay

Hi all, Duncan I am curious and have been for some time
Is it possible that SKY harvest and use your preferences to direct adverts toward your habits
On the nights wifey works I visit a cousin nearby, maybe more like a brother as I was near brought up with them
They obviously do/view things different to us.
For some reason I feel I see adverts I don’t see at home
We have a complete package of Satellite, phone and broadband from SKY for about a year now
I know that the box has and does use the wifi for many things as the symbol comes up when you’re wanting a view at something you missed, but I’m beginning to think that they know more about me than I do.
Could they have a few or several different series of ads for differing types of viewers/web users?

duncan lucas

Hello Dee. Well Dee, diesel has put it basically down. Sky are getting praise from all quarters of the advertising industry and from many supermarkets / BB’s for its “innovative” personal targeting of you + family, as all the data that tracks you and produces the ads is held digitally on your Sky box. I am trying to find a way of “interrogating” a Sky box, as in Windows/Linux/etc.; if I find a way I will post it. I don’t use Sky but Free-sat + continental satellites, Germany having a more pro public (free) view of films and sport that is up to date (with government help).

Patrick Taylor

Cisco says
“Sky made substantial commitments, both commercially and in terms of resources, to develop a first-of-its-kind Targeted Advertising solution that would transform the TV advertising industry. Working with innovators across the company’s TV, advertising, and analytics arms, as well as external partners including Cisco and BARB, in January 2014 Sky officially launched the service that was the culmination of this multiyear effort: Sky AdSmart.
Sky AdSmart is not a single algorithm, application, or technology. It is an end-to-end digital delivery chain for personalized advertising, spanning the entire broadcast system including transmission technologies, STB software and hardware, data collection, and reporting, all designed to operate on one-way satellite systems. The solution includes:
● State-of-the-art back-end system that controls scheduling of AdSmart ads, taking into account business rules and regulatory restrictions governing ad placements
● Sophisticated ad-targeting engine that classifies viewers according to 90 combinable audience attributes
● Transparent, frame-accurate ad insertion that can imperceptibly swap targeted ads into linear programs
● First-of-its-kind viewing measurement capability that can measure advertising exposure across 500,000 subscribers, encompassing 40 million viewing events a day (for example, every time a viewer changes channels, pauses, rewinds, etc.)
● Mechanisms to download Sky AdSmart software and advertisements to millions of Sky+ HD STBs without disruption to viewers, converting deployed hardware to dynamic ad servers without the need to replace customer hardware
● Aggregation of third-party demographic data with Sky IQ, Sky’s data analysis division”

And remember you are paying Sky for the adverts : )

alfa

When going from Which? front page to this page, why do I have the following in my cache:
http : // ….
partner.googleadservices.com…..
s3.amazonaws.com…….
tpc.googlesyndication.com…….
wca-assets-which-prod-euwest1.s3.amazonaws.com…….
google-analytics.com……..
googletagmanager.com……….
i-ytimg.com……..
securepubads.g.doubleclick.net…….
static.doubleclick.net/instream/ad_status.js

And I did clear my cache before going from one Which? page to the next.

Patrick Steen

Hello Alfa, all the Amazon URLs relate to our server. We use Amazon Web Servers, based in the EU, to keep the website up for you to access. The Google Analytics is how we track the traffic to the website, which pages are visited and where the traffic has come from. The DoubleClick reference relates to the panels you sometimes see on the right-hand side, showing our nuisance call reporting tool for example. This system allows us to show useful content relevant to the page you’re on. It doesn’t track you or collect information about it, just shows you the right promo on the right page and lets us know how many people are clicking on them. The i-ytmig.com isn’t to do with us, but it’s when we embed YouTube videos to watch. I hope that explains what those are.

The cache is a bit different to cookies, but if you’re interested to read about our cookie policy, you can here: http://www.which.co.uk/privacy-policy/cookie-policy/

alfa

Thanks for the explanation Patrick.

I did wonder when they made brief appearances on a long running script.

malcolm r

From Wiki ” In April 2015, AWS was reported to be profitable, with sales of US$1.57 billion in the first quarter of the year, and US$265 million of operating income.” (AWS – Amazon Web Servers located in 11 geographic locations across the world).

I wonder if they pay any tax?

I presume that there is no conflict of interest in using AWS, what with convo critics of Amazon for promoting unsafe products.

I wonder when Google, Amazon, News Corporation and the like will be just too influential to argue with?

🙁

duncan lucas

Do you realise your own search engine tracks you from site to site? And that DDG = DuckDuckGo is no longer totally private but is getting paid by BB to target you with adverts. Two that are used in Europe (European servers) that I use are Ixquick and Startpage; they are a lot more private and aren’t accessed by the NSA / GCHQ, as stored data is not kept and European law is more pro public. That alone is not enough: your own ISP knows every move you make using its DNS server. I have an auxiliary German privacy DNS server which doesn’t log you (most do). As regards Google, EVERY thing you do is sent back to the US and kept on computer. Many of the trackers listed are blocked as webtrackers, not necessarily just for one website. There is a lot more depth to them than meets the eye.

RodBrown

I normally get a warning that the app wants to access a list of data! I am inclined to deny access, but am worried that by denying access, the app will not work! I feel that it is an ‘all or nothing’ decision! Is the decision for each piece of info requested to be individually accepted?
I don’t want to provide much of the information requested, but want to select which data to provide and which not!

gradivus

This is something I’ve felt strongly about for quite some time. But it seems there is nothing we can do about it unless an organisation with some weight behind it, e.g. Which?, takes up the reins.

And it’s everywhere. Why, for example, does the Which? Magazine Android app need access to my contacts?

DerekP

Personally, I use a radical alternative whereby I only use my phone for voice and texts. Then I have PCs from which I can surf the net.

Member

I work in IT security and am all too conscious of this pervasive and frankly nasty trend into an Orwellian snake pit. I started to get annoyed when I noticed that an Android app for a measuring tape wanted something like contacts, GPS, inside leg etc.

I then installed an app that gave me a privacy score for each app. I deleted any apps with poor scores and the result was I was left with about 2 or 3 apps. Angry Birds, you name it, it went, so my once “Smart” Phone was left with an IQ at near Farage levels. Then Google began to fill up the storage with updates to their apps, so much that I gave up on Android and got a cheap Windows phone instead. I’ve never been happier with a phone. It’s slicker, easier to use and best of all most apps want hardly any extra permissions at all. The few frequent offenders that do, like Facebook Message, Pentagram (Instagram) and What’s App I just avoid like the plague.

The Android app I used to check privacy (or Big Data spying) is called Lookout and is very good.
http://www.androidauthority.com/best-android-apps-privacy-security-98118/ has a good list of 5 apps including Lookout.

duncan lucas

Mike - I am glad you are happy with your Windows phone, but it worries me you say you have bought a cheap one. On the Windows 10 system, when using Wi-Fi outside, when the phone is disconnected from a Wi-Fi network it continues to try to connect to any nearby wireless network. The data sent out includes your MAC address; once logged in, this info can be used by third parties to track your movement for targeting/commercial gain etc. In the Lumia 950 + Lumia 95-XL there is a blocking feature called = Activate Random Hardware Address for enhanced privacy. This app can be programmed on the phone, so check to see if you have it; there are instructions on the web.

DeeKay

I love the “Orwellian snake pit.” I just love that one. New to me

duncan lucas

gradivus: If it’s like other site requests, it uses your contact info to auto-populate registration fields when applicable. Due to the design of the Android operating system, they must ask for certain permissions to give you full functionality. Do NOT take what I said as applying to all requests for permissions, only this request, as there is deep controversy over allowing a multitude of permissions on Android.

duncan lucas

I am glad Which removed the phishing email from the US; it was so obvious that some must take us as fools here in Britain.