If you have any apps installed on your mobile phone — be it games, news or fitness apps — it’s likely that you are sending some kind of data about your identity, preferences, or physical location to Google, Facebook and other companies without even knowing. This alone shouldn’t be news to you, but new research now documents how significant the issue is in scale.
An Oxford University study of nearly 1 million free Android apps in 2018 revealed that the majority of mobile apps contain utilities from companies — including Alphabet, Facebook, Twitter, Verizon, Microsoft and Amazon — that enable them to track and send data about users to these companies. These utilities are incorporated by app developers for a variety of reasons. For instance, the app developer might use them to monitor the use of the app or to display ads.
The researchers make no claims about what data is transferred to companies, but warn that it’s common for them to gain access to data that is not directly related to the app in use. Depending on app permissions, this could be as broad as a contact list or location history.
With transparency lacking about what is tracked by whom, the researchers see potential privacy risks that leave people vulnerable. Data combined from multiple apps, along with other online history and behavior, can be used to generate very detailed profiles of individuals. From the apps on a person’s phone you could estimate interests, sexual orientation, health status and the identities of their children.
Google disputed the negative implications of the study, telling the Financial Times in October that the researchers mischaracterize “ordinary functions” such as an app merely sending a crash report. Reuben Binns, the computer scientist who led the study, says, “Nobody has disputed that the third parties we identify in the study are capable of tracking user behaviour across multiple apps. This includes when data is used for analytics, crash reporting or, as in 60% of apps with Google’s DoubleClick tracker embedded, behaviourally targeted advertising.”
On the Web, trackers can log information about what you search, click and type. A variety of browser tools (like Privacy Badger, Ghostery or Lightbeam) exist to see who is tracking you. You can also block third-party trackers or tracking cookies (see Brave, Firefox, Chrome or Safari), though this usually also means blocking ads, because ads have the capability to track.
On mobiles, users can turn off or reset advertising identifiers that track them across apps, similar to blocking cookies on the Web. But since many users have no idea this tracking is occurring across apps, they also don’t know they can take control.
Google controls which apps are available in the Google Play Store for the Android operating system and also benefits from the data generated by those apps. The Oxford University study found that Alphabet is the ultimate owner of several subsidiaries that together were found to have trackers in more than 88% of the analyzed apps (as shown below).
New research on smartphones sold by more than 200 different vendors points to an additional risk of invasive data collection with some apps that are pre-installed by manufacturers. “Users are clueless about the various data-sharing relationships and partnerships that exist between companies that have a hand in deciding what comes pre-installed on their phones,” says the study, while calling for more transparency and real opportunity for consent about data collection.
Privacy protections could be built into phones from the start, but they are not. With an app ecosystem that is designed for maximum data collection behind the scenes, we should not be surprised. As more of us wake up to privacy risks online, we also need to recognize the privacy risks of the smartphones that are now so important to our lives. Knowing is half the battle.
Figure: Which companies get data from 959,000 mobile apps? Subsidiaries of Google’s parent company Alphabet get data from 88% of apps via different types of utilities for ads, traffic analytics and more that can track users.