
'We're paying with our data': Why privacy can be a problem with apps


Texts, photos, location — you could be giving up a lot more than you think when you download some apps

Apps are ubiquitous, so CBC Marketplace had one built to test just how much consumers know about privacy and how to protect personal information. (Stefan Wermuth/Reuters)

Odds are you're reading this story on your smartphone — and you've likely used one or more apps on your phone today. 

The average Canadian has at least 18 apps on their mobile device, according to research group Catalyst Canada — everything from fitness to social sharing to shopping and games. But is the fun and convenience worth all the personal information you could be giving away?

CBC's Marketplace worked with experts to create a simple horoscope app as a way to show how much Canadians can unknowingly reveal about themselves when they install an app on an Android smartphone.

In downloading the app, which does little more than provide astrological advice, the eight people Marketplace approached in downtown Toronto gave us access to their location, their phone's camera, even their microphone.

These are just some of the permissions many app designers seek in the lengthy terms and conditions agreements app users are required to accept.

Marketplace followed up with four of the respondents a week later but is not revealing their full names to protect their privacy. One of the testers said the app permissions are "disturbing."

"I feel kind of violated," said Shahbaz.

Popular apps haven't been without problems. Pokemon Go maker Niantic had to make a change to their system after it was found their permissions allowed them to gather more data than they needed about users. (Salwan Georges/Detroit Free Press/Associated Press)

Domingo Guerra, president and co-founder of San Francisco-based Appthority, says apps can be "the perfect spy tool" in some cases. 

"A lot of times, we'll download an app thinking it's a flashlight, thinking it's a game, thinking it's a social media app, but it's so much more bundled into it," he says.

"In general, we see that free apps are not really free ... we're paying with our data."

Third parties can benefit

Some apps need to access data in your phone for some of their functions. For example, Facebook needs to access your location if you want to check in somewhere; Instagram needs access to your camera and microphone in case you want to post a picture or video in the app.

But problems persist for many app makers — ride-hailing service Uber has faced lawsuits over privacy questions and was recently criticized for the way it tracks users in real time. 

And last year, Pokemon Go maker Niantic had to update its permissions after a mistake that allowed "full access permission" to a player's Google account. The company says it wasn't initially aware of the flaw and didn't receive or access the broader data beyond basic user ID or email address.

Domingo Guerra, co-founder and president of Appthority, says 'having not just your name or your playing habits but also maybe your location, is more valuable.' (CBC)

Guerra's company, which specializes in mobile risk management for businesses, helped develop Marketplace's experimental app. He says some companies could be collecting more data than they need so they can sell it to third parties.


"If a developer's going to sell your information to a third party, like an advertising network, then having not just your name or your playing habits but also maybe your location, is more valuable."

It took less than a day to design and build the app, called My Daily Horoscope. The horoscope app was available to Android phone users through a third-party website.

Similar to other popular apps, My Daily Horoscope had a lengthy terms of service agreement that testers had to accept in order to download the app.

No questions before clicking 'accept'

The participants who downloaded the app skimmed through the hefty contract quickly and clicked on "accept" within seconds. They had a free app — and the Marketplace team behind the app had access to a trove of data.

By accepting the terms of service, testers gave the app access to the phone's microphone, contacts, call logs, text messages, camera and location. 

That meant the app had the ability to track the phone's movements and download photos and text messages. But it also had control: the ability to activate the camera, turn on the microphone.

Marketplace only accessed data to demonstrate to the testers what they had given up. After the test, all information collected by the app, which is no longer available to download, was destroyed.

App stores like Apple's iTunes and Google's Play have guidelines that require apps to disclose what permissions they want and what they do with the data. But it's still possible for apps to push past what you'd expect and ask for data they don't need.

'It's disturbing' 

The most shocking app permission for one of the testers, Shahbaz, was the ability to turn on his camera and microphone unprompted.

"I should have read those terms and conditions," he said.

Same goes for Jason, who said he thinks the government should implement stricter rules and regulations to better protect consumers.

"If you want to do business in Canada, it needs to be regulated. It needs to be watched.... This is their job: to make laws and regulations. This is what they should be doing." 

Daniel Therrien, Canada's privacy commissioner, says he can only give out warnings to companies who run afoul of privacy legislation. While there were few reported cases of privacy breaches involving apps in Canada in recent years, Therrien says it's something his organization is watching.

The Marketplace horoscope app was available only to Android users through a third-party website. After the test, the personal information was destroyed. (CBC)

He says one of the issues is whether "we should have stronger enforcement powers, such as the authority to order companies to change their practices, or even to issue fines" in a way that mirrors the U.S. and some western European countries. 

"This is a very lucrative business, there's certainly a case to be made that companies that make a lot of money with personal data should face important sanctions" if they don't behave as required by privacy laws, he says.
  
There are steep fines from the U.S. Federal Trade Commission, and the agency has fined companies as much as $800,000 US for privacy violations. Europe is cracking down, too, forcing companies to reveal exactly where people's personal data is going.

Bottom line? Consumers need to be aware of how much data they are offering up. The application manager is the go-to spot for users who want to manage their settings. People should also do a "spring cleaning" on their phones and delete the apps they aren't using anymore — because they could still be collecting data.

What about the CBC News app? What we access and why

You might be wondering, what exactly does the CBC News app access on your phone? Here's a rundown of the permissions CBC asks for.

Network connectivity status and type
The CBC News app checks this to prevent the app from crashing if the signal strength isn't good and to help understand why something may be taking a long time to load. 

Location services
The app accesses this to help deliver local news and weather.

Diagnostic and usage data 
This helps the app know how many people are reading stories and when and what ads the user has already seen. It also helps track the stability of the app and diagnose any issues.

For more about what CBC does with the data it collects, read the privacy policy here: http://www.cbc.ca/aboutcbc/discover/privacy.html

Based on an investigation by Nelisha Vellani, Asha Tomlinson, Tyana Grundig and Morna Scott-Dunne