Just a fraction of mobile apps provide clarity about how they collect and use people’s personal information, according to a survey by the world’s privacy watchdogs, including Ireland’s.
A survey by the second annual Global Privacy Enforcement Network (GPEN) privacy sweep carried out by 26 privacy enforcement authorities found just 15 per cent of apps examined were clear about such details on how they dealt with such personal data.
It was published Wednesday by the Data Protection Commissioner, whose office took part in the worldwide 'sweep' in May.
Some 1,211 apps were examined in total, including 20 in Ireland. They included a mix of Apple and Android apps, free and paid apps as well as public sector and private sector apps that ranged from games and health and fitness apps, to news and banking apps.
The team looked at “the types of permissions apps were seeking, whether those permissions exceeded what would be expected based on the apps’ functionality, and most importantly, how the apps explained to consumers why they wanted the personal information and what they planned to do with it”.
The Data Protection Commissioner said that in the case of 13 of the 20 Irish apps checked, permissions “exceeded that which the sweeper would expect based on the app’s functionality after reviewing the app”. It confirmed follow-up action was being considered in four cases.
In Ireland’s case, the sweep involved the examination of apps across various sectors, including transport, retail, media, banking, entertainment and government.
’Most striking’ finding
The commissioner’s office said the “most striking” finding, was that 55 per cent of apps examined by the team were given a score of 2.
This meant the privacy information provided only partially explained the app’s collection, use and disclosure of personal information, with “questions remaining with regard to some of the permissions requested”.
"In terms of best practice, the sweep team examined two apps (10 per cent) in relation to personal finance - Ulster Bank and Tralee Credit Union - and found that both scored highly on how the app explains how it collects, uses and discloses the associated personal data."
The survey found, however that “at the other end of the scale”, just 15 per cent of apps examined failed to provide adequate information to the customer, while a further 5 per cent provided “no privacy information whatsoever”.
Three-quarters of all apps examined in the survey requested one or more permissions, the most common of which included location, device ID, access to other accounts, camera and contacts.
The proportion of apps requesting permissions and the potential sensitivity associated with the information highlighted the need for apps to be more transparent, the survey said.
Some 59 per cent of apps left those involved in the sweep “scrambling to find pre-installation privacy communications”.
“Many offered little information about why the data was being collected or how it was being used prior to download, or provided links to webpages with privacy policies that were not tailored to the app itself.”
The participants found that in other cases, the links led to social media pages that “didn’t work or required the user to log in”. “Sometimes it was difficult to determine who the developer or data controller was,” they said.
In the case of almost a third (31 per cent) of apps, the privacy sweepers expressed concern about “the nature of the permissions being sought”.
“Sweepers felt the apps requested access to information that exceeded their functionality, at least based on the sweepers’ own understanding of the app and the associated privacy policy.”
In addition, some 43 per cent of apps did not tailor their privacy communications specifically to the small screen.
“Sweepers complained of small print and lengthy privacy policies that required scrolling or clicking through multiple pages,” the published survey said.
They said the most privacy-friendly apps offered “brief, easy-to-understand explanations of what the app would and would not collect and use pursuant to each permission”.
Privacy implications
The mobile privacy theme of the sweep was chosen because many privacy enforcement authorities had identified mobile apps as “a key area of focus in light of the privacy implications for consumers”.
“As mobile apps explode in popularity, many of them are seeking access to large amounts of personal information without adequately explaining how that information is being used,” the published report said.
“The results of the internet sweep offer some insight into the types of permissions some of the world’s most popular mobile apps are seeking and the extent to which organisations are informing consumers about their privacy practices.”
This year's survey involved 26 privacy enforcement authorities, up from 19 last year. The GPEN network is also engaged in a 'sweep' to examine the use of cookies on websites and apps.
The commissioner’s office said the growth of this year’s sweep showed privacy enforcement authorities were “more committed than ever to working together to promote privacy protection”.
“The GPEN initiative is aimed at encouraging organisations to comply with privacy legislation and to enhance co-operation between privacy enforcement authorities.
“Concerns identified during the sweep will result in follow-up work such as outreach to organisations, deeper analysis of app privacy provisions and/or enforcement action.”