A survey of over 1,200 mobile apps by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s information is being used.
The survey by the Global Privacy Enforcement Network (GPEN) examined the privacy information provided by 1,211 mobile apps. As a member of GPEN, the UK data protection watchdog the Information Commissioner’s Office (ICO) examined 50 of the top apps released by UK developers.
The research did find examples of good practice, with some apps providing a basic explanation of how personal information is being used, including links to more detailed information if the individual wants to know more. The regulators were also impressed by the use of just-in-time notifications on certain apps that informed users of the potential collection, or use, of personal data as it was about to happen. These approaches make it easier for people to understand how their information is being used and when. Overall some three in ten, 30 per cent of apps offered no privacy communications whatsoever.
ICO Group Manager for Technology, Simon Rice, said: “Apps are becoming central to our lives, so it is important we understand how they work and what they are doing with our information. Today’s results show that many app developers are still failing to provide this information in a way that is clear and understandable to the average consumer.
“The ICO and the other GPEN members will be writing out to those developers where there is clear room for improvement. We will also be publishing guidance to explain the steps people can take to help protect their information when using mobile apps.”
The ICO has published ‘Privacy in Mobile Apps’ guidance to help app developers in the UK handle people’s information correctly and meet their requirements under the UK Data Protection Act. The guidance includes advice on informing people how their information will be used.
For the results of the second Global Privacy Enforcement Network (GPEN) Privacy Sweep visit – https://www.priv.gc.ca/media/nr-c/2014/bg_140910_e.asp.
About the GPEN
The Global Privacy Enforcement Network was established in 2010 on recommendation by the Organisation for Economic Co-operation and Development. The informal network is comprised of 51 privacy enforcement authorities in 39 jurisdictions.
Charlie Howe, director, EMEA at Skyhigh Networks, the cloud visibility and enablement company, comments on why enterprises must to take notice of these privacy concerns:
“A mobile device is one of the most frequently used and most relied upon tools in the corporate environment. As such, employees are regularly using mobile applications – in some cases, without the knowledge of the IT department. With this latest report from the ICO exposing the privacy failings of so many apps, it points to a scenario where both individual and company data could face a worrying security risk. This is not to mention that a number of the activities potentially compromising privacy may, in fact, be perfectly legal.
“What’s more, lax password practices where users are re-using the same password multiple times in both their personal and corporate life, means that the security threat is being multiplied. Once credentials in one mobile app have been compromised, a domino effect is caused across other mobile and cloud services where the same password has been used. This could prove extremely costly for enterprises, as vast amounts of confidential company information is suddenly up for the taking.
“To mitigate the risk of these less secure mobile apps creeping into your corporate network and holding the door open for attackers, it is critical for businesses to have a handle on what mobile and cloud services are in use. It is only by knowing the reach of corporate information that businesses can adequately secure it. The bottom line is that not all applications and services were created equal in terms of privacy – and businesses must strike a balance between utilising the flexibility and collaboration gains of these services, while preserving the integrity of sensitive enterprise data.”
Jose Talavera, solution consultant for the UK and Nordics at Keynote, a mobile, cloud and web performance product company, comments: “The GPEN and ICO report highlights just how important it is to optimise sites for mobile devices; it’s not just aesthetics, but personal privacy that is at stake. It is simply unacceptable that site visitors are left in the dark when it comes to being aware of how secure – or not – the sites they’re visiting are. This is a prime example of why sites can’t simply be shrunk to facilitate mobile access. Developers must ensure sites are well thought out and privacy information is made readily available and readable. Failing to do this could not only drive away custom for a business, but could be hugely detrimental to a company’s credibility, not to mention the backlash from users if a site is then breached.
“To ensure consumers are able to access privacy information, developers must regularly monitor and test site performance for both mobile and online sites, in real-time and on real devices. This will help companies understand what their customers are truly experiencing, regardless of their network, handset, device or location. If the text is too small to read, the information is too hard to access, or it cannot be accessed at all, developers will be able to identify these issues and resolve them as quickly and efficiently as possible. Where privacy is concerned, it’s crucial to get it right first time, and testing and monitoring could be the key to ensuring overall brand reputation is not damaged and customers are retained.”
And here’s comment from Roy Tobin, Threat Researcher at Webroot.
“There are a number of concerns highlighted by GPEN’s findings: Applications are storing this information, but is the stored information secure? What if the database or the creator of the application gets hacked? Applications don’t always show what information they are storing or they make it so long that people don’t bother reading it.
“It seems that certain applications are primarily used for data gathering and not actually for their primary purposes, which is the most concerning part of the entire study. Our own research
“The Flashlight application is the go to app example when people talk about permissions and/or data access but realistically speaking if a Flashlight app is asking for sensitive information one should be suspicious. Thankfully Google have made changes to the app store to make it easier for the customer to see exactly what the app is trying to access. Always remember to only get applications from the devices app/play store. While it’s not a 100 per cent guarantee that the app is clean it’s a good start.”