Could Your Boss Buy Your Whereabouts? The Growing Problem of Apps and Privacy

October 3, 2014

Apple’s announcement last week that its new operating system carries with it greater privacy protection brought the company some much-needed positive attention. For devices running iOS 8, Apple says that improved encryption now prevents the possibility of it bypassing user-created device passwords to provide law enforcement agencies with the contents of mobile devices. Not to be outdone, Google followed Apple’s announcement by reiterating that their Android OS already includes the same encryption method, which will be enabled by default in future releases.

We all walk around carrying enormous treasure troves of personal information—credit card and bank account numbers, birthdays, contacts, family photos, calendars, not to mention the contents of emails and texts—protected, at best, by a four-digit code we may change once a year, if at all. Our pockets contain quantities of personal information which were unthinkable to transport a decade ago, and we are, by and large, only beginning to concern ourselves with the security of what those devices hold.

The level of public interest in mobile device privacy, however, does seem to be growing. Apple’s announcement was pure marketing—the need to differentiate themselves from the multitude of mobile device manufacturers eating away at their market. Apple positioned itself as a buffer between consumers and government. That has raised some eyebrows in law enforcement, naturally. Former FBI counsel Andrew Weissmann, for example, characterized Apple and Google as “announcing to criminals, ‘use this.’ You could have people who are defrauded, threatened, or even at the extreme, terrorists using it.” That may be hyperbolic, but let’s face it—if you plan on using your phone in the commission of a crime, you’ll want that encryption enabled. Those comments were directly echoed by FBI director James Comey in a press conference last week in which he told reporters he couldn’t understand why Apple and Google would “market something expressly to allow people to place themselves beyond the law.”

The assumption that freedom from intrusion necessarily implies a desire to act illegally is a familiar one. Historically, however, public interest in electronic privacy issues has been fickle, if not entirely transient. Edward Snowden’s revelations of NSA phone surveillance were hardly surprising. Americans have been dimly aware of that kind of surveillance since the Patriot Act came to life in the wake of September 11. Predictably, proposed legislation to restrict NSA access to phone data and metadata has been delayed as the ISIS threat occupied headlines and caused legislators to think twice about advocating for privacy.

If Apple’s and Google’s announcements do signal a trend toward greater public interest in the security and privacy of their mobile devices against the prying eyes of government and law enforcement, a more generalized apathy seems to have set in with regard to protection from privacy intrusions fueled by corporate information gathering. A recent sweep of 1,211 mobile apps by the Global Privacy Enforcement Network (“GPEN”)—a collective of representatives from privacy law authorities around the globe—revealed that a majority of apps raise privacy concerns.

GPEN found that 59 percent of the apps raised pre-installation privacy concerns, meaning the initial disclosures of what would be collected by the app and how that information would be used were inadequate. In addition, 31 percent of the apps appeared to request excessive access to data that was not necessary to their functions, and 43 percent of the apps didn’t tailor their privacy communications to be legible on a mobile screen, making it unlikely that privacy information was fully read and understood by users.

What does it mean that expectations of privacy from corporate information gathering may be lower than our expectations of privacy from our government? That the true scope of commercial intrusions into mobile privacy is unknown to the public. Every level of access we allow, every permission we grant becomes a new point of entry, and we edge further down the slippery slope with no clearly defined limits to what we will allow. One step feels benign, but the step that follows feels sinister. Yes, we want that restaurant-finding app to know our location, but do we want it to know our bank balance? At what point will your employer be able to buy a report of your phone’s whereabouts for the past month? When will our government have access to these privately owned databases of our personal lives? Every time we give a piece of ourselves, it becomes harder to get it back.

Indeed, profit-driven data-gathering on mobile devices has reached astonishing levels of precision in direct relation to the depth of the data that is collected. PubMatic, a company that facilitates the sale of all manner of online advertising, provides 70 data points about desktop users and 100 on mobile users, including the mobile device’s precise location.

The digital age and the proliferation of mobile devices have eroded our expectations of privacy from both the government and the private sector. We have grown accustomed to the idea that our preferences, search results, location and phone activity are being tracked. We are not surprised when, after searching for “lemonade,” we see a pop-up ad for Country Time. We have acceded to the NSA’s insistence that counter-terrorism efforts require constant surveillance of phone activity. We have assumed that if we kept our heads down and lived quietly we didn’t need to worry who knew what we were doing, buying, selling, or hearing. We no longer know who is watching us or how much they know, but with every passing minute they know a little more.