Combatting Privacy Rights Exploitation: Managing Mobile Permissions Requests

Mobile apps have made life easier and more convenient. But consumers may be compromising their privacy when they sign up for them -- even the most popular apps.

The terms and conditions of user licenses and privacy policies can leave gaping holes, failing to protect customer information from usage that does not have the user’s well-being in mind.

Sometimes this is not obvious.

Consider this now-removed nugget that the music-sharing service Spotify buried amongst pages of innocuous-sounding conditions in its privacy policy:

“With your permission, we may collect information stored on your mobile device, such as contacts, photos, or media files. Local law may require that you seek the consent of your contacts to provide their personal information to Spotify, which may use that information for the purposes specified in this Privacy Policy.”

Responding to criticism, Spotify replaced this statement with another more consumer-friendly one, but users continue to find similar statements for other apps and seemingly endless requests for data by organizations -- in exchange for using their services or otherwise. What’s remarkable is that even in an age of rampant online fraud, users are willing to reveal data about themselves. This willingness to cooperate creates opportunities for organizations and cyber mischief-makers to gain access to private photos, videos, contact lists and media files.

To be sure, some of the reasons for these kinds of data and permissions requests are benign. Spotify’s app needed to access photo albums so that its customers could set their profile pictures. It also provided an offline listening service, if a user allowed the app into their media files. These services added value to the user experience. Still, the pressure behind the scenes to monetize user data for profit could place information and relationships – personal or business-wise – in jeopardy.

Say you have a long-standing relationship with a corporate executive. You go to great lengths to respect their rights as a figure in the public eye. Then one day, you grant an app access to your contacts, files and photos – inadvertently or otherwise. Suddenly, your contact is receiving unsolicited ads, which demonstrate an uncanny knack of knowing their preferences. Or worse, if they are individuals of some fame, your tagged but private – so you thought -- photos of them wind up posted somewhere public.

A security breach is another potential consequence of giving apps too much access to data. While companies may try hard to protect your files, the treasure troves of personal information they collect make them attractive targets for cybercriminals. The information gathered from you could be part of an attacker’s haul and increase the likelihood of fraud and other consequences.

As companies eager to understand consumer behavior enter deeper into our lives, what can be done to protect customers?

It’s important, of course, to read Terms of Service agreements and privacy policies carefully. The wording can be daunting and legalistic, but a few extra minutes can uncover hidden risks. In some instances, it may be better not to sign – not to use the app at all. But for those who want the full capabilities of modern smartphones and privacy without compromise, newer approaches that put control back in the user’s hands can help.

Consider Blackphone’s Silent OS, an Android-based operating system that lets users create multiple, separate virtual phones on one device. As there is no exchange of data between these virtual phones, the user can keep personal and work work information separate. That means when you download an app for personal enjoyment, there is no danger of a company gaining access to work contacts and then spamming them with ads. Similarly Blackphone’s user-friendly Security Center lets users edit app permissions, rejecting permissions requests that seem too intrusive and allowing those that offer a reasonable added value to the user experience. Innovations like these are a new way of dealing with a problem that has increased in scope as the use of mobile devices has grown.

Consumers may feel that to use a wide array of apps, they must compromise their privacy. But technological innovation and other measure have given them options to limit what can be done with their information. Ensuring that the use of these products and services becomes more commonplace will require changing public perception. That can occur if consumers are willing to confront the status quo – and take a stand for their privacy.

- David Puron, VP of Engineering