Privacy Regulators Say Barely Any Mobile Apps Tell Users How Their Information Will Be Used

Over half of all the apps downloaded by privacy regulators as part of an international “sweep” didn’t tell users enough about how their information will be used, according to the Office of the Privacy Commissioner of Canada, which participated in the sweep.

The sweep, conducted in May by the Global Privacy Enforcement Network, saw privacy regulators in 19 countries download over 1,200 apps for evaluation.

Worldwide, almost 60 per cent of the apps raised red flags before they were even downloaded.

“Sweepers often found there was too little privacy information available prior to download. Many apps provided a link to a webpage with a tough-to-read privacy policy that wasn’t designed to be read on a handheld device,” according to the Office of the Privacy Commissioner of Canada (OPC). “In other cases, the apps linked to social media pages. Sometimes users would have to log in to view the policy or the links were simply broken. A number of apps raised questions about who the developer or data controller was.”

Over 30 per cent of all the apps reviewed gave users no privacy information at all.

Things are better when it comes to Canadian-made and popular-in-Canada apps. Of the 151 apps reviewed by the OPC, as part of its contribution to the global effort, only 42 per cent raised red flags before download and only 11 per cent had no privacy information at all.

“Fortunately, there were few examples of apps collecting the sort of information that would appear to exceed their functionality—like a flashlight app seeking permission to obtain your contacts list,” Daniel Therrien, Privacy Commissioner of Canada, said in a press release.

“But we did find many apps were requesting permission to access potentially sensitive information, like your location or access to your camera functions, without necessarily explaining why. This left many of our sweepers with a real sense of unease.”

The sweep found that 28 per cent of apps did provide appropriate privacy information—including some of the most popular apps.

“Both large and small app developers are embracing the potential to build user trust by providing clear, easy to read and timely explanations about what information they will collect and how they will use it,” Therrien said.

The OPC gave high marks to Shazam for its “clear explanation” that left OPC staff “with a generally positive feeling about how their personal information would be used.”

Trip Advisor: City Guides was also singled out for having an easy-to-read and well-structured privacy policy.

Of the apps that were reviewed by the OPC, two were singled out for their failure to communicate how information would be used and why it was being gathered.

Super-Bright LED Flashlight, a popular Android app, “sought permission to access the user’s camera/microphone, device ID/call information and even photos/media/files. Besides the camera flash function, it was not made clear to sweepers why the app would need all that information to operate a flashlight,” the OPC said.

No privacy policy was provided on the Google Play store, while a link to the developer’s website only led to a domain parking service.

Also raising concerns was Pixel Gun 3D. The app has no specific privacy policy and its terms of use were described as “long and legalistic” as well as “very difficult to read.”

“Sweepers ultimately felt the app’s privacy communications left much to be desired and, given the potentially personal nature of the permissions, they were uncomfortable using the app,” the OPC said.