A peer-reviewed study of almost 1m Android apps has revealed how data from smartphones are harvested and shared, with nearly 90 per cent of apps set up to transfer information back to Google.
Researchers at Oxford university analysed approximately a third of the apps available in Google’s Play Store in 2017 and found that the median app could transfer data to 10 third parties, with one in five apps able to share data with more than 20.
This year has seen unprecedented scrutiny over how websites use the data they collect from their users, but little attention has so far been paid to the sprawling and fast-growing world of smartphone apps.
Reuben Binns, the computer scientist who led the project, said that because most apps have now moved to a “freemium” model, where they make revenues from advertising rather than sales, data sharing has spiralled out of control.
Users, regulators and sometimes even the app developers and advertisers are unaware of the extent to which data flow from smartphones to digital advertising groups, data brokers and intermediaries that buy, sell and blend information, he said.
“This industry was growing already on the web . . . when smartphones came along, that was a new opportunity,” he said. “It feels like this legitimate business model has gone completely out of control and created a kind of chaotic industry that is not understood by the people who are most affected by it.”
Data collected by third parties through smartphone apps can include anything from profile information such as age and gender to location details, including data about nearby cell phone towers or Wi-Fi routers, and information about every other app on a phone.
Select mobile apps
in which you are interested
Selected apps
Add more apps
The rapid growth of the app economy has seen almost 10m apps released in the decade since Google created an app store for Android smartphone users, according to App Annie, the research group. As of August, there were 2.8m apps available on the store.
The researchers at Oxford looked at the code in apps that indicates data are being transferred, and showed both how widely data are shared, and how that data often flow upwards to a handful of companies, notably Google’s parent company Alphabet, as well as Facebook, Twitter, Verizon, Microsoft and Amazon.
The concentration of data in the hands of the world’s biggest tech companies is often masked by a network of subsidiaries that collect data from smartphone apps. The analysis showed that as of January last year 88 per cent of apps could transfer data to third parties ultimately owned by Alphabet, while 43 per cent could transfer data to businesses ultimately owned by Facebook.
“This is important if we are to empower individuals and also understand the monopoly and concentration issues surrounding tracking companies,” said Nigel Shadbolt, co-founder of the Open Data Institute and head of the group that carried out the research.
Because data are ultimately transferred to the same businesses, it can be used to create detailed profiles, said academics. If information from a dating app, for example, were shared with the same parent company as data from a banking app, it could be possible to deduce the sexuality of a bank’s customers.
“Mobile phone are stores of sensitive information and if your phone is on, they’re just sending the information all the time to the same third parties,” said Joel Reardon, assistant professor of computer science at the University of Calgary. “Even just the characterisation of what apps you have on your phone is quite an insight into a person’s life, you can learn information about their age, sexual orientation, health and link it back to their device.”
Google disputed the implications of the research, saying it mischaracterised “ordinary functions” such as an app reporting back when it had crashed and its analytics.
“Across Google and in Google Play we have clear policies and guidelines for how developers and third-party apps can handle data and we require developers to be transparent and ask for user permission. If an app violates our policies, we take action,” said Google.
But Mr Binns said the data transfer rights built into the apps often go beyond simple uses such as crash reporting because many apps ask for “excessive permissions” to transfer data and reserve the right to retain it for analysis and resale.
The Financial Times app was one of the apps analysed by the researchers, who found that it sends data to seven third parties. A spokesperson for the FT said: “We send data to these providers to enable services such as push notifications, crash tracking, Google sign-on and personalised advertising.
“We are extremely careful with how we collect and handle customer data, and set out in detail how we use it in our privacy policy. Readers can easily manage their cookie settings for ft.com and our apps.”
News apps, games and apps targeting children were among those with the ability to transfer data to the most third parties, the research found, despite regulations in the US and Europe that limit how children’s data can be processed.
The privacy policies of many apps analysed by the FT shifted the burden of compliance on to users, stating that people under the age of 13 should not use their services.
Most smartphone users often do not realise the extent to which their data are passed to third parties, or repackaged and passed on again, said lawyers and privacy campaigners.
“There is a lot of sharing of data that we cannot as users immediately identify or realise,” said Gabriel Voisin, a partner at Bird & Bird, the law firm. Users cannot easily control who their apps share data with, or the fact that only “two or possibly three super-dominant” companies such as Google sit at the top of the data pyramid. “There are no easily accessible settings or widget to switch this off,” he said.
The Oxford research found that 90 per cent of apps could transfer data to third parties in the US, with 5 per cent able to send data to third parties in China and 3 per cent to those in Russia.
The EU does not consider China and Russia to have adequate data privacy standards, while the US is only considered adequate if companies use extra safeguards. “All we can see is the first hop or step in the process, data going out,” said Mr Binns. “But what happens to it next, we don’t know.”
Both Apple and Google have launched tools to mask data.
“De-anonymisation”, the practice of linking data to a user, is prohibited by the EU’s General Data Protection Regulation.
But Frederike Kaltheuner, head of the data exploitation practice at campaign group Privacy International, said an industry of data brokers such as Acxiom operate in a legal grey area, offering services to link data together, matching offline data such as spending with online data from smartphones. “In practice we know it’s very easy to link data back together,” she said.
Alexander Hazell, data protection officer at Acxiom, said the company insisted data should be legally and responsibly sourced and used by partners in a “legal, proportionate and fair” way.
“Acxiom takes data protection very seriously and goes further than legal compliance by applying an ethical framework to how it processes data for others,” he said.
The introduction of GDPR in May was a watershed moment for privacy regulation, but the world of smartphone data has so far remained largely in the dark.
“The whole ecosystem has grown so much so quickly, it’s got to a scale where it’s very difficult to manage,” said Narseo Rodriguez, professor at Imdea Networks, a publicly funded research institute. “Phone [data] transfers have got to a scale where it’s going to be very, very difficult to manage.”
Adrienne Hall, general manager at Microsoft, said the company “has a different business model than other tech companies that rely principally on advertising revenue”.
LinkedIn, which is owned by Microsoft, said it “places limits on any use or combination of data with third parties or Microsoft”.
Oath said: “The research also appears to account for data that may be shared with us as part of an app’s use of our digital ad technologies. GDPR requires app developers offering services to European users to disclose their privacy policies, including third party data sharing, as well as user data management options.”
Facebook, Twitter and Amazon declined to comment.
‘Third Party Tracking in the Mobile Ecosystem’ was peer-reviewed and funded by the British government’s Engineering and Physical Sciences Research Council.
The researchers used a partly automated “static” analysis method that involves downloading an app, extracting its code and searching for elements that look like website URLs. Any possible URLs were compared with a list of manually compiled URLs judged by the researchers to be used by third party “tracking” companies for analysis and profiling. The list was based on publicly available information about the ownership and business activities of companies. The research might have identified URLs that do not actually always take data from apps. Several apps, including Uber, have been excluded because it was unclear to which parties they send data if they send any