Lives at risk: Excessive data collection in apps

Last month, in January 2020, the Norwegian Consumer Council, an NGO, published a report on collection and sharing of personal data in popular apps. The reassuring title: “Out of Control: How Consumers Are Exploited by the Online Advertising Industry”.

On 186 pages, the researchers analysed the data practices of 10 popular Android apps. Amongst those apps: a children’s app, a period tracker, and various dating apps.

What they found was a blatant disregard for governing data protection legislation, notably the EU General Data Protection Regulation (GDPR).

Vulnerable groups at risk

Grindr, a popular LGBTQ dating app, showed particularly troublesome data practices, for which reason it was singled out in the report.

TrackerControl, an app that helps individuals protect their data and regain their privacy.

The app was found to share users’ exact location, IP address, phone ID, age, and gender directly with 18 third-party companies—including Google Crashlytics, Google Firebase, Tencent, Facebook, and Twitter’s MoPub.

To make matters worse, many of these companies reserve the right to pass this data on to many others in a “cascading data sharing” process. In consequence, potentially thousands of companies can get access to this private information.

In fact, the app was found to employ so-called real-time bidding, by which advertising space on a user’s device is sold to interested advertisers in real-time. To facilitate these auctions, the app developer provides the interested advertisers with information about its users.

I recently explained this business model in depth in another blog post.

We’ve been there..

Grindr has faced similar accusations in the past. Users can indicate on their profile whether they are HIV positive or negative, when they were last tested for STIs, and whether or not they take preventive medication against HIV.

Previously, Grindr was found to share this medical information with two major analytics companies, only to analyse and improve app usage, they claim.

This can put individuals at severe risk. Homosexuality is illegal in more than 70 countries, in 13 of which it may be punished by death.

Alone the use of Grindr, an indicator of sexual orientation, may motivate discrimination or prosecution.

Even in counties without repressive legislative regimes, people are put at risk.

Some people prefer not to disclose their sexual orientation publicly, and may face discrimination.

For many, online services, such as Grindr, are not just about dating. Rather, they provide safe spaces and refuge that are difficult to find in the real world. J. Bryan Lowder, associate editor of the online magazine Slate, describes it as:

I always feel a bit weird describing Grindr or Scruff as dating apps, because they clearly function as much more than match-makers. To my mind, they are more like virtual gay bars or lounges, which facilitate romance and sex, but also offer idle talk, the passive stimulation of the crowd, and at the very least a means of killing time. […] I don’t think so many of us would spend so much time in there otherwise.

Grindr only put an end to sharing health information following an official complaint by the Norwegian Consumer Council.

We’re all affected.

Grindr maintains to “operate with industry standard practices”.

This is true. Similar extents of data sharing were found in many other (dating) apps.

Tinder, a dating app, was found to share users’ GPS location and “target gender”—or data on sexual orientation. In addition to this information, OkCupid, another dating app, shared data on sexuality, political views and drug use with the analytics company Braze.

Concerning data practices were also found in the analysed children’s and period tracker apps.

One can thus very well describe the app ecosystem as “out of control”.

Overall, the bespoke report found widespread violations of data protection legislation. Data is shared, without the user’s awareness, let alone consent.

Is all hope lost?

Having learnt that data protection is being neglected, this raises the question whether data protection can be saved in any way.

Digital abstinence seems like the obvious answer and solution, except that it isn’t. It’s impossible to live a normal life today without using online services. Internet access has essentially become a basic human right, and it must thus be possible to go online without giving up on our data.

Instead, I want to discuss three very different solutions.

  1. More enforcement. It’s not enough to introduce ambitious data protect legislation, such as the GDPR. For the law to be effective, it must be enforced, by equipping the data protection agencies with sufficient funding.
  2. Better data hygiene. This is not about reading all the privacy policies, but rather think a bit harder about what to share. For instance, I like the website, which provides you with fake personal details, including birth date and telephone number. The best thing is that they also provide a working email address for you to use.
  3. Also, you can do something to limit the data sharing in apps. In my PhD, I’m developing an app that allows to disclose and restrict the data sharing of apps with third-party companies. The app is called TrackerControl, and uses a similar technology as the Firefox Browser to reduce such data collection, but operating on mobile. You can download a prototype for Android already.

If you enjoyed this read, you may want it check out this post. It considers the philosophical and legal foundations of data protection and discussed whether and why we need data protection.