Global privacy sweep raises mobile app concerns
Nearly one third (31 percent) of all mobile apps raise concerns about the nature of permissions sought, a global sweep of mobile apps has found. One in three apps surveyed appeared to request access to information that exceeded their functionality.
The New Zealand findings were broadly consistent, with 38 percent of those apps surveyed requesting permissions that appeared to exceed what was necessary for the functionality of the app.
The Global Privacy Enforcement Network (GPEN) Privacy Sweep ran from 12-18 May this year and examined more than 1,200 mobile apps in total. Twenty-six (26) privacy authorities participated in the sweep, including the Privacy Commissioner’s Office in New Zealand.
The survey included a mix of Apple and Android apps, free and paid apps, as well as public sector and private sector apps ranging from games and health/fitness apps, to news and banking apps.
GPEN identified mobile apps, many of which collect a great deal of personal information, as a key area of focus in light of the privacy implications for consumers.
Among the sweep highlights:
• 75 percent of all apps examined requested one or more permissions, the most common of which included location, device ID, access to other accounts, camera and contacts. The proportion of apps requesting permissions, and the potential sensitivity associated with the information, highlights the need for apps to be more transparent about how the information will be used.
• 59 percent of apps left sweepers scrambling to find pre-installation privacy explanations. Many apps offered little information about why the data was being collected or how it was being used prior to download. Some provided links to webpages with privacy policies that were not tailored to the app itself. In other cases, the links led to social media pages that didn’t work or required the user to log in. Sometimes it was difficult to determine who the developer or data controller was.
• 43 percent of apps did not tailor the privacy statements to the small screen. Sweepers complained of small print and lengthy privacy policies that required scrolling or clicking through multiple pages. Best practices included using pop-ups, layered information and ‘just-in-time’ notification to inform users of potential collections or uses of information when they were about to happen.
Only 15 percent of the apps examined provided a clear explanation of how they would collect, use and disclose personal information. The most privacy-friendly apps offered brief, easy-to-understand explanations of what the app would - and would not - collect and use.
Some of the highly popular apps in the e-marketplace were among those that received top ratings, demonstrating that when properly explained to consumers, the collection of information does not negatively impact on downloads.
This year’s sweep involved more privacy enforcement authorities from around the world, with 26 participating authorities, up from 19 international participants during the 2013 event.
The annual GPEN sweep is aimed at encouraging organisations to comply with privacy legislation and to enhance co-operation between privacy enforcement authorities. Concerns identified will result in follow-up work such as outreach to organisations, deeper analysis of app privacy provisions and enforcement action.
Notes for editors
The Privacy Commissioner has a resource for app developers to help them understand their legal obligations under the Privacy Act when collecting personal information through mobile apps. The Need to Know or Nice to Have guidance is available on our homepage at www.privacy.org.nz.
About the Global Privacy Enforcement Network (GPEN)
GPEN was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity rely on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. The informal network is comprised of 51 privacy authorities in 39 jurisdictions around the world.