Android, iOS apps skirt privacy policy to share user data with advertisers
Modern smartphone apps are resurrecting the spyware trend that plagued the web ten years ago, but today's users are often unable to do anything to block their demographic data from being used to enhance the advertisements they see.
A report by the Wall Street Journal, part of a series examining privacy issues in computing and in particular the web, examined 101 popular smartphone apps for both iOS and Android devices to find what data they were sharing with advertisers.
The study found that more than half (56) sent the devices' unique serial number to advertisers for tracking purposes, while 47 made some use of users' location data. Five of the apps sent users' "age, gender or other personal details" to outside sources.
In some cases, this data is purposely entered by the user for reasons related to the apps' functionality, and some apps do outline that this data is also used for advertising purposes.
The Journal did not specify how it selected the apps that it tested or whether the roughly 50 apps on each platform represented a comparable selection, but it did note that "among the apps tested, the iPhone apps transmitted more data than the apps on phones using Google Inc.'s Android operating system."
The report also pointed out that not all apps were available for Android, including the company's own news app. "Because of the test's size," the report stated, "it's not known if the pattern holds among the hundreds of thousands of apps available." Apple lists over 300,000 apps for iOS devices, while Android's catalog of apps, ringtones and wallpapers is greater than 100,000 titles.
Mobile adware here to stay, hard to avoid
The findings might be news to some smartphone users, who are rarely presented with simple, straightforward information about individual apps' privacy policy. However, the use of unique device identifiers, location and demographic data to "enhance ad results" are have become core foundations of the mobile ad industry.
The report cited Michael Becker of the Mobile Marketing Association as saying, "in the world of mobile, there is no anonymity," and noting that the mobile phone is "always with us. It's always on."
Unlike desktop computers, mobile devices such as smartphones don't generally allow users to delete individual cookies created by advertisers or install firewall security software that can block apps' requests to forward the users' personal data to outside companies.
The significant revenues tied to advertising are also pushing some vendors to relax individuals' privacy protections in order to maximize profits, a situation reflecting the history of adware on desktop PCs.
A history of adware
Adware began infecting PCs in the mid 90s, particularly as the web helped connect users to networks in a way that also made them easy to reach with ads. Platform vendors readily embraced the new avenues for revenues adware presented, with Netscape inventing web browser "cookies" as a way for web site owners to track visitors, while Microsoft's Windows 98 turned the PC desktop into an overt billboard for advertisers.
On page 2 of 3: Ads pop the web
Ads pop the web
In 2001, Apple jumped on the ad-supported software bandwagon by including web-like banner ads within Sherlock, its specialized search engine app for the web. That experiment didn't last long, and the company has since shunned ad banners within its desktop software.
Update: A reader notes: "Sherlock was a parallel searching technology, back in the days before Google you had to search more than one engine to get what you were looking for. With Sherlock you got all your results in one place without even opening your web browser.
"This of course would reduce the number of page views a search engine would get so Apple implemented that if you clicked on a result from a certain search engine, you would be delivered a banner ad from that search engine. If they hadn't most search engines would of blocked Apple from using their sites as they would get no advertising revenue and be unable to survive.
"Apple had their own search channel for searching the Apple.com website and Apple made up their own ads for it, but if you used Sherlock to search your hard drive (Sherlock was the find application for Mac OS 8.5 thru to Mac OS 9.2.2) there was no banner advertising or even a empty box, no ads were displayed on local search results."
Microsoft began bundling Alexa website tracking software on all new Windows PCs and in 2005 opened talks to acquire Claria, the vendor behind Gator, the web's most notorious adware trojan horse. While negotiating the acquisition, Microsoft silently removed Claria's products from the blacklist of malware that Windows AntiSpyware had previously recommended for quarantine.
However, a backlash against adware and spyware tactics began to gain momentum after a series of media reports brought public attention to web cookies and their ability to allow advertising companies to remotely track their activities on the web. Microsoft subsequently broke off talks with Claria as a new kind of subtle, contextual advertising, popularized by Google, fell into fashion as the public largely rejected the idea of being tracked by advertisers.
The controversial subject of user privacy continues to receive attention, with the White House issuing a memoranda this summer that "calls for transparent privacy policies, individual notice, and a careful analysis of the privacy implications whenever Federal agencies choose to use third-party technologies to engage with the public."
However, particularly since Google's acquisition of web cookie-centric ad vendor DoubleClick in 2008, online and mobile advertising has trended back towards user tracking rather than the kind of contextual relevancy Google pursued through most of the previous decade. Advertisers want to reach specific audiences, and the only way to do that effectively involves being able to track users by their demographic identity and by following their activities and location.
On page 3 of 3: iOS 4 attacked for limiting adware creep, Google fights for mobile adware
iOS 4 attacked for limiting adware creep
Recognizing the potential for mobile devices running third party software to exploit users' privacy, Apple has adopted an increasingly strict privacy policy for iOS, which forbids software makers from collecting private information, including location data, and using this for any purpose other than crafting anonymously relevant advertising. Additionally, Apple insists that app makers clearly disclose the information they collect; the company threatens to remove apps that fail to follow its policies.
As a mobile advertiser, Apple also has a privacy policy that it applies to its own platform. It enables users to opt-out of ads that use location data to refine their relevancy. In addition to opting out of iAd location-based ads, Apple also enables iOS users to turn off Location Services universally, or to switch off the ability of individual apps to request location data. Apps must also ask the user for permission to look up their location.
These efforts to protect users, which have not been duplicated by other mobile platforms, were targeted earlier this year in a report by David Sarno of the LA Times, which caused panic after it suggested Apple was tracking iPhone users' "precise" locations in some radical new way that other devices weren't, and incorrectly assumed that users were powerless to do anything about it.
In iOS 4, Apple enabled iAd and other independent ad networks to collect private information, but the company limits this data collection exclusively for use in improving ad relevance. Apple's SDK rules specifically forbid developers from including code in their apps that would forward private user information to third parties for any other reason, something the company's chief executive Steve Jobs characterized as granting users "freedom from programs that steal your private data."
Sarno's report resulted in a US Congressional inquiry into Apple's privacy policy, to which the company responded, "Apple does not share any interest-based or location-based information about individual customers, including the zip code calculated by the iAd server, with advertisers. Apple retains a record of each ad sent to a particular device in a separate iAd database, accessible only by Apple, to ensure that customers do not receive overly repetitive and/or duplicative ads for administrative purposes."
Google fights for mobile adware
Critics of Apple's privacy policy have claimed the company is trying to kill rival ad networks on the iOS platform by preventing other ad networks from harvesting users' private data, such as their GPS location, as they display ads within apps. Google's chief executive Eric Schmidt said Apple's ad restrictions were "discriminatory against other partners," including Google's own AdMob, which competes against Apple's iAd for mobile revenue.
Android does not appear to have any restrictions on the private user data that apps can forward to third parties. Google also does not have an app approval process like Apple's App Store. This has led to malware attacks from apps listed in the Android Market, which have destroyed users' data, installed adware and sent spam to contacts email accounts.
The lack of platform-wide privacy policy enforcement on Google's Android has also resulted in developers collecting inappropriate data, including users' phone numbers and potentially voicemail passwords, without users' knowledge or consent.
Known occurrences of the misuse of private data within Android apps are based on independent testing of individual apps, and is not exhaustive. Apps may reach widespread circulation for months before their actual activities are discovered, as there is no curation of Android Market provided by Google and there is nothing preventing the distribution of malware outside the official Android software store.
Google's Android platform is also more susceptible to pressure from adware proponents because a much greater percentage of Android software is ad-supported rather than purchased outright by the end user.
The developer behind "Angry Birds" noted that ad-supported software is "the Google way," and recent market data by Distimo indicates that Android's app catalog has roughly twice the number of free apps as other popular platforms, thanks to Google's policies promoting ad-supported software.
A report by the Wall Street Journal, part of a series examining privacy issues in computing and in particular the web, examined 101 popular smartphone apps for both iOS and Android devices to find what data they were sharing with advertisers.
The study found that more than half (56) sent the devices' unique serial number to advertisers for tracking purposes, while 47 made some use of users' location data. Five of the apps sent users' "age, gender or other personal details" to outside sources.
In some cases, this data is purposely entered by the user for reasons related to the apps' functionality, and some apps do outline that this data is also used for advertising purposes.
The Journal did not specify how it selected the apps that it tested or whether the roughly 50 apps on each platform represented a comparable selection, but it did note that "among the apps tested, the iPhone apps transmitted more data than the apps on phones using Google Inc.'s Android operating system."
The report also pointed out that not all apps were available for Android, including the company's own news app. "Because of the test's size," the report stated, "it's not known if the pattern holds among the hundreds of thousands of apps available." Apple lists over 300,000 apps for iOS devices, while Android's catalog of apps, ringtones and wallpapers is greater than 100,000 titles.
Mobile adware here to stay, hard to avoid
The findings might be news to some smartphone users, who are rarely presented with simple, straightforward information about individual apps' privacy policy. However, the use of unique device identifiers, location and demographic data to "enhance ad results" are have become core foundations of the mobile ad industry.
The report cited Michael Becker of the Mobile Marketing Association as saying, "in the world of mobile, there is no anonymity," and noting that the mobile phone is "always with us. It's always on."
Unlike desktop computers, mobile devices such as smartphones don't generally allow users to delete individual cookies created by advertisers or install firewall security software that can block apps' requests to forward the users' personal data to outside companies.
The significant revenues tied to advertising are also pushing some vendors to relax individuals' privacy protections in order to maximize profits, a situation reflecting the history of adware on desktop PCs.
A history of adware
Adware began infecting PCs in the mid 90s, particularly as the web helped connect users to networks in a way that also made them easy to reach with ads. Platform vendors readily embraced the new avenues for revenues adware presented, with Netscape inventing web browser "cookies" as a way for web site owners to track visitors, while Microsoft's Windows 98 turned the PC desktop into an overt billboard for advertisers.
On page 2 of 3: Ads pop the web
Ads pop the web
In 2001, Apple jumped on the ad-supported software bandwagon by including web-like banner ads within Sherlock, its specialized search engine app for the web. That experiment didn't last long, and the company has since shunned ad banners within its desktop software.
Update: A reader notes: "Sherlock was a parallel searching technology, back in the days before Google you had to search more than one engine to get what you were looking for. With Sherlock you got all your results in one place without even opening your web browser.
"This of course would reduce the number of page views a search engine would get so Apple implemented that if you clicked on a result from a certain search engine, you would be delivered a banner ad from that search engine. If they hadn't most search engines would of blocked Apple from using their sites as they would get no advertising revenue and be unable to survive.
"Apple had their own search channel for searching the Apple.com website and Apple made up their own ads for it, but if you used Sherlock to search your hard drive (Sherlock was the find application for Mac OS 8.5 thru to Mac OS 9.2.2) there was no banner advertising or even a empty box, no ads were displayed on local search results."
Microsoft began bundling Alexa website tracking software on all new Windows PCs and in 2005 opened talks to acquire Claria, the vendor behind Gator, the web's most notorious adware trojan horse. While negotiating the acquisition, Microsoft silently removed Claria's products from the blacklist of malware that Windows AntiSpyware had previously recommended for quarantine.
However, a backlash against adware and spyware tactics began to gain momentum after a series of media reports brought public attention to web cookies and their ability to allow advertising companies to remotely track their activities on the web. Microsoft subsequently broke off talks with Claria as a new kind of subtle, contextual advertising, popularized by Google, fell into fashion as the public largely rejected the idea of being tracked by advertisers.
The controversial subject of user privacy continues to receive attention, with the White House issuing a memoranda this summer that "calls for transparent privacy policies, individual notice, and a careful analysis of the privacy implications whenever Federal agencies choose to use third-party technologies to engage with the public."
However, particularly since Google's acquisition of web cookie-centric ad vendor DoubleClick in 2008, online and mobile advertising has trended back towards user tracking rather than the kind of contextual relevancy Google pursued through most of the previous decade. Advertisers want to reach specific audiences, and the only way to do that effectively involves being able to track users by their demographic identity and by following their activities and location.
On page 3 of 3: iOS 4 attacked for limiting adware creep, Google fights for mobile adware
iOS 4 attacked for limiting adware creep
Recognizing the potential for mobile devices running third party software to exploit users' privacy, Apple has adopted an increasingly strict privacy policy for iOS, which forbids software makers from collecting private information, including location data, and using this for any purpose other than crafting anonymously relevant advertising. Additionally, Apple insists that app makers clearly disclose the information they collect; the company threatens to remove apps that fail to follow its policies.
As a mobile advertiser, Apple also has a privacy policy that it applies to its own platform. It enables users to opt-out of ads that use location data to refine their relevancy. In addition to opting out of iAd location-based ads, Apple also enables iOS users to turn off Location Services universally, or to switch off the ability of individual apps to request location data. Apps must also ask the user for permission to look up their location.
These efforts to protect users, which have not been duplicated by other mobile platforms, were targeted earlier this year in a report by David Sarno of the LA Times, which caused panic after it suggested Apple was tracking iPhone users' "precise" locations in some radical new way that other devices weren't, and incorrectly assumed that users were powerless to do anything about it.
In iOS 4, Apple enabled iAd and other independent ad networks to collect private information, but the company limits this data collection exclusively for use in improving ad relevance. Apple's SDK rules specifically forbid developers from including code in their apps that would forward private user information to third parties for any other reason, something the company's chief executive Steve Jobs characterized as granting users "freedom from programs that steal your private data."
Sarno's report resulted in a US Congressional inquiry into Apple's privacy policy, to which the company responded, "Apple does not share any interest-based or location-based information about individual customers, including the zip code calculated by the iAd server, with advertisers. Apple retains a record of each ad sent to a particular device in a separate iAd database, accessible only by Apple, to ensure that customers do not receive overly repetitive and/or duplicative ads for administrative purposes."
Google fights for mobile adware
Critics of Apple's privacy policy have claimed the company is trying to kill rival ad networks on the iOS platform by preventing other ad networks from harvesting users' private data, such as their GPS location, as they display ads within apps. Google's chief executive Eric Schmidt said Apple's ad restrictions were "discriminatory against other partners," including Google's own AdMob, which competes against Apple's iAd for mobile revenue.
Android does not appear to have any restrictions on the private user data that apps can forward to third parties. Google also does not have an app approval process like Apple's App Store. This has led to malware attacks from apps listed in the Android Market, which have destroyed users' data, installed adware and sent spam to contacts email accounts.
The lack of platform-wide privacy policy enforcement on Google's Android has also resulted in developers collecting inappropriate data, including users' phone numbers and potentially voicemail passwords, without users' knowledge or consent.
Known occurrences of the misuse of private data within Android apps are based on independent testing of individual apps, and is not exhaustive. Apps may reach widespread circulation for months before their actual activities are discovered, as there is no curation of Android Market provided by Google and there is nothing preventing the distribution of malware outside the official Android software store.
Google's Android platform is also more susceptible to pressure from adware proponents because a much greater percentage of Android software is ad-supported rather than purchased outright by the end user.
The developer behind "Angry Birds" noted that ad-supported software is "the Google way," and recent market data by Distimo indicates that Android's app catalog has roughly twice the number of free apps as other popular platforms, thanks to Google's policies promoting ad-supported software.
Comments
You could also say on iOS there is no guarantee to know how the data is used.
There is just an obscure approval process... hope there are no flaws but nobody knows anyway.
On the other hand on Android you know exactly what kind of data the application is able to access when you install it.
So if one installs an application that wants location access but does not have any location based functionality its pretty obvious what the location access is for
It's a lot more transparent than for example windows (Thinking about worms and address books).
something the company's chief executive Steve Jobs characterized as granting users "freedom from programs that steal your private data."
Programs don't steal data; people do. And because private data are being gathered, unscrupulous people can still steal it, incompetent people can still leak it, and an ignorant, unwitting public can still give it up.
If so does visiting a website containing Flash pop up a window asking for permission to install them and giving details of what they will be used for.
Or are Adobe and the companies that use them hoping that they will fly under the radar and be unnoticed and ignored as they were on PC's before their discovery buried deep in Adobe's applications folders.
If all you have to worry about is making the best cellphone, then no worries. But if you're a huge company with many arms, then you have to make the best cellphone *subject to* it only playing the media from your media arm, and *subject to* having a UUID to keep your advertising arm happy, etc.
And then suddenly you wake up one day and your best is not *the* best, and some small, focussed company is making you look stupid.
Of course people have been able to replicate this functionality for years with 3rd party plug-ins or firewalls, but the idea of a major browser vendor offering specialized "tracking protection" directly in their application is a trend I think will be hard to ignore. Will we end up seeing "tracking protection" baked directly into the OS - both desktop and mobile?
I'm not sure what Google's reaction to this will be. I would assume their revenue model would take quite a hit.
The reason I will never have a gmail account is that I do not trust Google to not track my email, and read it looking for advertising info. This is what they wanted to do when they launched gmail. I am not sure if they ever gave this up or not.
For me the best way would be to use pay software. Everyone wants a free soft but these companies need money and ads is an important source of money.
So pay your softwares to small companies not big ones and you will have less problems
The reason I will never have a gmail account is that I do not trust Google to not track my email, and read it looking for advertising info. This is what they wanted to do when they launched gmail. I am not sure if they ever gave this up or not.
Wow, deja-vu. Don't suppose you just read the 2 posts I posted on the Chrome OS thread yesterday? About how gmail indirectly opts in your friends info as well, whether they like it or not?
This is just one aspect, the whole area of tracking and profiling is a big deal, and Apple is no saint either. I'm tempted to repost here, since that thread was mostly dead and no replies followed, but I'll just post links unless someone thinks a repost is worthwhile.
Post #1: Facebook may be evil, but Google is far more scary. (also forgot to mention google-doubleclick here)
Post #2: Would you give your friend's contact info to a business without asking permission?
Y'know, I'll repost just the main question:
If you walked into, say, Best Buy, and the guy at the checkout counter said: "Hey, I see you're buying an XBox, so we have a special for you today. If you give us the names, addresses, phone #s and emails of 3 of your best friends, we'll give you $10 off your purchase!". I think most of you would laugh in their face, right? Would you even dream of doing this? (I really am curious, if you read this, I'd love your answer or comment )
Is this the right link? I mean it works, but it isn't well formated and looks so web 1.0???
First page of the report didn't specifically state what % of ios and android apps were skirting privacy, so I assume they both were, even with Apple's checks??? Or did I miss it???
Advertisers save money, developers make more money with higher click through rates, and consumers, who have to see ads anyway, get to see ads for products they are more likely to be interested in.
Maybe someone needs to develop a real ad blocker for IOS and Android. Besides protecting your privacy it would cut down on your data usage and keep you from going over your monthly data cap.
"...the iPhone apps transmitted more data than the apps on phones using Google Inc.'s Android operating system."
This is disgraceful. I thought that the App Store was there to protect us against spyware and other malware.
Why is it considered a bad thing for advertisers to get a little bit of data to help them better target their ads?
It's theft, as your information belongs to you, not to Apple, Google, or Facebook (who also pulls these stunts). And when I say it's theft, I mean that literally. I believe they can be prosecuted for it.
Apple's location based services show one way using a customer's personal information can be done legally. They ask your permission first before using the data. That kind of protection needs to be in place for all personal data.
There's nothing immoral or illegal about companies making money off of your information or tailoring your experience based on your information so long as they have your permission to use your information.
But just grabbing your junk is illegal.
It's theft, as your information belongs to you, not to Apple, Google, or Facebook (who also pulls these stunts). And when I say it's theft, I mean that literally. I believe they can be prosecuted for it.
Apple's location based services show one way using a customer's personal information can be done legally. They ask your permission first before using the data. That kind of protection needs to be in place for all personal data.
There's nothing immoral or illegal about companies making money off of your information or tailoring your experience based on your information so long as they have your permission to use your information.
But just grabbing your junk is illegal.
And, I think there's a big opportunity for Apple here: an opportunity for them to get very serious about protecting personal information and championing privacy, and an opportunity to gain a big competitive advantage by positioning themselves on the consumer's side of an issue that's going to become very important to consumers in the very near future. As people become more and more aware of how their privacy is being violated and their every action tracked, the coming backlash against Google, et al. is going to be huge. Better to be in a position to take advantage of it than to get hit by it.
On the other hand, if I'm using an app that has advertising, I might find it beneficial that if I have to look at the ads anyway, that it use my location information to provide me with relevant ads.
If I use a credit card (offline) and the CC company can make money by determining that across the board, people who eat at Joe's Steakhouse also tend to buy Apple Products, I don't really have a problem with that. I think people get over-paranoid about this. What I do have a problem with is taking very personalized information that can be tracked back to me. It's bad enough that sites like Amazon have a pretty much permanent record of every product you ever bought. They really should have a way that you can delete all that information from your profile (and I mean really delete it, not just delete it form your view.)
This is going to go either one of two ways: either people are going to choose to ignore all these privacy issues and the companies will do whatever they want with our data or this is going to blow up and they'll be privacy legislation, which won't get it right because Congress tends to be so dumb (and so influenced) on these matters.
And I think that there should be high school courses about privacy issues in the online world, because I think most people, especially young people, are tremendously naive about these things (until they get their identity stolen).
And I think there should be new naming standards for cookies where file names are easily identifiable and where the contents of cookies are easily readable and contain source identifying information about what program and what company the cookie is associated with that is human readable.
Unbalanced as always
very. 50-100 apps is not really a fair sample, particularly for iOS which has 300k
Also, for ios, were they all iAd using apps or was it a mix. Did any of the apps kick off what the request to send data that is supposed to be there per Apple rules etc
Also of the results, how much in each group is from each OS. 56 out of 101 is not the same as 'all 50 Android apps and 6 iOS apps'. And of that group sending serial numbers, which OS etc. An iAd sending my serial back to Apple is not the same as a google ad sending it to who knows whom