The British Computer Society (BCS) yesterday republished some survey results from January earlier this year. In a review of 400,000 Google Android apps, a huge proportion were found to access information on a user's device that made no sense for the app in question. As well as being concerning in and of itself, this trend also raises EU privacy compliance issues in light of the Dutch stance on WhatsApp. We look at the implications.
What did the survey find?
The survey was carried out by a company called Bit9, who specialise in "trust-led" information security solutions.
According to BCS, the survey found that:
- The majority of Android apps surveyed (72%) used at least one aspect of the Android platform that gives access to private data or gives control over the phone's functionality.
- Over 100,000 of the Android apps surveyed (over 25%) accessed private information or performed tasks that were questionable, given the nature of the app.
These results are obviously interesting to the information security community, especially in a BYOD context, where the apps could be inappropriately exposing business data.
They also have obvious implications for consumers.
As Bit9 state, in-app advertisers can inherit the same permissions that an app has, so data can become exposed to a further third party as well, one of which the user, be it a consumer or an employee, has even less knowledge than of the app provider itself.
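The kind of check the survey describes can be reproduced on a single app from its manifest. The Python script below is an added illustration, not code from BCS or Bit9: it reads the permissions an app declares in its AndroidManifest.xml and flags the sensitive ones that the app's stated purpose does not explain. The sample manifest, the app kinds and the purpose-to-permission mapping are constructed for this example and are assumptions, not a published standard. Because every library bundled into the APK, an advertising SDK included, runs in the same process under the same declared permissions, whatever this audit flags is also available to those libraries.

```python
"""Audit an Android app's declared permissions against its stated purpose.

Added example, not from the BCS article or Bit9's survey. The manifest,
the app kinds and the EXPECTED mapping below are constructed for
illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: which permissions a given kind of app plausibly needs.
# A torch app is assumed to drive the flash through the camera API.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA"},
    "messaging": {"android.permission.INTERNET",
                  "android.permission.READ_CONTACTS"},
}

# Permissions that expose private data or control the phone
# (a hand-picked subset of Android's dangerous-level permissions).
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.CAMERA",
    "android.permission.CALL_PHONE",
}

# Constructed manifest for a "torch" app that also requests contacts,
# location and network access, with a third-party ad SDK configured.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Torch">
    <!-- hypothetical ad SDK: runs in-process, inherits all permissions above -->
    <meta-data android:name="com.example.adsdk.APP_ID" android:value="placeholder"/>
  </application>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name")
            for el in root.iter("uses-permission")}


def audit(manifest_xml, app_kind):
    """Compare declared permissions with those the app kind is expected to need.

    Returns the full declared set, the permissions the stated purpose does not
    explain, the subset of those that are sensitive, and a verdict flag that
    mirrors the survey's "questionable given the nature of the app" category.
    """
    perms = declared_permissions(manifest_xml)
    unexplained = sorted(perms - EXPECTED[app_kind])
    sensitive_unexplained = sorted(p for p in unexplained if p in SENSITIVE)
    return {
        "declared": sorted(perms),
        "unexplained": unexplained,
        "sensitive_unexplained": sensitive_unexplained,
        "questionable": bool(sensitive_unexplained),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "flashlight")
    print("declared:", report["declared"])
    print("unexplained:", report["unexplained"])
    print("sensitive and unexplained:", report["sensitive_unexplained"])
    print("questionable:", report["questionable"])
```

For the constructed torch manifest the audit reports READ_CONTACTS and ACCESS_FINE_LOCATION as sensitive permissions the app's purpose does not justify; INTERNET is also unexplained but is a normal-level permission, which is exactly the combination that lets a bundled ad library forward the data off the device.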
What does this mean for privacy compliance?
The Dutch WhatsApp investigation and subsequent EU guidance on mobile device apps conveyed a very clear message: access to data held on any mobile device, be it a tablet or smartphone, must be with consent of the user.
Consent cannot be "implied" either; it should be explicit, and make use of the functionality that some OS platforms build in (a trend which has also been backed by the US Federal Trade Commission's (FTC) own guidance for mobile apps).
Linking this legal guidance back to Bit9's survey, it looks like over a quarter of Google Android apps currently breach EU privacy laws, and flout FTC guidance.
Whilst this position does not mean there will be a flood of compliance investigations from EU privacy regulators or the typically tougher FTC, it is not an encouraging picture. It means that a lot of app developers are carrying a large contingent risk in their businesses (or handing this risk off to the clients for whom they build apps), and it does challenge the trust that businesses and consumers place in their information technology, in an increasingly privacy-conscious world.
It is also a trend that looks set to continue. Google's next major developer conference kicks off tomorrow in the US, at which its Google Glass project (for those not in the know, Google has developed smart spectacles) is expected to be unveiled to the developer community. Privacy is already being raised as an issue, and as one commentator has already observed, "The mindset of most engineers and developers is not to focus on those privacy questions."
RIP the EU's much discussed, and little followed, concept of "privacy by design"?