CMU data analysis: games worst for phone privacy
A flashlight phone application was forced to shut down in 2013 thanks to a Carnegie Mellon University team that tracks what apps actually do versus user expectation in terms of privacy. Now after trawling through nearly 1 million Android phone applications, the CMU research team is sharing its findings and allowing users to conduct their own research with the website privacygrade.org.
Brightest Flashlight was a popular app-with 50 million downloads-before the team at CMU, headed by Jason Hong, helped the Federal Trade Commission find out the application was logging and sharing personal data with advertisers. The sole developer was let off with no fine, and instead had to prove he trashed the personal data.
“This project isn’t necessarily to go after developers of applications, but to help them as well. Most of the time a developer isn’t evil. A lot of them now borrow code, or open-source plugins to help speed along their development. They’re like Lego bricks everyone uses to make things more efficient,” Hong said.
One problem then, Hong said, is that some developers are sometimes unaware they may be importing a plug-in that automatically collects private user data, or tracks the application user’s location.
“So long as a person knows what the privacy expectations are, they’ll use it. Applications like Instagram and Facebook get A grades despite what people may think is invasive. In short, people know what they’re getting with those. They’re sharing information and often know they’re tagged with location data as well as submitting their own information,” Hong said.
The problem comes when users don’t expect such invasions of privacy. And that’s the metric the privacy grade website uses: what a person believes the application will do in terms of information sharing versus what it actually does. Some of the biggest offenders with the widest expectation-to-reality gaps are games often played by children, like Fruit Ninja, Despicable Me and Drag Racing.
“If a person finds out they’ve been duped in terms of what info they’re sharing, they will often delete the app. This is bad for developers … and it’s bad for consumers and users of technology. It’s a transparency issue. We want to help innovation without compromising security and privacy. Take Facebook’s Newsfeed for example. A lot of people hated it, and lobbied for Facebook to remove it. But I think if Newsfeeds were taken away now, a lot of people would miss it.”
Hong said the CMU team of researchers has only trawled through Android library databases because it’s a more open system. There are some applications in the Google Play store (Android) that are also available in the iTunes store (iPhone), but users will have to cross-reference them on their own. The research, going on since 2010, is funded in part by Google and the National Science Foundation.