Topic: Security / Privacy “Your Apps Are Watching You” Source: The Wall Street Journal Online Presented By: Corey Campbell Article Overview Among our devices, smartphones know us best. Time for an investigation. The Wall Street Journal conducts an investigation: App analysis – iPhone & Android Consumer protection Ad networks Introducing…Your Data Key categories being looked at: CATEGORY PROCESS User name, password Create an account : interact with Facebook Contacts Access to address book : permission Age, gender Captured by a form Location GPS : triangulate with Wi-Fi or cell signals Phone ID Phone’s SSN : hard to delete Phone number Passed to app maker or Facebook Introducing…Your Data The ones that are watching your data: WHO MORE INFO App owner Ones that create or operate the app: Once data is obtained, few restrictions governing the use of it Third parties Marketers and companies that monitor app usage: Create detailed profiles of users What The Investigation Dealt With Examined 101 popular smartphone apps for iPhone & Android Results included: 56 apps transmitted phone’s unique device ID to other companies without user awareness or consent 47 apps gave away the phone’s location 5 apps sent age, gender, and other personal details outside of the app Intrusive behavior of online-tracking companies to append data to your profile How Did The iPhone Do? iPhone sent off more data than Android phones (within 101 app test) An app that shard the most data: TextPlus 4 – iPhone text messaging app sent iPhone’s UDID to 8 ad companies phone’s zip code, user’s age & gender to 2 ad companies Apple & Android Apps Pandora – popular music app sent age, gender, location, and phone identifiers to different ad networks Paper Toss – game of tossing paper into trash can sent phone’s ID number to at least 5 ad companies Some Comments Michael Becker of Mobile Marketing Association – “In the world of mobile, there is no anonymity” Device is always on and with us Apple supports a review of app before being offered publicly Apple & Android protect users from revealing data through permissions Tom Neumayr – Apple spokesman “We have created strong privacy protections for our customers, especially regarding location-based data. Privacy and trust are vitally important. Getting Around The Rules Pumpkin Maker – pumpkin-carving game gave away phone’s location to an ad network without asking permission Apple declined to talk about this violation What Are The App Makers Saying? TextPlus 4 & Pandora: Data passed is not linked to an individual Personal details (such as age, gender) are volunteered by users Pumpkin Maker: Unaware of Apple’s guidelines to seek user approval before sending data Paper Toss: Did not want to comment Consumer Protection Privacy Policies: 45 of the 101 apps did not provide a privacy policy Apple & Google don’t require them WSJ Designs A System System intercepts and records data Decodes data stream Covered 50 iPhone apps & 50 Android apps The Jury Is In The most widely shared item was the phone’s identifier, or UDID for the iPhone. ID is set by phone makers, carriers, or OS makers Difficult to delete or hide Why, Oh Why? Meghan O’Holleran – Traffic Marketplace Track everything by phone ID Apps downloaded Usage frequency Time spent on app Areas used in app Data is combined, not linked to an individual No Standards In Mobile Apple sees UDID as “personally identifiable information” Can be combined with info from App Store and iTunes In contrast, Google and most app makers don’t consider device IDs to be identifying information. Ad Networks An expanding industry Mobclix – an ad exchange Matches more than 25 ad networks with approximately 15,000 apps needing advertising Takes phone IDs, encodes them, and assigns them to interest categories based on users’ usage factors. Does a “best guess” of where person lives to mix location data from Nielsen Co. Powerful system, but categories are still broad enough not to identify people. An Example: Mobclix Inner-workings Within a quarter-second, Mobclix can place a user in one of 150 segments it offers to advertisers Segment types: “green enthusiasts”, “soccer moms” “die hard gamers” segment: 15 – 25 year old males more than 20 apps on phone use an app for more than 20 minutes at a time The Ad Networks Have My Info Claim data is anonymous and brings more relevant advertising Google received most data overall in the tests by WSJ, but says it does not mix data from its ad units: AdMob, AdSense, Analytics, and DoubleClick AdMob gives advertisers access to phone users by locations, device type, and demographics (gender, age group) Apple has its iAd network – only for iPhone Apple uses App Store and iTunes info to target ads.