{Our mobile phones can reveal a lot about ourselves: where we live and work; who our family, friends and acquaintances are; how (and even what) we communicate with them; and our personal habits. With all the information stored on them, it isn\u2019t surprising that mobile device users take steps to protect their privacy, like using PINs or passcodes to unlock their phones.}<\/p>\n
The research that we and our colleagues are doing identifies and explores a significant threat that most people miss: More than 70 percent of smartphone apps are reporting personal data to third-party tracking companies like Google Analytics, the Facebook Graph API or Crashlytics.<\/p>\n
When people install a new Android or iOS app, it asks the user\u2019s permission before accessing personal information. Generally speaking, this is positive. And some of the information these apps are collecting are necessary for them to work properly: A map app wouldn\u2019t be nearly as useful if it couldn\u2019t use GPS data to get a location.<\/p>\n
But once an app has permission to collect that information, it can share your data with anyone the app\u2019s developer wants to \u2013 letting third-party companies track where you are, how fast you\u2019re moving and what you\u2019re doing.<\/p>\n
{{The help, and hazard, of code libraries}}<\/p>\n
An app doesn\u2019t just collect data to use on the phone itself. Mapping apps, for example, send your location to a server run by the app\u2019s developer to calculate directions from where you are to a desired destination.<\/p>\n
The app can send data elsewhere, too. As with websites, many mobile apps are written by combining various functions, precoded by other developers and companies, in what are called third-party libraries. These libraries help developers track user engagement, connect with social media and earn money by displaying ads and other features, without having to write them from scratch.<\/p>\n
However, in addition to their valuable help, most libraries also collect sensitive data and send it to their online servers \u2013 or to another company altogether. Successful library authors may be able to develop detailed digital profiles of users. For example, a person might give one app permission to know their location, and another app access to their contacts. These are initially separate permissions, one to each app. But if both apps used the same third-party library and shared different pieces of information, the library\u2019s developer could link the pieces together.<\/p>\n
Users would never know, because apps aren\u2019t required to tell users what software libraries they use. And only very few apps make public their policies on user privacy; if they do, it\u2019s usually in long legal documents a regular person won\u2019t read, much less understand. <\/p>\n
{{Developing Lumen}}<\/p>\n
Our research seeks to reveal how much data are potentially being collected without users\u2019 knowledge, and to give users more control over their data. To get a picture of what data are being collected and transmitted from people\u2019s smartphones, we developed a free Android app of our own, called the Lumen Privacy Monitor. It analyzes the traffic apps send out, to report which applications and online services actively harvest personal data.<\/p>\n
Because Lumen is about transparency, a phone user can see the information installed apps collect in real time and with whom they share these data. We try to show the details of apps\u2019 hidden behavior in an easy-to-understand way. It\u2019s about research, too, so we ask users if they\u2019ll allow us to collect some data about what Lumen observes their apps are doing \u2013 but that doesn\u2019t include any personal or privacy-sensitive data. This unique access to data allows us to study how mobile apps collect users\u2019 personal data and with whom they share data at an unprecedented scale.<\/p>\n
In particular, Lumen keeps track of which apps are running on users\u2019 devices, whether they are sending privacy-sensitive data out of the phone, what internet sites they send data to, the network protocol they use and what types of personal information each app sends to each site. Lumen analyzes apps traffic locally on the device, and anonymizes these data before sending them to us for study: If Google Maps registers a user\u2019s GPS location and sends that specific address to maps.google.com, Lumen tells us, \u201cGoogle Maps got a GPS location and sent it to maps.google.com\u201d \u2013 not where that person actually is.<\/p>\n
{{Trackers are everywhere}}<\/p>\n
More than 1,600 people who have used Lumen since October 2015 allowed us to analyze more than 5,000 apps. We discovered 598 internet sites likely to be tracking users for advertising purposes, including social media services like Facebook, large internet companies like Google and Yahoo, and online marketing companies under the umbrella of internet service providers like Verizon Wireless.<\/p>\n
We found that more than 70 percent of the apps we studied connected to at least one tracker, and 15 percent of them connected to five or more trackers. One in every four trackers harvested at least one unique device identifier, such as the phone number or its device-specific unique 15-digit IMEI number. Unique identifiers are crucial for online tracking services because they can connect different types of personal data provided by different apps to a single person or device. Most users, even privacy-savvy ones, are unaware of those hidden practices.<\/p>\n
{{More than just a mobile problem}}<\/p>\n
Tracking users on their mobile devices is just part of a larger problem. More than half of the app-trackers we identified also track users through websites. Thanks to this technique, called \u201ccross-device\u201d tracking, these services can build a much more complete profile of your online persona.<\/p>\n
And individual tracking sites are not necessarily independent of others. Some of them are owned by the same corporate entity \u2013 and others could be swallowed up in future mergers. For example, Alphabet, Google\u2019s parent company, owns several of the tracking domains that we studied, including Google Analytics, DoubleClick or AdMob, and through them collects data from more than 48 percent of the apps we studied.<\/p>\n
Users\u2019 online identities are not protected by their home country\u2019s laws. We found data being shipped across national borders, often ending up in countries with questionable privacy laws. More than 60 percent of connections to tracking sites are made to servers in the U.S., U.K., France, Singapore, China and South Korea \u2013 six countries that have deployed mass surveillance technologies. Government agencies in those places could potentially have access to these data, even if the users are in countries with stronger privacy laws such as Germany, Switzerland or Spain.<\/p>\n
Even more disturbingly, we have observed trackers in apps targeted to children. By testing 111 kids\u2019 apps in our lab, we observed that 11 of them leaked a unique identifier, the MAC address, of the Wi-Fi router it was connected to. This is a problem, because it is easy to search online for physical locations associated with particular MAC addresses. Collecting private information about children, including their location, accounts and other unique identifiers, potentially violates the Federal Trade Commission\u2019s rules protecting children\u2019s privacy.<\/p>\n
{{Just a small look}}<\/p>\n
Although our data include many of the most popular Android apps, it is a small sample of users and apps, and therefore likely a small set of all possible trackers. Our findings may be merely scratching the surface of what is likely to be a much larger problem that spans across regulatory jurisdictions, devices and platforms.<\/p>\n
It\u2019s hard to know what users might do about this. Blocking sensitive information from leaving the phone may impair app performance or user experience: An app may refuse to function if it cannot load ads. Actually, blocking ads hurts app developers by denying them a source of revenue to support their work on apps, which are usually free to users.<\/p>\n
If people were more willing to pay developers for apps, that may help, though it\u2019s not a complete solution. We found that while paid apps tend to contact fewer tracking sites, they still do track users and connect with third-party tracking services.<\/p>\n
Transparency, education and strong regulatory frameworks are the key. Users need to know what information about them is being collected, by whom, and what it\u2019s being used for. Only then can we as a society decide what privacy protections are appropriate, and put them in place. Our findings, and those of many other researchers, can help turn the tables and track the trackers themselves.<\/p>\n
Source:Science Daily <\/p>\n","protected":false},"excerpt":{"rendered":"
{Our mobile phones can reveal a lot about ourselves: where we live and work; who our family, friends and acquaintances are; how (and even what) we communicate with them; and our personal habits. With all the information stored on them, it isn\u2019t surprising that mobile device users take steps to protect their privacy, like using […]<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[75],"byline":[2491],"hashtag":[],"class_list":["post-35090","post","type-post","status-publish","format-standard","hentry","category-science-technology","tag-homenews","byline-science-daily"],"bylines":[{"id":2491,"name":"SCIENCE DAILY","slug":"science-daily","description":"","image":{"id":0,"url":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=mm&f=y&r=g","alt":"Default avatar","title":"Default avatar","caption":"","mime_type":"image\/jpeg","sizes":[]},"user_id":null}],"contributors":[{"id":2491,"name":"SCIENCE DAILY","slug":"science-daily","description":"","image":{"id":0,"url":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=mm&f=y&r=g","alt":"Default avatar","title":"Default avatar","caption":"","mime_type":"image\/jpeg","sizes":[]},"user_id":null}],"featured_image":null,"_links":{"self":[{"href":"https:\/\/new.igihe.com\/english\/wp-json\/wp\/v2\/posts\/35090","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/new.igihe.com\/english\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/new.igihe.com\/english\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/new.igihe.com\/english\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/new.igihe.com\/english\/wp-json\/wp\/v2\/comments?post=35090"}],"version-history":[{"count":0,"href":"https:\/\/new.igihe.com\/english\/wp-json\/wp\/v2\/posts\/35090\/revisions"}],"wp:attachment":[{"href":"https:\/\/new.igihe.com\/english\/wp-json\/wp\/v2\/media?parent=35090"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/new.igihe.com\/english\/wp-json\/wp\/v2\/categories?post=35090"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/new.igihe.com\/english\/wp-json\/wp\/v2\/tags?post=35090"},{"taxonomy":"byline","embeddable":true,"href":"https:\/\/new.igihe.com\/english\/wp-json\/wp\/v2\/byline?post=35090"},{"taxonomy":"hashtag","embeddable":true,"href":"https:\/\/new.igihe.com\/english\/wp-json\/wp\/v2\/hashtag?post=35090"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}