While the technology versus privacy battle rages on, many consumers and businesses are still unaware of how much data can be gleaned from a mobile phone.
Despite the NSA and Edward Snowden being in the news every other day, most people don't realize how much data their most personal device is hemorrhaging at all times. But that doesn't mean you have to shut off your mobile, throw it in the nearest body of water and live a life off the grid.
There are many ways for consumers and businesses alike to protect themselves -- after all, in order for your phone to work it simply must know where you are, in order to receive and deliver texts the operator must know the content, and for an app to be quick and convenient sometimes it needs to access your phone's contact database.
Where does this data come from?
Mobile phones communicate through many different interfaces -- all of which can share data -- including Wi-Fi, GPS, Bluetooth and GSM/CDMA. On top of this, smartphones run a plethora of applications that can access information including but not limited to your location, contacts, calendar, notes, microphone, photos and reminders.
So giving an app access to your phone can reveal a lot more than you might think. Once the app is installed, the phone allows bi-directional communication with the app servers, which means -- if you've given permission -- both the developer and the vendor can access your data whenever they like.
Things like location are interesting because they genuinely provide useful information that certain apps rely on to provide their service -- directions to the nearest Starbucks for example wouldn't work without this. But does a flashlight app really need to know where you are to work properly?
The contacts database is another interesting place where technology capabilities and privacy issues clash. Typically users are just asked if they would like to 'allow' access to the contacts -- permissions are rarely more granular than this. But consider the information you have in your contacts -- names, home and email addresses, phone numbers. This may seem harmless on its own but it can infer everything from your employer and your bank to your doctor and your partner's identity.
Access to your photos might seem innocuous too, but not when you consider the Exif (exchangeable image file format) data that comes with them. This can include the name of the phone, the date and time the image was taken, the type of camera, the GPS location, the altitude, and even the direction the camera was facing. There's a lot of privacy information that's stripped out by service providers, but unless you read the privacy policy you don't know how much Exif data is included in the photos you're posting.
Apple and Android use a different approach
Different platforms give you different privacy options, especially where apps are concerned. Apple can be restrictive over exactly which apps they allow into the App Store, whereas Android is comparatively open, but offers the user more options.
Once an app is installed, iOS lets it see a surprisingly large amount of the data stored on your phone, including your location, contacts, calendar, reminders and photos, as well as granting access to your microphone and Bluetooth connection.
The way Apple protects its customers is by having an explicit permission window that pops up whenever an app tries to access personal data.
Android's model is different in that it allows access to just about everything on your phone, but gives you a very detailed list of data the app will have access to and asks if you're happy with this. This happens when you first install the app and also with apps already installed, just to remind you what you've permitted.
What you can do
The EU is leading the way with new privacy laws -- its Information Commissioner's Office recently insisted that developers comply with the Data Protection Act and properly inform users about what will happen to their personal data if they install an app.
As a consumer, the safest thing to do is to read and understand each app or service provider's privacy policy. That could get pretty time-consuming if you're downloading hundreds of apps though, so start by asking how much access the app needs to sensitive data. If it's a well-established vendor with a clear and understandable privacy policy asking to access your contacts, it's probably worth considering if it will help you better connect with colleagues and friends. But if it's that pesky flashlight app again, think twice.
If you're an app-based service provider, you must be absolutely clear on exactly what information you're collecting and what it will be used for. There are a few basic things that you can do, including:
- Having a privacy policy. Work with a privacy lawyer to create a policy that is clear and easily accessible for users.
- Know what data you're really collecting. Sit down with your developer and have them show you what data is being collected and why, as you're ultimately accountable for this.
- If you're a US company with any sort of presence in the EU, get safe harbor certified.
As technology continues to evolve and consumers become more and more security conscious, changes in privacy policies will see users given more granular control over how their data is accessed and what is done with it. Businesses will need to convince customers to share their data by being transparent and using it to power better, more personal services.
Charles McColgan is CTO of TeleSign
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.