fb-pixelHow to keep data leaks from getting out of hand - The Boston Globe Skip to main content

How to keep data leaks from getting out of hand

The vapor trail we unwittingly give off includes not just our location and personal identity, but those of friends, family, and colleagues. Justin Sullivan/Getty Images

The geeks call it “data exhaust,” the cloud of revealing data bits that spew from nearly every digital device on earth, especially our smartphones.

Few of us understand what — and how much — information on ourselves is being collected and then relayed by all the dozens of apps on our phones, ready to be exploited by unscrupulous companies. Last June, for instance, the Federal Trade Commission fined Singapore-based app advertising company InMobi $950,000 for putting location trackers in video games meant for children.

We’re going to need help protecting our privacy from all these apps — a sort of pollution control system for smartphones that limits leaks of personal data. Privacy-conscious app makers have been working the problem for years, but even the best are still far short of ideal. Now a glimmer of hope dawns in Pittsburgh, where computer scientists are working on software that could automatically identify and block apps from knowing too much about us.

Nearly every app seeks to control certain features on the phone — the camera, or GPS, for example — and also request access to some information, such as your contacts or address book. Apple smartphones and newer Android devices often let users pick and choose these permissions in detail.


For instance, you might let a navigation app track your location all the time, but tell a banking app to track you only when you’re looking for an ATM, and a mobile game not to track your whereabouts at all.

Now repeat that process for 30 or 40 apps. And that’s just for location tracking. Each app may request six or seven such permissions. Most of us give up and say yes to everything.

The vapor trail we unwittingly give off includes not just our location and personal identity, but those of friends, family, and colleagues.


Many apps give the personal information they collect about you to other companies without explicitly asking your permission. David Choffnes, a computer scientist at Northeastern University, uses a program called ReCon to look for leaky apps. He’s found dozens, including a few that transmit the names, locations, and even passwords of smartphone users without their permission.

It’s often surprising to see just what you’ve unwittingly agreed to. I recently found that my Android banking app has access to the hundreds of listings in my phone’s address book, and my Bible app knows my location when I dip into the Psalms. Now I’m trolling through dozens of apps, looking for further erosion of my privacy.

An excellent app called MyPermissions Privacy Cleaner simplifies the process by gathering all permission data in one place. The free app warns you which apps are collecting more than they ought to be. For $10 a year, you’ll get a version that takes you directly to each app’s control page where you can shut off the offending data leak.

But we’ve still got to go through the apps one at a time. There should be a way to automate the process, but it won’t be easy, because our preferences can vary so much.

For instance, I won’t let the Spotify music app contact people in my address book. Other Spotify fans, however, love to share their musical discoveries with friends. “That’s the needle we’re trying to thread,” said Choffnes, “and it’s not easy, because it’s a different needle for every person.”


Norman Sadeh and his team at Pittsburgh’s Carnegie Mellon University are trying to thread that needle, by building artificial intelligence into a new app, called Privacy Assistant. The program asks users a few simple questions to gauge their privacy concerns: do you want banking apps to know your location? Based on your answers, Privacy Assistant analyzes every app, and suggests what information they should and should not get. If the user agrees, Privacy Assistant instantly applies the tighter privacy settings to every app on the phone.

It sounds like paradise, but not yet. At present, Privacy Assistant only works on Android phones that have been “rooted,” a modification that gives the user total control of the operating system. It’s difficult for the average user to pull off, and doing it will void the warranties of most phones. Ironically, rooting a phone makes it less secure against malware. Still, it’s a popular practice outside the United States; Sadeh estimates that 25 percent of the world’s Android phones are rooted.

But there’s hope for privacy-loving Americans. Sadeh’s research is being financed in part by smartphone titan Samsung Corp., and by Google, the creator of Android. He’s hoping one or both companies will incorporate the technology into future phones, a catalytic converter for data exhaust that would help smartphone users breathe easier.

Hiawatha Bray can be reached at hiawatha.bray@globe.com. Follow him on Twitter @GlobeTechLab.