fb-pixelFacebook is just the tip of the iceberg. Thousands of apps can take your data - The Boston Globe Skip to main content
Hiawatha Bray | Tech Lab

Facebook is just the tip of the iceberg. Thousands of apps can take your data

Researchers find many of the apps we use on our smartphones increasingly invasive. Chandan Khanna/AFP/Getty Images

If you think Facebook was bad for selling out your privacy, wait until you hear who else may be grabbing personal data off your smartphone.

The giant social network has come under fire for offering apps that scooped up vast amounts of sensitive data from its users. But researchers are finding that many common apps for iPhone and Android suffer from data leaks that could undermine users’ privacy.

Serge Egelman, a researcher at the International Computer Science Institute in Berkeley, Calif., built a website, AppCensus , where consumers can find privacy ratings for about 80,000 Android apps. He also built an app called Lumen that lets Android users see what all the apps on their devices are doing.


Egelman told me that app makers routinely violate Android’s privacy policies.

For instance, app developers and advertisers aren’t supposed to obtain the unique digital code that is programmed into every phone. This code could be used to track everything done on a phone for its entire lifetime. And since some apps also ask for a user’s name, those actions could be associated with a specific person. Imagine there’s a record somewhere of every time you’ve played “Angry Birds” at 3 p.m. when you were supposed to be working.

Under federal law, this kind of sensitive data is never to be downloaded from a device used by a child under age 13 without parental consent. But in a report last year, Egelman said that of the 5,000 apps specifically developed for children that he tested, more than half transmitted phone ID codes or other sensitive data that could help to identify the users without permission. This would appear to violate a federal law enacted in 2000 to protect the online privacy of children.

Meanwhile, at Northeastern University, assistant professor of computer science David Choffnes and several colleagues examined about 500 mobile apps released for Android phones, inspecting different versions of each over an eight-year period. During that time, half the apps began sharing more and more information with advertising companies. For example, Choffnes found that newer versions of the photo service Pinterest, which had once been quite privacy-friendly, started sharing with advertisers the user’s gender, location, and unique phone ID, which could be linked to the owner’s name.


Both Egelman and Choffnes tested a fraction of the apps available for smartphones. And because they couldn’t get access to the source code of Apple Inc.’s iOS software, they haven’t figured out a way to run similar tests on iPhone apps.

Moreover, they’ve merely captured a snapshot of the apps’ behavior. To truly measure the privacy threat, you’d have to see all the data an app has collected over days, months, or years.

If you have an Android phone, a feature called Google Dashboard will show all the data the company collects about you. Launch the map feature, and you’ll find that Google has traced your travel routes for every day you’ve used an Android device. My data go back to 2012. Google knows about my trips to Las Vegas, to Chicago, to Africa, and to church. All of it. And, of course, Google has tracked your searches, every video you’ve watched on YouTube, every photo you’ve shot with the Android’s phone.


Google says it will delete this data on request. Facebook offers much the same option. But what about the thousands of app companies that collect similar information yet do not have the same standards — or come under the same scrutiny — as Facebook and Google?

And what about the advertising networks they sell your data to, the ones that clutter our screens with ads that know you’re in Worcester or Washington? They’ve been tracking us for years, even monitoring our activities when we’re not even running their apps. We don’t know what data they’ve compiled and have no say over how they use it.

Ironically, it may be Facebook that comes to our rescue. During his mea culpa last week, Facebook founder Mark Zuckerberg vowed to reform the way the company manages its apps.

Going forward, it will only allow apps access to a user’s name, photograph, and e-mail address — no list of your friends, no ability to read your postings, no location tracking.

The app maker can ask you directly for such information, but will have to agree to contract provisions. Zuckerberg didn’t offer details, but it ought to include a guarantee that users can see their recorded data, obtain a copy of it, and demand its erasure.

Facebook will also add a feature that makes it easier to manage and uninstall apps.

One more thing: Apps will stop collecting data if they haven’t been activated by the user in the previous three months. So an app you installed and forgot about won’t keep spying on you.


There’s room for improvement here. And clearly it’s Zuckerberg’s attempt to make us forget about all the data collected by Facebook’s other activities. Still, these rules would set a new standard for app privacy that the rest of the industry should emulate and build upon.

I was so dismayed about the recent Facebook revelations that I deleted about five dozen apps that have access to my account. If Facebook follows through on its reforms, I may start putting them back.

Hiawatha Bray can be reached at hiawatha.bray@globe.com. Follow him on Twitter @GlobeTechLab.