Mobile apps and the consent game
Apps are fashionable, and more and more businesses are creating me-too mobile phone apps and nagging potential customers to install them, instead of focusing on building a better website that works on all devices. The problem with many of these apps is that they have a blatant disregard for privacy.
Some apps do things which a website couldn't easily do, and which would be meaningless on anything but a mobile anyway. For example, Transport For London has developed an app which uses the location obtained via your GPS to work out where you are in relation to bus stops and buses so that you can see at a glance when your next bus is expected. The app also allows you to find out how to get from where you are to where you want to be, and allows you to pre-purchase tickets on your phone, much like you could use a smart card. That is a great example of a mobile app in action.
Another example of a genuinely useful mobile app is the AA app. If you break down in a country lane somewhere, this app lets you contact the AA to request assistance without having to wait for an operator to become free. It uses the GPS system in your phone to very accurately pinpoint your car so that the AA can get a van to you quickly, and gives you real-time updates on how long it will take for the van to arrive. It also includes other motoring-related features such as sending you a reminder when your MOT is due, traffic alerts, journey planning etc, and generally offers the convenience of putting all this functionality together into one easily-accessed place on your phone.
Other apps are more questionable though. For example, I recently looked at an app for a London shopping centre. When you visit a shopping centre you need information: which shops are there, and what are the opening times? You might wonder why a shopping centre needs an app to do this, in addition to its website. Do people really go to a shopping centre and then use their phones to see what each shop sells? So why does it need yet another app to clutter up your home screen?
Permissions and the illusion of informed consent:
When you install an app, it will ask for a lengthy list of permissions, and we all know that when a user is presented with any sort of terms and conditions box, they will blindly click yes, especially when the only alternative is to not use the app at all. Even those who look carefully at the permissions requested will be left scratching their heads wondering what some of them mean. So I looked at the official documentation for the London shopping centre app on the Google store to see what permissions it needs, and this is what is listed, along with Google's explanation of what the request permits.
Calendar: read calendar events plus confidential information, add or modify calendar events and send emails to guests without owners' knowledge.
Location: read precise location using GPS and network.
Phone: directly call phone numbers.
Photos, Media, Files, Storage: read, modify, or delete the contents of your USB storage.
Camera: take pictures and videos.
Microphone: record audio.
Other: receive data from Internet, full network access, control vibration, prevent device from sleeping.
Is this just another invasion of privacy?
What possible right does a shopping centre have to read your calendar, which could include doctor's appointments, for example, and to add events to your diary without even asking you? Why should it know where you are 24 hours a day, when you are nowhere near its property? What reason is there to prevent your phone from ever entering its battery-saving sleep mode? The sinister interpretation of these permissions is that it is not about the app being useful to you, it is about you being useful to the shopping centre: allowing your phone to nag you every time they have a sale on, allowing it to mail your friends in your name with their spam, profiling your life and selling your data to ad brokers, and so on.
Legitimate reasons, but how can you tell?
There might be a more gentle explanation. Take sleep mode. Maybe it isn't so that the app owners can keep track of you 24 hours a day and use your phone to spam people in the middle of the night. If you are using an app for a payment transaction, for example, you don't want the phone to go to sleep in the middle of the transaction, so the app needs to be able to temporarily suspend sleep mode activation. One explanation is quite innocent and acceptable, and the other is sinister, but the user is asked to give consent with no way of knowing what consent implies. Informed consent is an illusion.
The "don't worry about it" explanation
Another explanation often put forward is that this is nothing malicious, simply an oversight by the developer. The argument goes that when building the app, it is easier to ask for all permissions to avoid a lot of pop-ups while debugging code, and the developer just forgot to reset it when the project was finished. So although an app might ask for permission to read your address book and send emails, it doesn't actually do so. Again, there is no way for you, the app user, to know if this is the case, and the advice "probably not worth worrying about" probably isn't worth the pixels it is written with.
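What a reviewer, or the business that commissioned the app, can check is the request itself: the sketch below reads a decoded AndroidManifest.xml, groups each requested permission under the store labels from the permission list above, and flags every runtime-consent ("dangerous") permission that is not on an agreed allow-list. This is an added example, not part of the original article; the manifest, the package name and the allow-list are constructed, and the label-to-permission mapping uses Android's platform permission names, which the article does not give.

```python
import xml.etree.ElementTree as ET  # sample is local and trusted; use defusedxml on untrusted files

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Store label -> manifest permissions Android treats as "dangerous" (runtime consent).
GROUPS = {
    "Calendar": {P + "READ_CALENDAR", P + "WRITE_CALENDAR"},
    "Location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "Phone": {P + "CALL_PHONE"},
    "Storage": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
    "Camera": {P + "CAMERA"},
    "Microphone": {P + "RECORD_AUDIO"},
}
# "Normal" permissions: granted at install time with no prompt at all.
NORMAL = {P + "INTERNET", P + "VIBRATE", P + "WAKE_LOCK"}

# Constructed sample manifest mirroring the permission list in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shoppingcentre">
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""
# Assumed allow-list: what a shop directory with a rough "nearest entrance" hint could justify.
ALLOWED = {P + "INTERNET", P + "ACCESS_COARSE_LOCATION"}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml, allowed):
    """One finding per requested permission: store group, protection level, justified or not."""
    findings = []
    for perm in sorted(requested_permissions(manifest_xml)):
        group = next((g for g, perms in GROUPS.items() if perm in perms), "Other")
        level = "dangerous" if group != "Other" else "normal" if perm in NORMAL else "unknown"
        findings.append({"permission": perm, "group": group, "level": level,
                         "justified": perm in allowed})
    return findings

def unjustified_dangerous(findings):
    """Permissions that need user consent but have no agreed feature behind them."""
    return [f["permission"] for f in findings if f["level"] == "dangerous" and not f["justified"]]
```

The audit shows only what the app asks for, not what it does with the access once granted, so it supports a procurement or review decision rather than replacing one.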
The "of course you can trust us" explanation:
Finally, there is the "you can trust big companies" argument. Imagine the bad PR that a shopping centre would suffer if it came to light that they were involved in spying on customers, collecting personal data without permission, and so on, so of course we can trust them. But that argument is deeply flawed. I have no reason to trust someone who runs a shopping centre and who can point to a tick box on the app and say "but I haven't done anything wrong, you explicitly gave me permission to do all these things when you installed the app, and if you had properly read the thirty-three pages of terms and conditions on your mobile phone screen, you would have seen that you gave me blanket permission to collect any data on you that I wanted in order to give you a better shopping experience."
Now even if we believed the argument that big companies are honest, trustworthy, and bound by privacy regulations and the GDPR, remember that many companies do not develop their own apps. They have simply bought one from an online app supplier, possibly from outside the EU, to jump on the app bandwagon. They may have no idea what its inner workings are, what the developer's motives are in requiring so many app permissions, or what happens to all the personal data the app is collecting on you.
Everyone knows we live in an era of fake news. Few realise we are living in an era of fake trust as well.
29th January 2018
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.