Monitoring software used by The Washington Post on an ordinary iPhone found that no fewer than 5,400 app trackers were sending data from the phone – in some cases including sensitive data like location and phone number.
It’s 3 a.m. Do you know what your iPhone is doing?
Mine has been alarmingly busy. Even though the screen is off and I’m snoring, apps are beaming out lots of information about me to companies I’ve never heard of. Your iPhone probably is doing the same — and Apple could be doing more to stop it.
On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.
In a single week, I encountered over 5,400 trackers, mostly in apps, not including the incessant Yelp traffic. According to privacy firm Disconnect, which helped test my iPhone, those unwanted trackers would have spewed out 1.5 gigabytes of data over the span of a month. That’s half of an entire basic wireless service plan from AT&T.
The report does need to be viewed in context, however.
App trackers in context
First, while there is much breathless reporting of data being sent to companies like Google and Facebook, the vast majority of it is innocuous. It’s simply developers using app analytics services provided by these companies, and they are learning things like which app features people do and don’t use.
Second, the Privacy Pro app that The Washington Post was using to monitor the tracker traffic was provided by a company that would like to sell you in-app purchases to block this traffic, so the company concerned has a vested interest in making the situation sound scarier than it is.
“This is your data. Why should it even leave your phone? Why should it be collected by someone when you don’t know what they’re going to do with it?” says Patrick Jackson, a former National Security Agency researcher who is chief technology officer for Disconnect […] “I know the value of data, and I don’t want mine in any hands where it doesn’t need to be,” he told me.
There are several answers to that first question.
Most app tracking is legitimate
Necessity: some apps need to be sending tracking data in order to function. That Uber or Lyft car can only collect you if it knows where you are, for example.
Immediate user benefit: Many ecommerce and credit card apps use a variety of signals to detect fraudulent transactions, for example, and it’s in all our interests to block misuse of our cards.
Indirect user benefit: The more an app developer can learn about the way that real users interact with their app in the real world, the better they can make the app. Features that are used frequently can be prioritized for enhancement over ones that aren’t, and there are in-app behaviors that can identify problems with the functionality or user interface. App trackers play a key role in software quality.
Ad-serving: Yep, no-one likes ads (well, maybe some), but whatever we think of them, they make it possible to enjoy everything from free apps to free websites. If we want those things to continue to be free, it’s in our interests to at least have the ads we see be relevant ones.
But there is legitimate cause for concern
But Jackson does make two good points about app trackers. First, transparency.
[His] biggest concern is transparency: If we don’t know where our data is going, how can we ever hope to keep it private?
With literally thousands of trackers transmitting data, it’s simply not practical for anyone to monitor that traffic and figure out which uses are legitimate and which aren’t.
Second, clear consumer protection policies.
To him, any third party that collects and retains our data is suspect unless it also has pro-consumer privacy policies like limiting data retention time and anonymizing data.
The problem is, the more places personal data flies, the harder it becomes to hold companies accountable for bad behavior — including inevitable breaches.
Jackson may be angling for an Apple acquisition.
Jackson suggests Apple could also add controls into iOS like the ones built into Privacy Pro to give everyone more visibility.
But the point is a fair one. Apple does more than anyone else to protect user privacy, but this is an area where it’s impossible for users to get any kind of steer on what’s really going on under the hood. We either need Apple to do more, or for the law to do so.