Professor Jason Hong, Carnegie Mellon University
From the show Your Smartphone: What's it Saying to Cyber-Criminals?
You’ve probably heard the phrase “there’s an app for that” - be it Facebook, Angry Birds, Google Maps, WhatsApp... there are thousands of apps available online. You download them to your phone or tablet computer and your every need can be catered for at the swipe of a screen… And it’s big business. Each of us uses - on average - 25-30 of these phone applications. So it’s no wonder we tend to just hit ‘accept’ when an app asks for permission to use our device’s camera, have access to our contacts, or even look at our location.
But why does a game app need to know this information? And what exactly are these apps doing with this unrestricted access? Could some of them be recording private conversations, or logging where we go for coffee every Tuesday morning to sell the data to third parties? It sounds scary, but it’s real: several app developers have already been fined in America for doing just this.
Carnegie Mellon University’s Professor Jason Hong has set up a website to grade apps based on their threat to our privacy, and he told Chris Smith why apps collect this personal data...
Jason - There's lots of different kinds of data that these smartphone apps can store. So for example, they might be gathering your phone’s unique ID, might be getting your current location, or they might be trying to get access to your contact list.
Chris - The big question is, well, why do they need that information?
Jason - Well, in some of these cases, the apps are trying to use these kinds of data sources in new ways. So for example, we’ve seen apps that are games that are using your location data to create location-based kinds of game. But other times, they're using it for advertising purposes or they're also trying to bootstrap their social network by getting your entire contact list, and then spamming your friends to see if they're interested in joining as well.
Chris - But this is illegal, isn’t it?
Chris - When you install this software on your phone because your phone is often quite a powerful computer at the end of the day, isn’t it? Can it leave a sort of vestige of itself there even if you get rid of it so that there is always a danger that it’s done something to your phone that means someone somewhere could still nonetheless have access to the information even though the app is no longer there?
Jason - Yes, that's right. Whenever you use a lot of these free apps, they're primarily funded by advertising. And so, what happens is that these advertisers are trying to collect a lot of data about you. So, even if you remove a specific app, you might still be using other apps or using the same kinds of advertising services.
Chris - So, you are motivated to set up your website to try to point the finger at some of the worst offenders and also highlight some good practice?
Jason - That's right. And so, what we did is we downloaded about a million different Android smartphone apps and we started analysing them to try to understand what the behaviours were. So for example, right now, you can easily tell that an app is using location data but you can't tell why it’s using that data. So what we did is we try to infer the purpose. So for example, is it using location data for social networking, advertising or analytics? And then for the second part of the work, we also used a whole bunch of these crowd sourcing techniques. You can imagine this being a very large scale kind of survey where we’re asking a lot of people how they felt about these kinds of behaviours. So for example, people are very unhappy about contact lists being used for advertising but are mostly okay with contact lists being used for social networking.
Chris - Can you give us some physical examples of the kinds of apps that you think behave appropriately and perhaps some examples of ones that have been downright malicious?
Jason - So, one app that has a very surprising kind of behaviour but is sort of fun, there's this dictionary app where you can actually look up what other words that people around you are looking up. And just sort of as a funny joke, one time, I was in Washington DC and I was showing some other people this app and the word that was being shown nearby was ‘corruption’.
Chris - Don't do that in Westminster either. You might catch one or two MPs on that one. I was looking at an example because I saw this newsflash come around and excuse the pun on ‘flash’ but it was about this flashlight app. Because I've downloaded this myself. You can turn the flash on your camera phone into a steady light source that you can use as a sort of torch in the night. There's evidence that some of those are being used to do things like turn on the microphone in your phone when you don't want to so that people can eavesdrop on your conversations even though the phone isn’t making a phone call.
Jason - That's right. There are some really unusual kinds of behaviours. So, we’ve seen some flashlight apps that request internet access. They're trying to get your phone’s unique ID and they're also trying to get your current location. Now, the reason that they're trying to do this again is mostly for advertising purposes. So right now, this trade-off that's, “You can download me for free, but we, the developers, need to make revenue off of it. And so, we’re going to try to show you ads. But to show you better ads, we’re going to try to get more data about you.” So for example again, your location data and your unique phone ID.
Chris - Sounds pretty scary, doesn’t it? Looking at the trajectory of this, where does your research suggest the next threat is coming from or where are we going to be in the future because more and more, these phones and these devices are becoming a dominant part of our lives?
Jason - Yes. I think in the near future, our smartphones probably will know almost everything about us. I think in many ways, this will actually be a good thing because our smartphones will be able to help us with healthcare, transportation and sustainability. But these same technologies might also offer a lot of kinds of privacy problems as well.
It would have been really helpful to include a link to his website, privacygrade.org. Kevin, Sat, 7th Mar 2015