Will Cathcart, global head of WhatsApp, clarified the update “does not affect the privacy of your message with friends or family in any way” but provides “further transparency on how we collect and use data”. However, users, worried their chats wouldn’t be private anymore, shifted to apps that are seen as respecting user privacy better.
What most users might not be aware is that apps collect and share a lot of information about them. The banking, food ordering, stock market, ecommerce, cab-hailing, social media and other apps routinely gather more information than they need. This is par for the course in this corner of the software world. “This intrusive behaviour is alarming,” says Anurag Jain, cofounder & CTO of conversational AI platform ORI. “A famous app took my permission to access text messages, and after a few hours informed me my income, expenditure and how much insurance cover I could get.”
On the pretext of two-factor authentication, some apps take permission to access text messages. Once this access is given, these pieces of software can read users’ salary details, credit card dues and other information in the messaging inbox. Applications also seek permissions to photo library, contact list, location, call logs, camera and others. For example, to upload photos on Twitter, the micro-blogging site asks users’ permission to access their entire photo library.
“The moment a user gives permission to access SMS, which the app might say is only to read OTP (one time password) for a transaction, it can check your salary, expenses and the brands you interact with,” says Rakesh Deshmukh, cofounder and CEO, Indus OS. “It is a double-edged sword — apps give convenience and end up doing more than is needed.”
This is clearly more info than they need, say experts. Why should a bank want to know a user’s location when it is not needed to deliver services, or why should a gaming app ask for access to a user’s photo library?
Apart from this, apps that run in the background — often on the pretext of keeping systems running and updated — collect data about a user even if they are not being used. Applications that come embedded on phones are one such category.
It has become an industry norm to ask for all permissions even if app owners don’t know what to do with the data, says Ritesh Chopra, director, sales & field marketing (India & Saarc), NortonLifeLock. “Their long-term business model could be to monetise user data.”
Deshmukh points out other unfair practices. For example, all permissions, terms and conditions are usually in English. That puts it out of reach of a large number of the 600 million and growing internet user base in India. That apart, lack of understanding among users makes it easy to breach privacy. For instance, Chopra has made it a habit to enable and disable photo library access every time he has to share a photo. Millions of users would find this cumbersome.
Besides, apps often use proxies to get information. Says Jain of ORI, “Several apps interact with other apps like Google, Facebook, Instagram for logging in and then get access to data (using hidden tactics on the permission page).”
Newer versions of Android (10 & above) and Apple iOS empower users to restrict permissions — like limiting location use only when a person is using maps actively or limiting SMS access to OTPs or ensuring apps deactivate when the user exits them. Google did not share the number of Android 10 & 11 users, citing that it does not break up such data. According to Statista, in the first half of 2020, only 8.3% of worldwide users were on Android 10, while the rest were using the less feature-rich Android 9 and earlier versions of the dominant mobile operating system.
As for the software running in the background, Google says its policy allows apps access only if it is critical to the application’s core functionality and provides clear user benefits. In November, Google said if an app uses background location data, developers must submit a form for review and receive approval to comply with the policy.
The strategy for most apps, Chopra says, is “acquire users, have all their data and figure out how to monetise it later”. “WhatsApp is being talked about because of the size of the Facebook.”
Apps might do this to make money but users should be aware of the data they are sharing, says Faisal Kawoosa, founder, techARC. “Users have to be savvy enough to go to their device settings and control what all apps access.”
This might be a tough ask for a large number of users. But it is time they realised how vulnerable they are.