Thursday, December 1, 2016

Keep It Secret, Keep It Safe: Mobile Apps and Your Data

A new study out of Carnegie Mellon University suggests that what a mobile app claims it will do with your personal data does not always match what it actually does:
An analysis of almost 18,000 popular free apps from the Google Play store found almost half lacked a privacy policy, even though 71 percent of those appear to be processing personally identifiable information and would thus be required to explain how under state laws such as the California Online Privacy Protection Act (CalOPPA).

Even those apps that had policies often had inconsistencies. For instance, as many as 41 percent of these apps could be collecting location information and 17 percent could be sharing that information with third parties without stating so in their privacy policy.

“Overall, each app appears to exhibit a mean of 1.83 possible inconsistencies and that’s a huge number,” said Norman Sadeh, professor of computer science in CMU’s Institute for Software Research. The number of discrepancies is not necessarily surprising to privacy researchers, he added, “but if you’re talking to anyone else, they’re likely to say ‘My goodness!’”

Sadeh’s group is collaborating with the California Office of the Attorney General to use a customized version of its system to check for compliance with CalOPPA and to assess the effectiveness of CalOPPA and “Do Not Track” legislation.
The automated system combines natural language processing and machine learning to analyze privacy policy text, then compares those results to the actual code for the app. It also flags anything in the code that would warrant a privacy policy for apps that don't already have one.
