The Dangers of Apps

by Mary DeRosa, The Chertoff Group
Monday, April 28, 2014

The explosion of smartphones and their apps has improved lives in many ways:  greater convenience, more information, and far less boredom, to name a few. But the dangers of apps are beginning to get more attention. Apps access massive amounts of personal data, but they lag far behind other technologies when it comes to protection of privacy and data security.  

One reason that privacy and security concerns are more acute with apps is that it is relatively easy to enter the app business. App development requires a small budget as compared to most other technologies. The lower barrier to entry means that small companies are turning out new apps in huge numbers. Many of those companies are relatively unsophisticated about privacy concerns, legal requirements, and the best privacy practices. Developers tend to write apps that access data broadly because it is easier to do than writing something more specific, and it also provides more flexibility if they want to change the app later. In addition, the small screen size of mobile devices and the manner in which users download and use most mobile apps make communication of data collection and privacy practices challenging.

As a result, the FTC and others estimate that less than a third of apps make a privacy policy available within the app itself.  Others make the information available in the app store or on a mobile browser, but approximately 20-30% of apps do not have a privacy policy available at all, much less a mechanism for obtaining genuinely informed consent.  When policies are available, they are often inadequate or simply wrong.  And once the app developers have the data, they usually have no policy about how long they will keep it.   

At the same time, the type of information apps collect can be particularly sensitive. Many mobile apps, for example, collect locational data, which can say a great deal about a person’s habits and activities. As many as half of top mobile apps collect or share user location data without users’ affirmative consent. Health apps, which track a user’s sleep, weight, and exercise, among other things, are increasingly popular. The transfer of this type of personal data to third parties potentially opens app users to insurance or employment problems as well as targeted advertising that references personal health struggles. And many apps ask users to log in through or permit access to their social media sites. This provides some advantages for users, but it opens all of the information on those sites to the app developer as well.

Mobile apps are also notoriously vulnerable to hackers.  Recent studies suggest that as many as 80%-90% of these apps do not have basic information security features that would defend against common attacks.  In addition, apps have become a popular avenue for hackers to introduce malware into a device or network.  This is particularly true with the Android platform, but the problem exists for iOS apps as well.  

One area of particular concern is the use of apps by children. The Federal Trade Commission (FTC) has reported that the apps and app stores provide inadequate information to parents about what data is collected from their children, how it is being shared, or who will have access to it.  The FTC found that “most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data.”  This was true even when the app shared sensitive data, such as location and phone numbers, with third parties. Educators, public officials, and advocates have raised similar concerns about the use of education-related apps.  These concerns are centered on the use of student data for commercial purposes and the potential for long-term harm to children when companies collect, analyze, and store data obtained from these apps. 

There have been some government efforts to address concerns with mobile apps. In addition to its reports on app use by children, the FTC last year produced a staff report on mobile privacy disclosures generally, which recommended greater transparency on the part of app developers and the platforms that make apps available to consumers. More recently, the Department of Commerce’s National Telecommunications and Information Administration (NTIA) developed a voluntary code of conduct for app developers to follow in informing consumers of data collection and sharing practices with mobile apps. And the U.S. Department of Education issued voluntary guidelines on education privacy and apps in February. Some legislation has been introduced in the U.S. Congress on apps privacy generally as well as specific bills on location and education data.

The voluntary guidance is a welcome step, and there are indications that the developer community is becoming more aware of its responsibilities with user data.  In addition, mobile operating systems are doing a better job lately at providing information to users about the data apps seek to collect.  But changes must come more quickly.  Currently far too much responsibility is on the user to seek out and make sense of information about data collected and security concerns.  Developers, mobile operators, and the app platforms must do more to limit data collection, improve security, and provide users with clear information and choices.  This includes developing clear and specific commitments to delete data, particularly sensitive information and data from education-related apps and others that are popular with children.


Mary DeRosa is a senior advisor to The Chertoff Group, a global security advisory firm that advises clients on cyber security. She also serves as a Distinguished Visitor from Practice at Georgetown Law School, where she focuses on national security law and teaches courses on national security and cyber security. Previously, Ms. DeRosa served as Deputy Assistant and Deputy Counsel to the President and National Security Council Legal Adviser in the Obama Administration.