We all use smartphone apps to help us through the day, whether that’s to check the weather, shop online, or keep healthy. But a Which? investigation of popular apps has shown that, despite the introduction of new data rights, many are using clever tactics to get more information than you may want to share.
We may trust these apps, but do we really fully understand what we’re getting into when we click ‘download’?
It’s often unclear what exactly happens with your data after it’s been collected, including whether your information goes towards making money through digital advertising.
Mobile phone reviews – looking for a new handset? Read our in-depth verdicts on all our tested models.
Which? investigation: key findings
When we last ran an investigation into apps, we were shocked that many popular ones were failing to properly encrypt user data.
Thankfully, all 29 of the Android and iOS apps we tested in summer 2018 used encryption to some degree. However, the flipside of that is it’s harder to know exactly what they’re doing with your data. What we could see, though, still gave us cause for concern.
Some apps undermine your privacy by bundling multiple requests into a single option. Others hide their most privacy-friendly settings through sneaky design, and force users to accept advertising before they can even see who those advertisers are.
In some cases we feared that apps didn’t quite match the spirit of the GDPR (General Data Protection Regulation), which came into force in May. In others, their practices were probably lawful, but had disturbing implications for the future of privacy.
You can read all of our findings in the October issue of Which? magazine. Below are some notable examples.
When we downloaded the iOS version of Amazon’s hugely popular shopping app, it knew that the test phone was in Brighton, displaying a ‘BN2’ area code under the search bar. It didn’t explicitly ask to know our general location and the address we used for the Amazon account was in Bristol, suggesting Amazon is taking the location from the user’s IP address.
The weather service lists 18 ‘unaffiliated providers’ of advertising with whom it shares data about users and their devices. An alarming pop-up on AccuWeather’s website states that it shares data with 199 partners. Ironically, the message appeared when we were trying to read the list of third-party advertisers. At that stage, it also asked us to pay to avoid having targeted advertising based on our data.
AccuWeather said an updated version of the app will be released in September, and will give users more control over ‘who may access user data and for what purposes’.
Flo Period & Ovulation Tracker
Despite hosting sensitive data on women’s menstrual cycles or sexual activity, the Flo app isn’t password protected by default – its security measures are tucked away in the settings. So, if a user hasn’t protected her phone, anyone could pick it up, open Flo and view health data.
Flo said that most users use the app purely to track their menstrual cycle, but added that it plans to release a password-setting feature at the registration screen in upcoming versions of the app.
Longer than flying from London to Sydney
If you want to download all 29 apps in our investigation, the combined T&Cs and privacy policies amount to 333,336 words of text.
That’s longer than Crime & Punishment by Fyodor Dostoyevsky, nearly twice the length of Catch 22 by Joseph Heller, and almost four times as long as 1984 by George Orwell.
Based on average reading speed, it would take 22 hours 21 minutes to read all the policies in one go. That’s longer than it takes to watch all the Harry Potter films and fly from London to Sydney.
Google and location tracking
You may not be aware that your smartphone is likely to be packed with advanced sensors, such as GPS and a digital compass, barometer, gyroscope and accelerometer.
These are essential to make location and movement-based apps (such as pedometers) possible, but they can also give a pinpoint view of where you are, and, through inference, potentially even what you’re doing.
In various recent reports, including by Associated Press, Google has been accused of using location data in Android to make highly accurate inferences about the two billion users of the operating system. It uses this, it is alleged, to finely target digital advertising.
Google claims that location history in Android is ‘entirely opt in’. However, it does admit that even when the user turns location history off, it continues to use location to improve the Google experience when they do things such as performing a Google search or using Google for driving directions.
Which? calls for digital ads market investigation
The digital advertising market is worth more than £10bn in the UK alone, powered in part by the huge proliferation of mobile devices such as smartphones.
Most apps ask for permission to access functions of your phone or your data. This is often to provide you with a particular service, such as directions, train times or the latest news and weather forecast.
However, some apps can also use these permissions to power their advertising, and that can feel like an intrusion of your privacy.
Our recent Control, Alt or Delete? report sets out our concerns about this, and calls on the Competition and Markets Authority (CMA) to conduct a market study into how the digital advertising market operates.
Control your app privacy
Both Apple’s iOS (on iPhones and iPads) and Google’s Android operating systems now give you more control over what apps can and can’t access.
If you installed a calendar app, for example, it may request access to your photos for a feature where you can add a photo to an invite. If you’ll never use such a feature, you don’t need to let it access your photos.
Head over to our in-depth step-by-step advice on how to manage app permissions in iOS and Android. That way, you can enjoy the benefits of the apps that make life easier, while also protecting your privacy.