A Ravenous Ability to Collect Personal Data

Share with others:

Print Email Read Later

BERLIN -- Angry Birds, the top-selling paid mobile app for the iPhone in the United States and Europe, has been downloaded more than a billion times by devoted game players around the world, who often spend hours slinging squawking fowl at groups of egg-stealing pigs.

While regular players are familiar with the particular destructive qualities of certain of these birds, many are unaware of one facet: The game possesses a ravenous ability to collect personal information on its users.

When Jason Hong, an associate professor at the Human Computer Interaction Institute at Carnegie Mellon University, surveyed 40 users, all but two were unaware that the game was noting and storing their locations so that they could later be the targets of advertising.

"When I am giving a talk about this, some people will pull out their smartphones while I am still speaking and erase the game," Mr. Hong, an expert in mobile application privacy, said during an interview. "Generally, most people are simply unaware of what is going on."

What is going on, according to experts like Mr. Hong, is that applications like Angry Birds and even more innocuous-seeming software, like that which turns your phone into a flashlight, defines words or delivers Bible quotes, are also collecting personal information, usually the user's location and gender and the unique identification numbers of smartphones. But in some cases, they cull information from contact lists and pictures from photo libraries.

As the Internet goes mobile, privacy issues surrounding phone applications have moved to the front lines of the debate over what information can be collected digitally, when and by whom. Next year, more people around the world will gain access to the Internet through their mobile phones or tablet computers than from traditional desktop personal computers, according to Gartner, the research group.

The shift has brought consumers in the United States, Europe and other parts of the world into a new gray legal area, where existing privacy protections have failed to keep up with the technology. The move to mobile has set off a debate between privacy advocates and online businesses, who consider the accumulation of personal information the backbone of an ad-driven Internet.

In the United States, the data collection practices of application makers are loosely regulated, if at all; some do not even disclose what kind of data they are collecting and why. Last February, the California attorney general, Kamala D. Harris, reached an agreement with six leading operators of mobile application platforms that they would sell or distribute only mobile apps with privacy policies that consumers could review before downloading.

In announcing the voluntary pact with Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion, whose distribution platforms make up the bulk of the U.S. mobile app market, Ms. Harris noted that most mobile apps came without privacy policies.

"Your personal privacy should not be the cost of using mobile apps, but all too often it is," Ms. Harris said at the time.

But simple disclosure, in itself, is often insufficient.

The makers of Angry Birds, Rovio Entertainment of Finland, discloses its information collection practices in a 3,358-word policy posted on its Web site. But as with most application makers around the world, the terms of Rovio's warnings are more of a disclaimer than a choice.

The company advises consumers who do not want their data collected and advertisements to be directed at them to visit the Web site of its analytics firm, Flurry, and to list their details on two industry-sponsored Web sites. But Rovio notes that some companies do not honor the voluntary lists, which are run by the ad industry.

As a last resort, Rovio cautions those who want to avoid data collection or behavioral advertising simply to move on: "If you want to be certain that no behaviorally targeted advertisements are not displayed to you, please do not use or access the services," according to the company's policy, last updated Oct. 8.

Despite multiple requests by phone and Internet over five days, Rovio did not respond to questions or offer an interview for this story.

Policy practices in disclosures like Rovio's often do little to inform consumers. Most people simply click through privacy permissions without reading them, said Mr. Hong, the Carnegie Mellon associate professor. His institute is developing a software tool called App Scanner that aims to help consumers identify what types of information an application is collecting and for what likely purpose.

The software monitor will not be available until next year, Mr. Hong said.

In Europe, lawmakers in Brussels are planning to bring Web businesses for the first time under stringent data protection rules and to give consumers new legal powers, the better to understand and control the information that is being collected on them.

Proposed revisions to the European Union's General Data Protection regulation now before the Civil Liberties, Justice and Home Affairs Committee of the European Parliament would require Web businesses, including app makers, to get the explicit consent of consumers before collecting data. A proposal would also give consumers the ability to choose what information an app can store on them without losing the ability to use the software.

But the drafting of the revisions, which is not expected to be completed until late 2013 at the earliest, has set off a concerted lobbying battle by global technology companies, most of which are based in the United States, to weaken the consent requirements, which could undermine the advertising- funded business models that drive many free applications.

In a July 11 position paper sent to European lawmakers, the American Chamber of Commerce to the European Union urged E.U. legislators to back away from plans to enforce an "explicit consent" requirement, which it argued would hamper online businesses.

"Requiring explicit consent will require that a range of common practices will need to be reconsidered and re- architected, imposing potentially significant costs on data controllers, processors and third parties," the group said, according to a copy of the letter obtained by the International Herald Tribune.

Jan Philipp Albrecht, a member of the European Parliament from Hamburg, who is the lead sponsor of the data protection revisions, said U.S. business groups had been more vocal than their European counterparts in lobbying on the issue in Brussels.

"I have the impression that they would like to convince the Parliament to change to a system that is more the U.S. approach, which is more or less that it is a competition issue and consumers can complain to the Federal Trade Commission," Mr. Albrecht said in an interview. "But Europeans don't want that. They want individual consent and control from the outset, and increasingly I think most American consumers do, too."

Privacy advocates in Europe have gained an unusual ally -- the Continent's powerful telecommunications network operators, who want stricter control of U.S. Web businesses, which are increasingly in direct competition with them.

Since 1995, European telecommunications operators have had to obtain prior consent from their own customers before being able to use private customer information for marketing purposes. Now, in Brussels, lobbyists for the European operators' industry are pushing lawmakers to apply the same strict privacy rules to Web businesses.

"If these types of rules should apply, then they should apply to everyone equally in a technologically neutral fashion," said Pat Walshe, the privacy director of the GSM Association, a group in London that represents operators.

Mr. Walshe was a member of the California attorney general's advisory panel that helped draft the voluntary disclosure agreement with U.S. mobile application distributors. He said a trans-Atlantic approach on privacy was needed to assuage consumers' anxiety and allow the mobile Internet economy to flourish.

Simple disclosure, the approach in the United States, may not be enough to protect consumers if Europe chooses stricter controls.

"This doesn't help create consistent privacy experiences or protections or help mobile users understand or manage their privacy in meaningful ways," Mr. Walshe said.


This article originally appeared in The New York Times.


You have 2 remaining free articles this month

Try unlimited digital access

If you are an existing subscriber,
link your account for free access. Start here

You’ve reached the limit of free articles this month.

To continue unlimited reading

If you are an existing subscriber,
link your account for free access. Start here