Findings

The secret sharers

Are your favorite apps watching you?

Gregory Nemec

Gregory Nemec

View full image

It’s not just Facebook and Google tracking you anymore. Many of the most popular apps in the Google Play store contain trackers: you download the app, and the trackers sweep up a variety of data—possibly including personally identifiable, even sensitive, information, as well as location and behavioral data. Researchers with the Yale Privacy Lab, working with the French nonprofit Exodus, identified Android apps that contain clandestine tracking software with ulterior motives. (And Android apps aren’t necessarily the only Trojan horses. For legal and technical reasons, the team hasn’t yet analyzed Apple iOS apps.)

Among the apps cited: Weather Underground (12 trackers) and Duolingo (13). A tracker in the Baby+ app may allow third parties to find out your baby’s name. A tracker called Braze, embedded in apps like Airbnb and Lyft, records a host of user data that may be used as Braze sees fit. Some precisely record shoppers browsing in brick-and-mortar stores.

Such tactics create a “power asymmetry” for marketers, say Michael Kwet and Sean O’Brien, authors of the study. They are visiting fellows with the Yale Privacy Lab, part of the Yale Law School’s Information Society Project. The research appeared on the site GitHub.

Despite its promises that the individuals tracked will remain anonymous, O’Brien says, the industry can create “a probable guesstimate of who each individual is,” simply by compiling the data. Imagine, he says, being denied health insurance because of data your parents recorded when you were an infant.

Opting out can be onerous. App users first have to identify the trackers in their phones. If Braze is tracking them, they have to find out what e-mail to use for an opt-out request. Even then, says Braze’s website, “your information will be deleted from our active database but may remain in our archives.”

What to do? O’Brien says that “getting software directly from advertising brokers,” such as Google Play, is “about the worst thing you could do.” Instead, he and Kwet suggest using free and open-source apps from the software repository F-Droid.

1 comment

  • tim calf
    tim calf, 6:40pm March 16 2018 | Ico flag Flag as inappropriate

    this is alarming and i would have thought that it would be a good idea to list all the compromised apps you have found. otherwise this just becomes another scare piece of journalism which the tech unsavvy can not deal with. a list would at least offer us the opportunity to delete the app.

The comment period has expired.