Last fall’s Global Privacy Enforcement Network (GPEN) Mobile App Privacy Sweep is continuing to yield positive results for consumers in 2015.
As you might recall, the Office of the Privacy Commissioner of Canada (OPC) coordinated an assessment of the privacy communications of 1,211 popular mobile applications (apps) in conjunction with 25 national and international privacy enforcement partners. Our office alone assessed 151 apps.
Sweepers around the world found that 85 per cent of apps they looked at failed to clearly explain how they would collect, use and disclose personal information.
Our office decided to share our concerns with the developers – both the large corporate ones and the small-time basement genius types – behind some of the apps we swept.
Aside from the “l-APP-luster” and “dis-APP-ointing” apps we wrote to last fall before identifying them in a blog post, we sent letters to dozens of other apps outlining a number of our privacy concerns.
Our concerns ranged from not being able to find a privacy policy prior to download on the app marketplace or the developer’s website, to not being able to read it properly because it wasn’t designed for the small screen and either cut off words or required zooming in or horizontal scrolling.
Other times, we raised concerns about the lack of in-app privacy communications, or the fact that the so-called privacy policy didn’t actually address key issues such as the app’s practices regarding the collection, use and disclosure of personal information.
We’ve now heard back from the developers behind 31 of the apps we swept. The vast majority of them were grateful for our feedback and have committed to making improvements to their privacy communications.
For example, within just 34 minutes of receiving our letter via email, the developer of one health app added a privacy policy to its website. Another developer from Northern Europe, with 14 apps to its name, thanked our Office for our letter, agreed to make privacy communications an immediate priority and is now ensuring that a privacy policy link is included in each of its marketplace listings. We also received positive feedback from one of the world’s largest online gaming companies, as well as a leading social networking app.
Other developers indicated they would improve privacy communications in future versions of their app, fix broken links to privacy policies or follow up with our Office once suggested changes have been implemented. Several Canadian news media apps committed to wholesale changes, from making privacy policy links more prominent to making them more user-friendly on the small screen.
Sweepers were particularly impressed with the response received from the popular game Farmville 2: Country Escape. The developer, Zynga Inc., fixed broken links and vowed to remove a permission that it no longer required from future versions of the game. The company also launched an abbreviated mobile privacy notice that summarized its lengthy privacy policy in an easier-to-read format on the small screen. But it didn’t just do this to address our concerns about Farmville. The developer has more than 70 other apps to its name and is making sure the privacy notice is available on the app marketplace for all of them. Bravo!
In fact, our outreach efforts have led to positive changes to the privacy communications and practices of some 136 apps.
We take from the overwhelmingly positive response to our letters of concern that many app developers want to protect the privacy of their customers and may simply be unaware that their practices were falling short.
The feedback we’ve received shows that education and outreach can often effect change without the need for more costly and time-consuming formal investigations. We see this as a testament to the success of the annual privacy sweep initiative.
Unfortunately, we could not reach the developers behind six apps despite significant effort. We’ve decided instead to name those apps here in the hopes that their creators might see our comments and make positive changes for their customers – starting with providing adequate contact information.
Here’s what we found:
Emoji Keyboard 2: Animated Emojis by Shishi Li
This app allows users to add emojis to their text messages. According to sweepers, no privacy communications were available before or after download. The data controller’s website was little more than a link to a Facebook page in the name of “John Smith.” Sweepers say the app appeared to link to Facebook, Twitter, email and SMS functions, but it did not ask for permission. Users are also asked to log in to social media, but it’s unclear if personal information is being collected as a result.
Hide N Seek: Mini Game with Worldwide Multiplayer by Wang Wei (FingerLegend)
This app is a cartoon hide-and-seek game. According to sweepers, the app has no privacy policy and the developer’s website is an unused Twitter account. There was no explanation as to why the app wanted access to the user’s photos.
Smashy Birds With Blood by Bitcage Europe, Ltd.
Aside from its, ahem, interesting name, sweepers raised concerns about this game app because it has no privacy policy prior to or after download. The developer’s website, bitcage.com, is a template that has not been filled out. Sweepers raised concerns because the developer has seven other apps available in the app marketplace. While it’s not clear all the apps collect personal information, some appear to link to the user’s Instagram or Facebook account, calendar and contacts. Sweepers were disappointed to discover that Bitcage’s website was devoid of even the most basic of information, let alone a privacy policy that outlines if and how personal information is collected, used and disclosed. In fact, our Sweepers got an error message when they clicked on the part of the website where the privacy policy was supposed to be.
Can You Escape – Tower? by Kaarel Kirsipuu (MobiGrow)
This app is a puzzle game. Sweepers could find no privacy communications prior to download or within the app itself once it was on their device. The developer’s website is a Facebook page that includes no privacy information whatsoever. Sweepers raised concerns because the developer has 10 similar apps available in the Google Play Store. Some of the apps appear to collect and disclose, among other things, information about the user’s location. Some also seek access to external storage, which could contain the user’s photos, videos and other stored data. Sweepers felt MobiGrow should provide a proper privacy policy that explains what personal information is collected and how it is used and disclosed. Even if an app does not collect personal information, an assessment our Sweepers had difficulty making when there were no privacy communications, it is a best practice to say so.
Belly Fat Workout FREE: 10 Minute Ab Exercises by Pro Code Media
This is a fitness app that walks users through a variety of exercises. Sweepers were unable to find any communications explaining the app’s privacy practices prior to installation, or within the app itself. Nothing was found on the app marketplace listing, nor was anything initially found on the developer’s website. Later, a mock privacy policy was found. It was written in Latin and had nothing to do with privacy, leaving our sweepers with a serious case of Confusus Maximus. There now appears to be a privacy policy of sorts on the appandaway.com website, which is listed as the seller of the app in the app marketplace. The policy, however, does not include any information about consent for the collection, use or disclosure of personal information.
2048 by Estoty Entertainment Lab
This app is a highly addictive math game that, according to the developer, has been downloaded more than 35 million times. Our Sweepers have found no privacy communications whatsoever in the app marketplace or on the developer’s website. There were also no in-app privacy communications, which left sweepers with a sense of unease over whether personal information was being collected and, if so, how it would be used and disclosed. This developer also has other apps available in the app marketplace, at least one of which appears to link to Facebook, and Sweepers felt a best practice would be for Estoty Entertainment to be upfront about its personal information handling practices.
Update:
It’s been eight months since we publicly raised concerns about four apps for their l-APP-luster or downright dis-APP-ointing performance when it comes to privacy communications.
We are happy to report that Super Bright LED Flashlight, an app that dis-APP-ointed our sweepers, is now asking for fewer permissions. It has removed its request for permission to access photos/media/files and ID/Call information. The app has also added a link to its privacy policy in its Google Play Store marketplace listing.
Note to developers: Click here for great tips on how to communicate your privacy practices to app users.