Android Privacy: The Battle You’ve Already Lost


There’s no shortage of cool new apps, from one that turns your camera into an emergency flashlight to one that spontaneously materializes a taxi or groceries at your doorstep. Or the one that tracks your rapidly depreciating investments in real time. As cool as these apps look, they’re probably all spying on you.

Unscrupulous companies could create seemingly innocuous apps that harvest your text messages, contacts, and call history, while potentially texting and making calls you may never be aware of. They can even use your phone’s camera to take photos or your phone’s microphone to record audio. And worst of all, if they are, it’s because you let them.

While the public consciousness is occupied with one tech policy battle after another – from net neutrality to encryption policy to Microsoft-Ireland to Apple vs. the FBI – the estimated 1.8 billion users of the Android operating system may have already lost a battle that has been around for as long as it has been hidden from public view. And like many other battles in technology, it’s about user data. Only this time it’s not stolen or secretly collected data, it’s data you’ve “agreed” to hand over to companies on a platter.

What are Android “permissions”?
Whenever a user installs a new app on an Android device, they consent to certain “permissions” being granted to the app. These “permissions” allow applications to interface with the operating system to access information, use system resources and hardware, and perform different operations. For example, a taxi call app would require permission to use a phone’s GPS receiver to acquire the user’s location data to transmit to the driver. On most devices, these permissions are granted by users when installing a new app. Users accept permissions for apps the same way they “accept” End User License Agreements (EULAs) when installing software on Windows – in most cases, with nothing more than a glance.

Permissions are required to ensure the app is able to function as advertised (to hail a cab, buy groceries, or send a message). But if apps only looked for the permissions needed to perform essential functions, there would be no debate. When an app to track the stock market requires access to your phone’s microphone to record audio, questions need to be asked.

A quick look at the app permissions on my Moto G revealed that 27 apps had access to my camera, 57 to my contacts, 45 to my GPS location, and 20 to my microphone. Some obvious red flags were the Moneycontrol and BigBasket apps being able to record audio through my microphone; BigBasket, PepperTap and Grofers can all access my camera; and the HDFC app can access my GPS location – all with no advertised uses for this type of data. While this does not mean that these apps actually exploit or even use these permissions, it is the responsibility of the developers to clarify why each of the permissions is wanted.
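The tally described above can be reproduced from the `<uses-permission>` entries in each app's manifest. The following is an added example, not part of the original article: the package names and manifests are constructed, and the `EXPECTED` map of which capabilities a category can justify is a reviewer's assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The four sensitive capabilities tallied in the article.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Assumption: capabilities a reviewer accepts as justified by each category.
EXPECTED = {"taxi": {"location"}, "grocery": {"location"}, "stocks": set()}

def manifest(pkg, *perms):
    """Build a constructed AndroidManifest.xml for a hypothetical package."""
    uses = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{pkg}">{uses}</manifest>')

# Constructed sample data: package -> (category, manifest XML).
APPS = {
    "com.example.cab": ("taxi", manifest("com.example.cab", "INTERNET", "ACCESS_FINE_LOCATION")),
    "com.example.stocks": ("stocks", manifest("com.example.stocks", "INTERNET", "RECORD_AUDIO")),
    "com.example.grocer": ("grocery", manifest(
        "com.example.grocer", "ACCESS_FINE_LOCATION", "CAMERA", "READ_CONTACTS")),
}

def sensitive_capabilities(manifest_xml):
    """Return the sensitive capabilities a manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return {SENSITIVE[n] for n in names if n in SENSITIVE}

def audit(apps):
    """Return (capability -> apps holding it, app -> capabilities with no stated use)."""
    holders, unexplained = defaultdict(list), {}
    for pkg in sorted(apps):
        category, xml = apps[pkg]
        caps = sensitive_capabilities(xml)
        for cap in sorted(caps):
            holders[cap].append(pkg)
        extra = caps - EXPECTED.get(category, set())
        if extra:
            unexplained[pkg] = sorted(extra)
    return dict(holders), unexplained

if __name__ == "__main__":
    holders, unexplained = audit(APPS)
    print({cap: len(pkgs) for cap, pkgs in holders.items()}, unexplained)
```

A flagged entry only shows that a permission was requested without an advertised use, not that the app exercises it.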


This status quo is all the more worrying because of the lack of transparency around app permissions. In order to address this information asymmetry, developers must be incentivized to disclose what permissions their apps need and why. If an e-commerce application has the ability to read all your contacts and acquire GPS data without any advertised reason for the same, it should be required to disclose what it plans to do with that data and most importantly, if this access is required for the application’s core functionality.

Transparency should be a minimum requirement. As confidentiality becomes a criterion of product differentiation, it may even be in the interests of developers to offer clear information.

Need for awareness
In today’s information economy, collecting user data for advertising purposes can be a significant, even legitimate, source of revenue for developers, but this trade-off must be made in a consensual way. For this, the prerequisite is not only transparency but also awareness. Although Android attempts to be transparent about what permissions an app seeks (at install time), users should be aware of the risks of granting permissions that allow the collection of sensitive data.


In the Indian context, with a number of individuals connecting for the first time, this need is even more accentuated. Both novice and experienced users should be given the opportunity to understand the conditions under which they are using a particular application. The lack of availability of disclaimers, terms of use, privacy policies and other documents in local languages is another pressing issue where progress is needed.

At the same time, all this is not to say that there are no legitimate purposes for which sensitive permissions can be requested or granted. For example, applications requiring payments may require the ability to scan incoming text messages to extract bank-generated one-time passwords (OTPs) to facilitate two-factor authentication. But even in such cases, users should be able to opt out and choose manual OTP entry rather than unrestricted access to their data. Additionally, developers should provide detailed information on the scope of scanning/processing activities – e.g. do the activities take place only when the relevant application is open, or do they always run in the background? Privacy compromises may be justifiable and necessary these days, but that doesn’t mean they have to happen in such a way that user consent is tainted by digital illiteracy, lack of technical skills or information asymmetry.

Law enforcement
Broad app permissions also provide law enforcement with creative ways to hunt down criminals or, alternatively, conduct mass surveillance. Given the lack of judicial review of user data requests in India, the latter outcome is more likely. Either way, app permissions can present a new, uncharted avenue for conducting covert surveillance, investigating cybercrimes, and exploiting previously unavailable data points to catch criminals.


If they haven’t already, it’s only a matter of time before authorities realize (to their advantage) that there may be Indian developers with access to as much actionable user data as their often inaccessible foreign counterparts. This could simply mean approaching an Indian app maker whose app is allowed to make a call, send a text message, record audio, or send GPS data. This has a significant advantage over the flawed MLAT procedure for requesting data from foreign companies. After all, who would suspect that your flashlight app is the one that got you arrested?

Post Scriptum: In addition to efforts by OEMs such as Xiaomi and software vendors such as Cyanogen to include permission managers in their software, with the latest version of Android (Marshmallow or 6.0), users have a simple option to revoke each permission granted to an installed application. Additionally, users are notified each time an app requests the use of a sensitive permission for the first time. Although this is an extremely positive development, it is not (yet) a complete solution. To begin with, Android 6.0 penetration is around 2.3% of all existing Android devices (as of March 2016) – a metric excluding a large number of devices for which Google does not keep official usage statistics. While that number is expected to increase over the next few months, a large number of users will continue to use previous versions of Android for years to come. To get an idea of the permissions granted to different apps on your pre-Marshmallow phone, you can, ironically, download another app – such as MyPermissions.

Tarun Krishnakumar is a technology and public policy lawyer based in New Delhi.

Disclaimer: The opinions expressed in this article are the personal opinions of the author. Gadgets 360 is not responsible for the accuracy, completeness, adequacy or validity of the information in this article. All information is provided as is. Any information, facts or opinions appearing in the article do not reflect the views of Gadgets 360, and Gadgets 360 assumes no responsibility for them.
