The Wall Street Journal has continued its excellent work on data privacy. The WSJ is reporting that like many Facebook applications, many popular mobile apps are sending user data from phones to third parties. They found that most of the popular apps running on Apple (AAPL) iPhone‘s and Google (GOOG) Android systems, had sent the phone’s unique device ID to other firms without asking the user’s permission.
TechEye says that the iPhone was much worse than Google’s Android, although both Apple and Google have promised not to let such practices take place. Michael Becker of the Mobile Marketing Association told TechEye there is no anonymity. Alex Deane, director for Big Brother Watch, said “This is alarming news. Most users of these apps don’t know this is happening and many of them wouldn’t use the app if they did know,” Mr. Deane told IT PRO. “Importantly, lots of these apps are mainstream ‘normal’ apps. It’s not just shady operators doing this ”
The WSJ reports that mainstream mobile productivity, games, and music apps are sending user data elsewhere. The data is mostly sent to ad companies so they can tailor ads to the user’s history for better results. The paper found that 56 of the apps in the investigation sent unique information to other companies without the user knowing or agreeing to the sharing. 47 of the apps sent the mobile phone’s location to third parties, and five of the apps sent age, gender, and personal details to outsiders. Eighteen of the 51 iPhone apps sent information to Apple.
The Journal found:
The app that shares the most personal info is an iPhone app called TextPlus 4. The app sent the unique ID of the device to eight ad companies and sent the zip code, user’s age, and gender to two more firms.- The free and paid versions of the wildly popular Angry Birds app on an iPhone. The apps sent the phone’s UDID and location to the Chillingo unit of Electronic Arts Inc., which markets the games.
- The popular music site Pandora was a big offender, sending age, gender, location, and phone identifier to various ad networks.
Both Android and iPhone versions version of Paper Toss sent the phone ID number to at least five ad companies.- The Android app for social networking site MySpace sent age and gender, device ID, user’s income, ethnicity, and parental status to Millennial Media, a big ad network.
Among all the mobile apps tested by the WSJ, the most widely shared detail was the unique ID number assigned to every mobilephone. It is effectively a “supercookie,” says Vishal Gurbuxani, co-founder of Mobclix Inc., an exchange for mobile advertisers. The “UDID,” or Unique Device Identifier is set by the phone makers, carriers or makers of the operating system and typically can’t be blocked or deleted.
The WSJ has released a short video explaining its investigation,
“The great thing about mobile is you can’t clear a UDID like you can a cookie,” Meghan O’Holleran of Traffic Marketplace told the WSJ. Traffic Marketplace which is an Internet ad network that is expanding into mobile apps uses UDID’s, “That’s how we track everything.” Ms. O’Holleran told the WSJ that Traffic Marketplace monitors smartphone users whenever it can. “We watch what apps you download, how frequently you use them, how much time you spend on them, how deep into the app you go,” she says.
According to the WSJ, Mobclix matches more than 25 ad networks with 15,000 apps seeking advertisers. The company collects mobile phone IDs, encodes them, and assigns them to interest categories based on what apps people download and how much time they spend using an app, among other factors. By tracking a phone’s location, Mobclix also makes a “best guess” of where a person lives, says Mr. Gurbuxani, the Mobclix executive. Mobclix then matches that location with spending and demographic data from Nielsen Co.
Mobclix uses the data to place a user in one of 150 “segments” it offers to advertisers, from “green enthusiasts” to “soccer moms “to “die-hard gamers.” “Die-hard gamers” are 15-to-25-year-old men with more than 20 apps on their phones who use an app for more than 20 minutes at a time. “It’s about how you track people better,” Mr. Gurbuxani told the WSJ.
Google was the biggest data recipient in the WSJ tests. Its AdMob, AdSense, Analytics, and DoubleClick units collectively heard from 38 of the 101 apps. Google’s main mobile ad network, AdMob lets advertisers target phone users by location, type of device and “demographic data,” including gender or age group. Google, whose ad units work on both iPhones and Android phones, says it doesn’t mix data received by these units.
Apple operates its iAd network only on the iPhone. Apple targets ads to phone users based largely on what it knows about them through its App Store and iTunes music service according to the WSJ article. The targeting criteria can include the types of songs, videos, and apps a person downloads, according to an Apple ad presentation reviewed by the Journal. The presentation named 103 targeting categories, including karaoke, Christian/gospel music, anime, business news, health apps, games, and horror movies.
According to the WSJ, the ad networks offer software “kits” that automatically insert ads into an app. The kits track where users spend time inside the app. A developer quoted in the WSJ article says ads targeted by location bring in two to five times as much money as untargeted ads. In its software-kit instructions, Millennial Media lists 11 types of information about users that developers may send to “help Millennials provide more relevant ads.” They include age, gender, income, ethnicity, sexual orientation, and political views.
The WSJ also claims that most of the apps don’t have written privacy policies. Forty-five of the 101 apps didn’t offer privacy policies on their websites or inside the apps at the time of testing. Neither Apple nor Google requires app privacy policies. Both Google and Apple say that they require apps to ask permission to send information to third parties. However, many app developers skirt the rules the WSJ reports.
Apple says iPhone apps “cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used.” Many apps tested by the Journal appeared to violate that rule, by sending a user’s location to ad networks, without informing users. Apple declined to discuss with the WSJ how it interprets or enforces the policy.
Google doesn’t check the apps running on Google’s Android operating system because third parties build the phones. Google requires that before users download Android apps that the developer identifies the data sources the app intends to use. Possible sources include the phone’s camera, memory, contact list, and more than 100 others. If users don’t like what a particular app wants to access, they can choose not to install the app, Google says. Google told the WSJ that app makers “bear the responsibility for how they handle user information.” “Our focus is making sure that users have control over what apps they install, and notice of what information the app accesses,” a Google spokesperson says.
rb-
The trade in your personal information grows as technology evolves. The WSJ says that Apple has recently filed a patent for a system for placing and pricing ads based on a person’s “web history or search history” and “the contents of a media library.” For example, home-improvement advertisers might pay more to reach a person who downloaded do-it-yourself TV shows, the document says. The patent application also lists another possible way to target people with ads: the contents of a friend’s media library.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
What you divulge can have an unintended impact. “We’ve seen this with applicants not getting jobs and employees getting fired for their Facebook and Twitter-based escapades,” financial personality Clark told CreditCards.com, “so we shouldn’t imagine this to be any different.” There are steps to take to guard your privacy. “I think it is crucial that everyone visit the privacy notices for the sites they use, read them, and change their settings to limit who can see their information,” says Clark. “For example, on Facebook, you can change your privacy settings so that only your acknowledged friends can see the majority of your information.” You can also enable “private filtering” on your browser. Do so and your activity will be entirely out of the Web profiling system.
– Updated 03-19-2011 – After the recent discovery of some 50+ malicious applications on the official 
