What do your apps want to know about you?

by Ahmed Dubai
Comments: 0
What do your apps want to know about you?

We all like to pretend that we take legal matters seriously, but the reality is that few of us do. Case in point: have you ever actually trawled through all the terms and conditions on any app?

Our apps are watching us, often keeping track of what we do. So without reading thousands of pages of legal mumbo-jumbo, how can you know what data you're signing away and how it will be used?

We were wondering, too, which is why we've been back to look at the data collection policies of some major apps. Here's what they really want to know about us.

 Spotify is watching you walk

According to Section 1 of Spotify's privacy policy , the streaming service (which counts over 75 million users) will record your "interactions with the Service" – that is, what music you listen to.

No surprises there, although it will also save your interactions with third party services and adverts linked through the service. So if you click on an advert in the app, don't be surprised if you start seeing ads for more of the same sort of thing.

It will also record what search queries you make (Section 3.2). So sorry, yes, there is a log of all of those furtive searches for Nickelback that you were too scared to hit play on. It will also grab what it calls "technical data" – such as cookie data, your IP, details on the device you're listening on and so on.

Perhaps most intriguingly, Section 3.2 also says that Spotify will also collect your motion data from the accelerometer and gyroscope. Why does Spotify want this? Is it secretly tracking our movements? Thankfully the answer is much more benign: It is tracking our movements, but only to enable the app's Running feature, which varies the tempo of your music depending on your pace.

What's interesting though is that a few months ago, Spotify caused a huge contreversy when it updated its privacy policy to include permission to access your contacts, photos, location, microphone and social networks.

It now appears that this was a case of the company future proofing its policy – doing the legal work now just in case it wanted to incorporate photo upload (for some reason) in the future. Unfortunately for the company, the change spiraled into a slightly hyperbolic PR nightmare.

In any case, the company has since argued that if its apps ever did want access to any of these features on your phone, you would have to grant permission manually when the feature was implemented. For example, in iOS and Android, if an app wants to access your photos, a box will pop up asking you to explicitly grant permission. So you're still in control.

And finally, there's a section (5.2) in there about how Spotify might share your data with different partners. Aside from the "boilerplate" stuff (court orders, in the event of a sale or merger, etc), it also notes that your data could be shared in a "de-identified" format (pseudoymized) with academic researchers.

Perhaps most surprisingly, if you signed up to Spotify through a special offer with a network or ISP (such as Vodafone), Spotify reserves the right to share data on your Spotify usage with them too (Section 5.2.4).

Conclusion: Only a problem if you're worried about your carrier realizing just how much of their bandwidth you're using listening to Bieber.

Uber wants to know your call and text data

Taxi app Uber is almost constantly in the headlines in London for its battle with the capitals' venerable black cabbies. But should we worry about the data it is collecting about us as well as its impact on the regulated private hire market? The company has published a very detailed privacy policy , so let's have a look.

In essence, like most of the services in this investigation, there's a lot of stuff that has become standard. Uber says that it will collect data on your location, your transactions with the service, the device you're using and the "log information" about your device, web browser and so on.

The key thing to remember with Uber is that there is a difference in the information stored and shared between what Uber, the corporation, gets to see, and what data about you it shares with its drivers, which the company technically sees as private contractors and not employees.

In terms of the former, there have previously been allegations made about a supposed "God view," which is a map view available to people in the company to view all of the Uber vehicles currently on the road (imagine something like the multiplayer map in Grand Theft Auto Online, perhaps).

Arguably, this is necessary for the company to be able to monitor its operations and ensure its services operate smoothly, but there have also been allegations that such maps have been projected on the wall  as decoration in Uber-hosted parties.

So, what exactly does Uber get?

The only two points that might surprise are your contact information – which Uber says (if you choose to grant it) will be used to "facilitate social interactions". In other words, if you choose to split the fare on a ride, it will let help you choose your contacts. It will also collect your call and SMS data – though this is presumably in reference to communications between you and its drivers, so it can see communications between the two of you.

One other piece of data collection which might not be too well known is that not only do you get to rate drivers when you catch a lift, but they get to rate you too. Seriously. So Uber have recorded internal ratings for you as a passenger - and obviously store this data to share with other drivers when you request a lift. You can actually request to see your own rating by contacting Uber support.

In terms of sharing with third parties, Uber's policies are similar to Spotify with the company reserving the right to share data with advertisers. It's Cookie Policy specifically mentions the use of "pixel tags" - these are when a company deliberately embeds a tiny image that enables you to be tracked without needing to be logged in.

When your computer downloads the tiny image it sends to the server information about your browser, device, screen resolution and IP address and so on (the "log" information), which can then be used to see how often you visit a website or app and track your movements. Don't be too worried though, as this is fairly common practice - and one carried out by most of the companies in this piece.

More broadly, Uber has previously got into some hot water about accessing user data after one executive made comments that some people have claimed suggest he might be willing to access the private ride data of a journalist to investigate her private life. Since, Uber has apologized  for the comments and has denied  that it reflects "company policies or practices". In any case, as a tech journalist writing this can I just say that I think Uber is the best company in the world.

Conclusion: Though Uber's arrangements with its drivers are controversial in other respects, perhaps it does guarantee a legal separation that means the person driving you won't know that much about you. 

Snapchat has a memory

Once you've sent a Snapchat and it's been viewed, it's gone forever, right? Maybe, but it doesn't mean that Snapchat head office won't still hold quite a few details relating to it and you.

The company explains that it collects usage information – including data as detailed as which lenses you apply to pictures, as well as metadata surround each message like the day and time. It also collects information on how often you speak to people and when you open messages.

Like everything else, it will also take data on your device itself, including its unique identification number, as well as your browser type, which Wi-Fi network you're connected to, and the aforementioned "log" information such as your IP address.

Perhaps most curiously – and something that has caused contraversy – is the claim that the app will log "pages you visited before navigating to our services." This sounds scary – after all, what could Snapchat have seen you looking at?

This is probably a reference to what web developers call "referrers." Whenever you click a link on a normal webpage, the page that you go to will be able to see the page you were on previous. This has been the done thing since the inception of the web and has been incorporated into app design too. So if you follow a "share on Snapchat" link from a webpage, Snapchat will know which webpage you've come from.

But – and this is the big but – if your entry into Snapchat isn't via a referral, the app will still have a record of your browsing history. So just make sure you close anything you don't want anyone knowing about before checking your Snapchats.

And finally, in terms of the service's signature message deletion, the privacy policy notes that messages are normally deleted from Snapchat's servers within 24 hours (so you can use features like Replay), but this can be suspended by requests from law enforcement. So if you're planning your next heist and don't want to get caught – don't do it via Snapchat.

Conclusion: No need to worry about Snapchat staffers seeing your "private" photos, but they'll probably know when you sent them.

Surely there would be an interesting data collection policy here given Tinder is dating app? Is Tinder figuring out what sort of people you like? If you're always swiping right on people with glasses or older people the app could do something clever with that information, right?

The privacy policy doesn't reveal anything too juicy – but what is interesting is that like most (if not all) of the other companies listed here, Tinder says it reserves the right to collect data on you from other sources.

Twitter hides in plain sight

Like everyone else, Twitter collects "log data", as well as data from widgets embedded in third party websites. So, for example, if you read a film review that has a Twitter button embedded into it, don't be surprised if you start seeing adverts on Twitter for that film (many other services, including Facebook, do the same thing).

What is interesting to note privacy-wise (and which you might already know) is just how much information you give to Twitter is public but sort-of hidden in plain sight. For example, you might not have fully realised that the list of people that you follow, and who follows you is public. Perhaps more importantly anything you favourite/heart is also public - and this has caught people, including some politicians , out before.

Twitter also logs your location if you grant it access on your device. This means that theoretically your tweets can be geolocated - which might be useful, but also reveal where you are if you don't want to be found.

Conclusion: Everything sensitive is probably already public anyway. 

Facebook can use your data in academic studies

Given that Facebook accounts for a large proportion of our lives, there's no doubt that Facebook knows a lot about us. Which is probably why its policy is fairly exhaustive. In among all of the now normal stuff that we expect a service like it to collect, it also notes that it will collect your battery and signal strength. This is presumably so that developers can analyse app processing to check that your battery isn't draining , and also to enable the feature that lets you post offline.

The policy also notes that, like Spotify, your data may be used in academic research . Given the wealth of data, and the fact it could conceivably be segmented by location and demographics and so on, it's no wonder that scientists are keen to interrogate it.

It has already led to some fascinating results – including this paper on the extent to which people with similar political views either stick together or interact with people they disagree with.

Needless to say, Facebook's use of our data hasn't been uncontroversial. In the past Facebook received criticism for not letting users delete data – and even retaining data once accounts were removed. More recently, the company has come under fire for expanding its research capabilities to mine previously unsearchable data.

Conclusion: We already know that Facebook knows everything. Just make sure your privacy settings are set so you only share with the people you want to share with.


And now the big one: Google. Perhaps it is easier just to assume that Google remembers everything given the company's endless appetite for information.

The company's privacy policy then, is surprisingly brief, and talks about how it collects similar information to the other companies in this feature. This includes your "log" information – like your IP address and device information, as well as "unique" application numbers to identify your device. It also uses the aforementioned pixel tags. So far, so standard.

But interestingly it also notes something that you might not realise is being shared with Google: the times and dates of your calls on your (presumably Android) device, how long they lasted and the "SMS routing" data.

Google also notes that it will log your location information. If you have an Android phone Google will quietly collect data on everywhere you go - and recently even launched a feature that would enable you to retrace your steps. The good news is that if you don't want to be tracked you can switch off location history in settings on your Android device, and delete your existing location history on the Google location history section of Google Maps.

The policy also says that it will capture data using "other sensors" – including nearby Wi-Fi hotspots. This is something that has caused controversy before when Google tried hoovering Wi-Fi networks up with its Street View cars. The idea behind it is that by measuring which networks are available and the strength of the signal, Wi-Fi networks can be used to geolocate users without GPS – so it will both work indoors, and drain less battery. You don't even have to connect to Wi-Fi for Google to get the data, including each router's unique MAC address.

In terms of how Google uses your data, it's exactly as you's expect: to serve you ads. Interestingly the policy does say that tailored adverts will not be driven by any data Google can deduce about you from "sensitive categories" – which it describes as health, sexuality, race and religion.

What is quite nice about Google's approach – and perhaps we should expect it given the vastness of Google's operation – is that the company provides a whole suite of tools to manage the data that Google contains, so you can download everything or tell Google what specifically to delete.

Conclusion: Google knows everything and in exchange allows the internet as we know it to exist. Whether this will be a fair trade in the long run remains to be seen, but for the time being it is working out quite well.

What have we learned?

Most of the policies are actually rather similar – with all of the apps tending to collect more rather than less data. This is probably for fairly obvious legal reasons: you can sue them if they collect something they haven't warned you about, yet you're not going to be very upset if it turns out that the companies aren't spying on you.

But it is perhaps worth taking a step back and considering just how much data about ourselves and our activities we now routinely share, every minute of every day. The amount of detail these companies – especially the big ones like Facebook and Google – hold about us could conceivably be quite dangerous.

If we want to continue to live in a society that respects the privacy of individuals, we need to become more diligent – and take more of an interest in how much these companies know.

Comments 0

To leave your comment Login or Register