What to keep in mind before you download.
ADVERTISEMENT | SEPTEMBER 24, 2019 | |
|
 | | Getty Images |
|
By now you probably know that your apps ask for permission to tap into loads of data. They request device information, like advertiser IDs, which companies use to build marketing profiles. There's data the companies explicitly ask for via a pop-up window, like access to contacts or your camera roll. And then there's tracking that is especially invasive, like access to your microphone or your phone's gyroscope or location tracking data. |
What you probably didn't know is that by downloading those apps and entering into those contracts, you're also exposing your sensitive information to dozens of other technology companies, ad networks, data brokers and aggregators. Sometimes the information is shared with global tech giants; other times it's with small companies you've never heard of. |
The data is transmitted — or in some cases leaked — via software development kits (SDKs). They are essentially developer shortcuts, a set of tools or a library of code that developers can import from a third party so that they don't have to build them from scratch. |
Because they're so useful to app developers, SDKs are embedded into thousands of apps, ranging from mundane weather services to mobile games and even in some health apps. Facebook, Google and Amazon, for example, have extremely popular SDKs that allow smaller apps to connect to bigger companies' ad platforms or help provide web traffic analytics or payment infrastructure. In exchange, the SDK makers receive user data from that app. Just how much data is often unclear. And once the companies have it, there are no restrictions on what they can do with it. Theoretically, they could turn around and sell that data for profit. |
Last December I reported on how Facebook's SDK was collecting information from apps like Tinder and Grindr as well as various pregnancy and religious apps. Among the information sent to Facebook: your device IP address and type, the time of use and your advertising ID. While the data is supposedly anonymized, the advertising ID makes it extremely easy for bigger companies like Facebook to identify and link third-party app information to existing Facebook users (if you've logged into Facebook on your phone or downloaded the app, Facebook can theoretically match that advertising ID with the ID transmitted through the SDK). |
SDKs become particularly concerning when embedded inside apps that contain sensitive information. This month BuzzFeed News reported that period tracker apps were sending highly personal data to Facebook via SDKs, including when women last had sex. And it's not just Facebook; small tech companies and ad networks with unknown business practices provide SDKs to apps, and hoover up and potentially expose information. In 2018, a researcher for Kaspersky Labs "found 4 million Android apps were sending unencrypted user profile data, such as names, ages, incomes, phone numbers and email addresses — and, in one example, dates of birth, user names and GPS coordinates" from the app to the advertisers' servers. |
To get a sense of how prevalent SDKs are, I used Mighty Signal, a tool that tracks the SDKs embedded inside tens of thousands of apps to search around for sensitive categories. I quickly found Period Tracker, an Android app with more than 100 million downloads, according to the site. Mighty Signal listed 26 SDKs embedded in the app from Facebook and Google as well as smaller tech companies, each one transmitting potentially sensitive information. Feeld, an app that originally started as a way for couples and singles to participate in group hookups, currently has 42 installed SDKs and 52 previously installed SDKs on its iOS app. While its unclear exactly what information is being shared, each third party that's receiving sensitive information is a potential vulnerability. In the case of some SDKs, which belong to ad networks or smaller analytics firms, the companies may be bought or sold, so the data could change hands without its owners knowing. |
Nearly every advertising industry source I've spoken with requested anonymity to speak about SDKs, in part because their companies were using them in some way to collect data. One described the industry, which isn't meaningfully regulated or monitored, as the Wild West. "It's the industry standard," an online ad industry veteran told me. "And every app is potentially leaking data to five or 10 other apps. Every SDK is taking your data and doing something different — combining it with other data to learn more about you. It's happening even if the company says we don't share data. Because they're not technically sharing it; the SDK is just pulling it out. Nobody has any privacy." |
SDKs are not, by nature, nefarious. But their prevalence can turn almost any application, no matter how mundane, into a data harvester. Beauty apps and smart TVs have SDKs. Even cars have them. A 2015 report from Tech Crunch describes an early car SDK as "streaming real-time data from a car's computer and sensors to apps running on your phone." |
None of this data transmission is illegal. The companies transmitting and receiving data via SDKs don't try to hide the practices, though they are often buried in fine print. And yet the technology operates largely in the shadows. In my reporting, it's this lack of transparency that's most troubling. Even those aware of the SDKs inside their apps have little way of tracing their data, and three ad industry sources described the selling and repackaging of user data via SDKs as a "black box." |
With that in mind, I'll end this by enlisting your help. As smartphone users, we deserve transparency, either via regulation of the industry or from those on the inside. If you work in the advertising industry and have information about the use and abuse of data transmitted through SDKs or other means, I want to hear from you. You can email me here. Or via encrypted email. Or use one of The Times's secure tip lines and ask for me. |
From the Archives: 'That Game on Your Phone May Be Tracking What You're Watching on TV' |
This week's pick is recent by archive standards. But this 2017 piece by Sapna Maheshwari is relevant to the above discussion about SDKs. The piece describes how smartphone games are capturing extraneous information and using them for elaborate advertising purposes. |
| The apps use software from Alphonso, a start-up that collects TV-viewing data for advertisers. Using a smartphone's microphone, Alphonso's software can detail what people watch by identifying audio signals in TV ads and shows, sometimes even matching that information with the places people visit and the movies they see. The information can then be used to target ads more precisely and to try to analyze things like which ads prompted a person to go to a car dealership. |
Again, this information can be quickly de-anonymized and combined to form complex and revealing marketing profiles. |
| The disparate viewing information is tied to IP addresses, which can be matched to characteristics like age, gender, income and more through big data brokers like Experian without using personally identifiable information like names and addresses. |
Tip of the Week: Privacy Spy |
 | | A screenshot of Privacy Spy's website.Privacy Spy |
|
Privacy policies are long, boring and extremely consequential documents. If you've been reading this newsletter or keeping up with the Privacy Project, you probably know that buried inside these tomes of legalese are details about how your personal data will be collected, used and potentially shared. |
If you're like me, you feel a pang of guilt now every time you're confronted with one of these policies. Should you read it? Ideally, yes. Do you have the time, energy or legal/technical acumen to do so? Probably not. So we click "accept" and sigh deeply and move on. |
Which is why I am fascinated by Privacy Spy, a newly launched site that makes privacy policies more convenient and accessible. It's a little like Wikipedia but for figuring out how a company is using — and misusing — your information. Currently the site has 72 major companies' policies (full disclosure: The Times is included) listed. The website has analyzed each company's policy and assigned a score out of 10 using 12 individual scores across four categories: collection, handling, transparency and warnings. |
Even if you've accepted a company's policy in the past, this is a great reference to see how it's handing your information. Better yet, it's completely open source, supported by a nonprofit, and there are no trackers on the site. Check it out here. |
Send me your pressing questions about tech and privacy. Each week, I'll select one to answer here. And if you're enjoying what you're reading, please consider recommending it to friends. They can sign up here. |
歡迎蒞臨:https://ofa588.com/
娛樂推薦:https://www.ofa86.com/
沒有留言:
張貼留言