Last fall’s Global Privacy Enforcement Network (GPEN) Mobile App Privacy Sweep is continuing to yield positive results for consumers in 2015.
As you might recall, the Office of the Privacy Commissioner of Canada (OPC) coordinated an assessment of the privacy communications of 1,211 popular mobile applications (apps) in conjunction with 25 national and international privacy enforcement partners. Our office alone assessed 151 apps.
Sweepers around the world found that 85 per cent of apps they looked at failed to clearly explain how they would collect, use and disclose personal information.
Our office decided to share our concerns with the developers – both the large corporate ones and the small-time basement genius types – behind some of the apps we swept.
Aside from the “l-APP-luster” and “dis-APP-ointing” apps we wrote to last fall before identifying them in a blog post, we sent letters to dozens of other apps outlining a number of our privacy concerns.
We’ve now heard back from the developers behind 31 of the apps we swept. The vast majority of them were grateful for our feedback and have committed to making improvements to their privacy communications.
In fact, our outreach efforts have led to positive changes to the privacy communications and practices of some 136 apps.
We take from the overwhelmingly positive response to our letters of concern that many app developers want to protect the privacy of their customers and may simply be unaware that their practices were falling short.
The feedback we’ve received shows that education and outreach can often effect change without the need for more costly and time-consuming formal investigations. We see this as a testament to the success of the annual privacy sweep initiative.
Unfortunately, we could not reach the developers behind six apps despite significant effort. We’ve decided instead to name those apps here in the hopes that their creators might see our comments and make positive changes for their customers – starting with providing adequate contact information.
Here’s what we found:
Emoji Keyboard 2: Animated Emojis by Shishi Li
This app allows users to add emojis to their text messages. According to sweepers, no privacy communications were available before or after download. The data controller’s website was little more than a link to a Facebook page in the name of “John Smith.” Sweepers say the app appeared to link to Facebook, Twitter, email and SMS functions, but it did not ask for permission. Users are also asked to login to social media, but it’s unclear if personal information is being collected as a result.
Hide N Seek: Mini Game with Worldwide Multiplayer by Wang Wei (FingerLegend)
Smashy Birds With Blood by Bitcage Europe, Ltd.
Can You Escape – Tower? by Kaarel Kirsipuu (MobiGrow)
Belly Fat Workout FREE: 10 Minute Ab Exercises by Pro Code Media
2048 by Estoty Entertainment Lab
This app is a highly addictive math game that, according to the developer, has been downloaded more than 35 million times. Our Sweepers have found no privacy communications whatsoever in the app marketplace or on the developer’s website. There were also no in-app privacy communications which left sweepers with a sense of unease over whether personal information was being collected and if so, how it would be used and disclosed. This developer also has other apps available in the app marketplace, at least one of which appears to link to Facebook, and Sweepers felt a best practice would be for Estoty Entertainment to be upfront about its personal information handling practices.
It’s been eight months since we publicly raised concerns about four apps for their l-APP-luster or downright dis-APP-ointing performance when it comes to privacy communications.
Note to developers: Click here for great tips on how to communicate your privacy practices to app users.