Personal Data: Permissions, Leaks & Protection

by Shadab Farooqui

I was in the process of installing an app that replaces my home screen on Android, until the following data access screen made me take a step back and think for a bit:


The app was requesting permission to have access to my SMS with the ability to receive, reply and delete without my permission. Out of curiosity, I tweeted them asking the reason for such access (no response yet), and then went about searching for the privacy and data policy for the app (which was kinda scary).

In another instance, this time for a web service, I was looking into a service that takes all marketing email and neatly sorts it into different folders - seemed like a cool service. While signing up, I got to this page where it was requesting access to my email - DOH - should've thought about that. I spent 20 mins reading their privacy policy, which reaffirmed my skepticism that granting access to my email is not worth the value given by the service. So - No Thanks, I'll scan the emails myself in exchange for keeping my email private. I had another similar experience when I was hoping to sign up for a service that reminds me to connect with individuals for nurturing the relationship.

I'm sure all these services are great, and provide a lot of value to the user, and do not have any ulterior motives with the data. Yet there are enough reasons to be skeptical and I'd like to think there are more people like me who feel the same way. Way too often, I never read through the permissions I'm granting to the apps downloaded to my Android device, or services I'm signing up with online. I almost never read through the privacy policies and terms of use until recently.

Think of the various data leaks there are online:

(1) All the apps on your smartphone devices with access to SMS, FB, LinkedIn, Email

(2) Any other web-based 3rd party service that integrates with Facebook, LinkedIn, Gmail etc.

I know for a fact that I have signed up with a ton of apps and services that have persistent and often unnecessary access to my private data, including but not limited to email, SMS and social.

My thoughts on addressing the concerns raised by granting persistent personal data permissions:

(1) Every app needs to have a data policy in plain English, not hidden in the footer under privacy policy but clearly linked in the header under the title "Data & Privacy Policy".

(2) Apps need to make it easy for current and ex users to OPT OUT of data collection, use and storage.

“In the future, access to personal data will be a deliberate and informed decision, making users aware of the implications of ignorance”

The service should do the following (at the least):

(1) Track WHO has access to WHAT data and HOW it will potentially be used, by scanning apps on your phone + access given by your social networks

(2) Ability to send email to the app company requesting to delete data or OPT-OUT

(3) Keep users up to date via alerts and action items related to their data.
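Point (1) above, tracking WHO has access to WHAT, as an added example that is not part of the original post. It assumes each app's permissions are available as text in the style of `aapt dump permissions` output; the package names and the sample dump are constructed.

```python
import re

# Real Android permission names mapped to the personal data they expose.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.WRITE_CALL_LOG": "call log",
}

# Accept both spellings: "uses-permission: X" and "uses-permission: name='X'".
PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)")
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def who_has_what(dump_text):
    """Return {package: {data category: sorted permissions}} for risky apps only."""
    found = {}
    package = None
    for raw in dump_text.splitlines():
        line = raw.strip()
        pkg = PKG_RE.match(line)
        if pkg:
            package = pkg.group(1)  # following permission lines belong to this app
            continue
        perm = PERM_RE.match(line)
        category = SENSITIVE.get(perm.group(1)) if perm else None
        if package and category:
            found.setdefault(package, {}).setdefault(category, set()).add(perm.group(1))
    return {p: {c: sorted(v) for c, v in cats.items()} for p, cats in found.items()}

# Constructed sample: three hypothetical apps, one of which only needs the network.
SAMPLE = """\
package: com.example.launcher
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
package: com.example.notes
uses-permission: android.permission.INTERNET
package: com.example.social
uses-permission: android.permission.READ_CONTACTS
uses-permission: android.permission.WRITE_CALL_LOG
"""

if __name__ == "__main__":
    for app, cats in who_has_what(SAMPLE).items():
        print(app, "->", ", ".join(sorted(cats)))
```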

Similar to how ad-tech companies have opt-outs (think Evidon), there need to be delete-outs for app companies and any company that integrates or pulls personal information. From a business perspective, this service is akin to a virus scanner for the consumer: this "app scanning" service is the privacy scanner of the data sharing world. The personal data protection market is up for grabs -- I'd use, and likely pay for, a service like this. Would you?


To prove the point of this blog post, this just came in on TechCrunch a few hours after I published this post:

Facebook Reading Android Users’ Texts? Well, Hold On

A TechCrunch user's comment:

"I haven't updated Facebook app on my Android for a long time due to ridiculous permissions they ask for:

  1. Read SMS
  2. Add or modify Calendar events.
  3. Send emails to guests without my knowledge
  4. Connect/Disconnect WIFI
  5. Draw over other apps
  6. Retrieve running apps
  7. Direct call phone numbers, read phone status and identity
  8. Modify contacts
  9. Read call log
  10. Read contacts
  11. Write call logs
  12. Find accounts on the device
  13. Reorder running apps
  14. Read sync settings
  15. Change network connectivity.
  16. Download files without notification
  17. Set wallpaper

Yep, all this to connect with my friends on Facebook? No thanks.

Sadly, after Android removed AppOps, I can no longer control permissions, and hence I am not updating any apps that ask for ridiculous permissions till the guys at Google bring back AppOps, and if they don't I am switching to CyanogenMod or start using my iPhone only."