Ominous Privacy Implications of Ad-Supported Cloud Apps

Ominous Privacy Implications of Ad-Supported Cloud Apps


When you pull out your smartphone to bring up an app, how many screens do you scroll through to find the one you want?

If it’s more than one or two, that makes you a typical smartphone user. And once you open the app, you’ll likely need to connect to the Internet to access the app’s features. A recent Nielsen analysis found that, on average, U.S. smartphone users access 26.7 apps a month, and this represents only a quarter of what people actually have installed on their devices.

Mobile Ad Supported Apps
Mobile Ad
Supported Apps

Over the past few years, mobile app downloads and usage have exploded. With more than 1.5 million apps in each of Google’s and Apple’s app stores, there’s no shortage of choices. Apple alone says there have been more than 100 billion app downloads from its store since 2008.

Over the same time period, the penetration of smartphones in the mobile phone market has gone from 2% in 2005 to 75% by the end of 2014. By 2017, 80% of the world’s mobile phone users will have a smartphone.

Consumers love the convenience of using mobile devices to access their favorite apps, and the proliferation of the “freemium” model has gotten them used to getting free applications. About 75% of the software available in the app stores is free to download, which makes these apps easy to install and try without a cost, but according to Gartner 75% of mobile apps also fail security tests

In truth, there is a cost, whether you’re aware of it or not. When you download a free app, you pay with your privacy if not your wallet.

The ad-supported business model

The people who develop all those mobile apps need a way to make money. Their revenue obviously isn’t coming from selling the apps to users who don’t pay money for them. Instead, they are part of a rapidly growing mobile advertising business model that offers financial incentives for developers to distribute their apps for free. Here’s how it works.

A developer creates a useful or entertaining application that he makes available for free in an app store. A consumer chooses to download the app and install it on her smartphone. During the installation process, the app may or may not notify the user that it wants to collect information and asks for permission to do so. Once installed, the app harvests this information and sends it over the Internet to an unseen ad network, which builds a profile of the smartphone user. Based on this profile, brand companies may bid to send ads to the user’s smartphone. The application developer is paid for each ad that is served via his application if the ad network runs a cost-per-thousand impression model (CPM). If the user clicks on an ad, the developer may garner a premium payout from the ad network.

For developers, advertising has proven to be a highly effective way of monetizing their free apps. Mobile ad spending in the U.S. is expected to top $42 billion by 2018. According to a BI Intelligence report, mobile is growing faster than all other digital advertising formats in the U.S. as advertisers allocate their dollars to reach the lucrative and growing demographic of “mobile first” users—people who turn to their smartphone before any other form of media.

The accurate profiling of app users primarily drives this ad-supported economy. A successful ad campaign requires access to personal information that can potentially be considered private. Academic researchers refer to a person’s smartphone as “an avatar of the individual in the digital world.” The phone is the gatekeeper of one’s mobility patterns, contact details of friends, social networks, and more. Exploiting this device and the information it holds can be good for advertisers but potentially bad for the consumer as privacy lines are crossed.

Getting to know you

Ad networks want to know you as intimately as possible, so they encourage developers to collect information like your geographic location, which can be quite explicit; your phone state, which includes your service provider, phone number, and your phone’s unique identifier (the IMEI); who you know (i.e., your contact list); and even your SMS messages. More data means more targeted ads and higher ROI for the brands placing the ads as well as the ad networks.

Apps often ask permission to collect categories of data or to perform actions with your phone, but the permission requests might be so nebulous as to confuse you or distract you from caring. Many users don’t pay attention to the permissions they allow during an app download or installation process.

Among the most commonly requested permissions are: Internet access from the device; write to external storage; read the phone state; access the user’s location information; read the contact list; call the phone; access the camera; read or write SMS messages; get the user’s calendar or task list; and write to the device’s settings file.

Quite often the permissions an app requests don’t seem to be justified for the app category. For example, an app in the “comics” category might ask to collect your current location. While the app might not need that information, the ad network does.

94% of free apps request access to the Internet. After all, most mobile apps that require an internet connection are really just cloud apps by another name. During the app download, sometimes it’s just the icon that gets placed on the phone. The rest of the app is accessed in the cloud once the app is fired up. It’s this Internet access that enables your data to be sent to the unseen third parties.

Protecting your privacy Apps

Your right to privacy is at stake. Too many apps fail to make clear their data collection and use practices. According to the Global Privacy Enforcement Network (GPEN), one in three apps tested provide no privacy information at all other than the permission requests. This is oftentimes due to the fact that the data isn’t collected for the purpose of providing you with a better service or end user experience, but rather to give additional information to advertisers for targeting.

A June 2015 study by the Annenberg School of Communication at the University of Pennsylvania reveals that most Americans do not believe that “data for discounts” is a good deal. 91% of people surveyed disagree – 77% of them strongly disagree – with the statement, “If companies give me a discount, it is a fair exchange for them to collect information about me without my knowledge.” Ignoring this sentiment, advertising networks argue that people would not download the free apps if they strongly felt that the tradeoff of information for the benefits of the app was unfair.

The Annenberg study researchers say that people seem resigned to giving up their private information because they are essentially powerless to stop it.

In a recent speech, Apple Corporation CEO Tim Cook said that consumers shouldn’t have to make tradeoffs between privacy and security. Cook believes people have become complacent about their personal privacy because too many companies try to monetize everything they learn about you.

Indeed, it’s a delicate balancing act. Consumers love their free apps, but striving for total privacy by starving those apps of the vast amounts of data they collect breaks the ad-supported business model that makes the apps free in the first place.

Still, there are steps that can be taken to preserve at least some level of privacy.

Normally encryption is one of the most reliable ways to protect private data, but encryption isn’t feasible in this case. It’s not practical to attempt to encrypt data such as text messages on a smartphone. Rather than apply technology like encryption to address the issue, a better approach is to improve personal and industry practices.

Individuals can become more aware of the ad-supported nature of free apps and be diligent about trying to understand what information they are surrendering. If a person objects to the data collection practices, he should shop for another app with less intrusive practices.

The mobile app industry needs to step up to take some amount of responsibility as well. Companies that control app distribution through their stores have some leverage with developers if not the ad networks. This industry can require that apps provide clear privacy policies and just-in-time notices to remind users that the app will collect certain information just before the user agrees to provide this information. The app can be required to obtain affirmative express consent for certain categories of data collection and dissemination as appropriate. And finally, an app’s privacy policy should link to a page that can be read on a mobile device.

These measures show respect for user privacy without killing the ad-supported business model. With greater transparency of what apps are really doing, consumers can make better choices to protect their own privacy.

Sekhar Sarukkai is a Co-Founder and VP of Engineering at Skyhigh Networks, where he is responsible for engineering and operations. He brings more than 20 years of experience in enterprise networking, security, and cloud services development.


Comments are closed.