I ran across a disturbing article in The Verge about mental health apps that were oversharing user data. As usual, I’m not surprised, but still really angry. This is wrong and has to stop.

The study by JAMA Network Open on 36 apps for smoking cessation and depression found that 29 of them shared some marketing data (mostly with Google- and Facebook-affiliated firms) – but few of those accurately disclosed this sharing in their privacy policies. And we don’t even have to talk about how many people actually read those policies and were able to decipher them. (Only 25 of the apps even had a privacy policy!) Here… just check the results for yourself:
Twenty-five of 36 apps (69%) incorporated a privacy policy. Twenty-two of 25 apps with a policy (88%) provided information about primary uses of collected data, while only 16 (64%) described secondary uses. While 23 of 25 apps with a privacy policy (92%) stated in a policy that data would be transmitted to a third party, transmission was detected in 33 of all 36 apps (92%). Twenty-nine of 36 apps (81%) transmitted data for advertising and marketing purposes or analytics to just 2 commercial entities, Google and Facebook, but only 12 of 28 (43%) transmitting data to Google and 6 of 12 (50%) transmitting data to Facebook disclosed this.
JAMA Network Open study
The Wild Wild Web
The problem is that we have no meaningful regulation around data collection and sharing. This allows these companies to sell you out without even telling you they’re doing it. The invisible hand of the market can’t function if consumers can’t objectively compare the relative security and privacy of Product A vs Product B. You can’t make an informed choice if you’re not informed.
Due to political debates in recent years, the term “regulation” has become a dirty word. Regulation means government overreach and meddling in our daily lives. But regulation is what keeps your airplane safe and your pilots sober when you fly. Regulation keeps the food and drugs you buy from poisoning you. Regulation makes you much more likely to survive when your car crashes. (I had a great conversation with Bruce Schneier about this.)
Trust But Verify? How?
The Verge article encourages users to ‘trust but verify’ their apps. I would amend that: never trust and always verify.
The sad thing is, there’s no good way for you to verify. Yes, you can scour the privacy policies. But that’s just not practical. For one thing, they’re too long. According to this article, the iTunes terms of service are longer than Hamlet. PayPal’s agreement is longer than Macbeth. Who is ever going to read that?
And that assumes you can understand what the terms are saying. Much of the language is legalese. The true purposes of data collection and sharing are obfuscated by euphemistic language about “improving your experience”.
Worse yet, these apps (as this study shows) may not even tell you what they’re doing. Again… this is why we need regulations with teeth.
So, what are we to do? Here are a few tips.
- First of all, you can check out Terms of Service; Didn’t Read to help you quickly evaluate policies for popular sites and services. This site reads the terms of service for you and distills the key elements into a simple rating system.
- Second, you should clean up your apps. Remove any apps you no longer use or truly need. You can always re-install them if you change your mind later.
- Finally, dial back the permissions on any remaining apps. Don’t overshare. Why would a flashlight app need to know your location? Does that to-do list app really need access to your address book?