The Privacy Risks of App Trackers: Can You Stop Them?

As the medical and public health communities scrambled to mount a response to the coronavirus epidemic, Apple, Google, and other tech companies rushed to help. A flood of mobile COVID-tracking apps were released, apps that would notify people when they’ve been in contact with someone who later tests positive for the virus. Installing and using these apps is strictly voluntary, and they have been designed to protect the users’ privacy. And yet, experts are still concerned about hackers using the apps to track people’s movements or causing a public panic by breaking in and flooding the system with false COVID cases.

So, here’s a more general question: if apps designed by tech giants to be absolutely private and secure aren’t necessarily safe, what about the apps you use every day, built by hundreds of little companies that aren’t in the public eye? The answer: they may not be secure and certainly not private! If you value your privacy, apps need to be chosen and used with care. Let’s look at the issues and what you can and can’t do to help ensure your safety. (If you’re a MyIDCare member, let us assure you that our identity protection app does NOT use app trackers. We don’t gather, share, or sell your data.)

While we generally think of mobile apps as sources of entertainment or helpful tools, most are built as vehicles for both gathering data on the user and selling ads through their apps to you, the user. As an article in DigitalTrends explains, most mobile apps are put together using software building blocks from companies such as Facebook and Google. Some of these embedded software pieces gather behavior, location, and other data that is used to target in-app advertising to the user. For instance, if you have installed a fitness app, Google or Facebook can show you ads for diet products tied to your fitness goals or fitness stores near your location. It sounds harmless, but here’s what can go wrong:

• The companies that run app trackers claim that the information they gather and share is anonymous, but that’s not necessarily true. A researcher at Kaspersky Lab found that 4 million Android apps were sending unencrypted user data, including names, incomes, phone numbers, email addresses, and even GPS coordinates to advertisers’ servers. And even if user data doesn’t contain names, big advertisers often have enough data on consumers that they can put facts together and identify a person.
• Free apps sell targeted advertising to make money. Scammers and con artists can buy targeted advertising spots and use them to trick people into handing over money or personal information. (Interestingly, a study of Android apps found that many paid, ad-free versions of apps still use the same trackers to gather user information.)
• The fact is that any stored user information can be breached, and tech giants that gather these massive amounts of user information are frequently breached. So even if the app maker intends to keep your data private, it can still fall into criminal hands and be used for identity theft.
• Many mobile apps have poor security. When you get an app for free or for a couple of dollars, you can bet that the people who built that addictive little sudoku puzzle or farm game are not high-powered cybersecurity experts. So, many apps can easily be hacked to spy on users.

Unfortunately, there’s very little you can do to control app security and tracking. There are no settings in the iOS or Android operating systems that let you turn off or block app trackers. And you can’t predict what information is being gathered by trackers. For example, Wall Street Journal investigation found that many apps send info to Facebook, even if you’re not logged into its social networks.

However, there are some steps you can take to protect your privacy and identity, and we’re here to let you in on those well-kept secrets:

• Research the developer before downloading an app. Do they sell lots of apps with high ratings from thousands of satisfied customers, or do they offer a few obscure apps with very few ratings? Apart from potential poor security, obscure apps are more likely to conceal spyware or other malware.
• Read the apps privacy policy. It may not be 100 percent accurate about what’s tracked, but it’s a start.
• The Privacy Rights Clearinghouse advises you to assess the “creepy factor” before installing an app. Think about what information the app requires you to share, and what the negative impact could be if it were made public.
• When you install a new app, immediately turn off location-sharing unless the app truly depends on that information. If it does, set it to use location services only when you’re using the app.
• Go into the app’s privacy settings and set them for the strongest privacy that you can. This excellent and entertaining Wall Street Journal video gives a great overview of privacy settings and what they can and can’t do to protect you.
• Turn on encryption on your device to at least protect personal information that’s stored there.
• Finally, if you stop using an app, delete it and try to delete or request the app maker to delete any user profile they kept on you. You don’t need Bumble keeping your information on file, if you’re not looking for love now, do you?

The bottom line is: if you use apps, you’re going to be tracked. And there’s always the risk that the personal information gathered by app trackers could be used against you. Stronger privacy laws and industry oversight could help. But, ultimately, you need to do your own risk vs. benefit analysis. Does the benefit you get from a given app outweigh the risks to your identity and privacy if your information fell into the wrong hands. It’s a personal question.