Shocking news reveals a privacy breach that will make you want to throw away your phone. Your data is legally traded in a $300 billion ecosystem
Arha Surve, 7, says his parents Himshree and Amit use the apps for two hours a day for maths, letter writing, language learning and gaming. Pic/Nimesh Dave
Arha Surve is a spirited seven-year-old whose tablet is loaded with educational apps to help him with math, letter writing, languages, musical instruments and all the games expected to interest a child obsessed with creating the world’s longest, most expansive games. intricate marble run. While his parents, Himshree and Amit, ensure that screen time is limited to two hours during the school year, three hours are allowed during vacations.
Like most parents, they don’t know* that most apps have built-in components that suck up data that determines user habits and manufacturers’ behavioral traits. Most apps also have access to your camera and location. Yes, even kids* apps. Data – often unencrypted – is legally traded in an ecosystem that* is worth $300 billion.
Laws banning the collection and use of children’s data* have come into force internationally. But right now, as cyber experts like to say, your phone is a massive surveillance device. It happens that you also call from time to time.
Earlier this year, Arrka, a start-up that empowers organizations to better protect their privacy, released its 2022 Privacy Report. The research studied the apps and websites of 189 organizations, including 100 Indian firms across 25 industries. Part of this report, which focused on 30 children’s apps, revealed some disturbing facts – 67 percent of Android apps and 50 percent of iOS apps have access to at least one permission that falls into the Dangerous* category. This includes camera, microphone, contact list, location, files in storage and device details.
Arha*’s parents say they take every precaution possible, such as using a dedicated email ID that verifies his age and restricts access to inappropriate content, linking his devices via Google Family Link to track time spent on the device and keeping a close eye on apps , which downloads. . However, Arrk’s study gave them food for thought.
“Before, I didn’t think much about privacy,” says Himshree, “but now I’m more aware of potential security threats. As a working parent, these gadgets help me buy an hour or two for myself. My child’s* safety is a top priority, but I can only so much can be done. Some issues should also be addressed at the political level.”
The overall results of the study are no better. Of the 189 apps that Arrka analyzed, 76 percent of Android apps have access to the user’s exact location, 76 percent to the camera, and 57 percent to the microphone. For iOS, those stats were 59 percent for location apps even when the app wasn’t in use, 81 percent for camera, and 54 percent for microphone.
And that* isn’t the only thing out of nightmares: In addition to access permissions that fall into the Dangerous category, they also install trackers—tiny files silently stored on your device that track what you do online.
“This data is typically used primarily to create a detailed profile of user behavior,” says Shivangi Nadkarni, co-founder and CEO of Arrka. “It’s* built over time with data collected over the years across different apps, devices, channels and sources, which is constantly being enriched and improved. These profiles include how you usually spend your day, who your other family members are and who you hang out with, everything you do online, and so on. Sophisticated algorithms scan you in depth and even predict future behavior. This data is then traded between different entities. There’s a huge adtech ecosystem – a $300+ billion industry and it’s growing fast.”
To top it all off, it’s completely legal. Currently, India has no privacy law to restrict this practice. There are rules under the Information Technology Act that only cover very sensitive data, but the rest of the data, including that included in the Arrka* study, is free for all.
“One of the big steps that India’s privacy legislation has taken,” says Kayzad Vanskuiwalla, director of cyber threat detection and analysis, Securonix, “is the decision that all sensitive personal data must be kept in India and not* transferred outside the Govt. and other regulatory bodies, however, should be established to define how this data is stored, accessed, and what strict measures will be taken if any company violates these policies. The EU*s General Data Protection Regulation (GDPR) keeps big corporations like Google, Facebook and Apple under scrutiny for privacy laws. Many of these practices can be implemented in India as well.”
Nadkarni says that while there is no one-size-fits-all solution to protecting the privacy of Indian users, the Privacy Bill, which is expected to be discussed in Parliament during the monsoon session, would go a long way in this regard.
“To give you perspective,” he says, “the law specifically prohibits behavioral profiling of children or serving ads. It’s a global trend where countries are cracking down on the collection and use of children’s data to ensure it remains preserved.” protected.”
Even on the transparency front, Indian firms were found to score a dismal 30 out of 100 for readability, half the acceptable score by international standards. Furthermore, Arrka found a huge discrepancy between what apps declare they have access to in their privacy policies and what they actually do. For example, 76 percent of Android apps have access to a user’s location, but only 46 percent of them declare it. The same difference was seen in categories such as camera, microphone, contacts, photos and text messages.
Internationally, too, the issue of privacy is a growing concern, with cyber security experts and agencies repeatedly highlighting the fact that apps have access to permissions they have no business with.
In 2019, Russian cybersecurity solutions and services provider Kaspersky published a report on its findings regarding applications and permissions. He gave the example of a selfie camera app with five million downloads from Google Play. Kaspersky found that the app uses four ad trackers and requires not only access to the user’s camera, but also the location of their device, which is not absolutely necessary for it to work, as well as phone and call data, which was “anything but necessary for this kind of application”.
Further analysis of the same app found that it not only accesses the location of the phone or tablet, but also sends this information along with IMEI, MAC address (a unique code that can be used to identify your device to the Internet or local network) and Android ID to a Chinese IP address, all without encryption. “Forget about good intentions, there is no good reason,” wrote Kaspersky Sergey Golubev in a blog.
Application for Android
Access to the camera
Access to the microphone
App for iOS
Access to the camera
Access to the microphone
(Of the 189 apps Arrka analyzed for its 2022 Privacy Report)