While the technology versus privacy battle rages on, many consumers and businesses are still unaware of how much data can be gleaned from a mobile phone.
Despite the NSA and Edward Snowden being in the news every other day, most people don't realise how much data their most personal device is haemorrhaging at all times.
But that doesn't mean you have to shut off your mobile, throw it in the nearest body of water and live a life off the grid.
There are many ways for consumers and businesses alike to protect themselves. After all, for your phone to work it simply must know where you are; to receive and deliver texts the operator must know the content; and for an app to be quick and convenient it sometimes needs to access your phone's contact database.
Where does this data come from?
Mobile phones communicate through many different interfaces – all of which can share data – including WiFi, GPS, Bluetooth and GSM/CDMA. On top of this, smartphones run a plethora of applications that can access information including but not limited to your location, contacts, calendar, notes, microphone, photos and reminders.
So giving an app access to your phone can reveal a lot more than you might think. Once the app is installed, the phone allows bi-directional communication with the app servers, which means – if you've given permission – both the developer and the vendor can access your data whenever they like.
Things like location are interesting because they genuinely provide useful information that certain apps rely on to provide their service – directions to the nearest Starbucks for example wouldn't work without this. But does a flashlight app really need to know where you are to work properly?
The contacts database is another interesting place where technology capabilities and privacy issues clash. Typically users are just asked if they would like to 'allow' access to the contacts – permissions are rarely more granular than this. But consider the information you have in your contacts – names, home and email addresses, phone numbers. This may seem harmless on its own, but it can be used to infer everything from your employer and your bank to your doctor and your partner's identity.
Apple and Android use different approaches
Different platforms give you different privacy options, especially where apps are concerned. Apple can be restrictive over exactly which apps they allow into the App Store, whereas Android is comparatively open, but offers the user more options.
Once an app is installed, iOS lets it see a surprisingly large amount of the data stored on your phone, including your location, contacts, calendar, reminders and photos, as well as granting access to your microphone and Bluetooth connection.
The way Apple protects its customers is by having an explicit permission window that pops up whenever an app tries to access personal data.
Android's model is different in that it allows access to just about everything on your phone, but gives you a very detailed list of data the app will have access to and asks if you're happy with this. This happens when you first install the app and also with apps already installed, just to remind you what you've permitted.
What you can do
The EU is leading the way with new privacy laws – its Information Commissioner's Office recently insisted that developers comply with the Data Protection Act and properly inform users about what will happen to their personal data if they install an app.
If you're an app-based service provider, you must be absolutely clear on exactly what information you're collecting and what it will be used for. There are a few basic things that you can do, including:
- Know what data you're really collecting. Sit down with your developer and have them show you what data is being collected and why, as you're ultimately accountable for this.
- If you're a US company with any sort of presence in the EU, get Safe Harbor certified.
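One way to start the "know what data you're really collecting" review for an Android app is to compare the permissions the manifest requests with the purposes you have documented for users. The script below is an added example, not code from the article or from any vendor; the flashlight manifest, the `documented` purposes and the function name `audit_manifest` are constructed for illustration, and it assumes the plain-text source `AndroidManifest.xml` of your own app rather than the binary form inside an APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: source manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Android permissions mapped to the personal data categories the article lists.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "photos",
}

def audit_manifest(manifest_xml, documented):
    """Compare requested permissions with documented purposes.

    documented maps permission name -> purpose stated to users.
    Returns sensitive permissions with no stated purpose, and stated
    purposes for permissions the app no longer requests.
    """
    root = ET.fromstring(manifest_xml.strip())
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    requested.discard(None)  # ignore malformed entries without a name
    undocumented = sorted(
        (perm, SENSITIVE[perm]) for perm in requested
        if perm in SENSITIVE and not documented.get(perm, "").strip()
    )
    stale = sorted(perm for perm in documented if perm not in requested)
    return {"undocumented": undocumented, "stale": stale}

if __name__ == "__main__":
    # Constructed purposes, as they might appear in a privacy notice.
    documented = {"android.permission.CAMERA": "turns on the LED torch"}
    report = audit_manifest(SAMPLE_MANIFEST, documented)
    for perm, category in report["undocumented"]:
        print(f"No documented purpose for {category} access: {perm}")
    for perm in report["stale"]:
        print(f"Documented but not requested: {perm}")
```

Run against the sample, the report flags the location and contacts permissions, which is the flashlight-app question raised earlier.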
As technology continues to evolve and consumers become more and more security conscious, changes in privacy policies will see users given more granular control over how their data is accessed and what is done with it. Businesses will need to convince customers to share their data by being transparent and using it to power better, more personal services.
Charles McColgan is CTO of TeleSign