Where does my data go?

Tom Fox-Brewster investigates the growing global problem of mobile transparency and discovers some worrying developments

Verizon customers in America got a nasty shock in October. They learnt a piece of tracking software, labelled by critics as a “permacookie”, was being foisted upon them. It contained a unique identifier, which would be sent to websites and advertisers on those sites. They could then track customers’ web activity and potentially create informative profiles. The permacookie was undeletable. And Verizon had been doing this without clearly informing users for two years.

This, understandably, had pro-privacy folk out with their pitchforks. Normal cookies, the tracking files that transmit data from people’s computers and mobiles to website owners, can at least be deleted or switched off altogether. Fortunately for Brits, some quick tests carried out for Raconteur, by Canada-based British researcher Lee Brotherston, indicated UK operators aren’t doing anything as intrusive.

That’s not to say they aren’t siphoning off people’s data in other ways, which though legal would upset anyone who cares about their privacy, Mr Brotherston notes. For example, in May last year, The Sunday Times revealed mobile and internet operator EE was passing “anonymised and aggregated” user data to research firm Ipsos Mori, which was then planning to sell the information, which included gender, age, postcode and location, to other parties.

Within many mobile apps, especially free ones, lie adverts which can take various forms of data from people’s phones

In an increasingly mobile world, where technology vendors, advertising networks and data brokers collaborate to make billions from people’s information every year, customers might expect a high level of transparency when it comes to their data. They don’t get it.

Within many mobile apps, especially free ones, lie adverts which can take various forms of data from people’s phones. Though they have become less intrusive, many are still borderline aggressive, says co-founder of Lookout Mobile Security, Kevin Mahaffey. Lookout research suggests as many as 6.5 per cent of free apps on Google Play contain adware, defined as exhibiting “intrusive behaviour without gaining appropriate consent from a user”. Mr Mahaffey says this is a concern for individuals and businesses. For instance, if a sales person’s contacts, which are very sensitive because they’re part of the business’s “proprietary value”, are accessed by a third party, this could lead to a damaging data leak.

BIDDING PROCESS

Research into the lightning-fast advertising bidding process provides a glimpse into how quickly people’s data is moved around without the user’s knowledge. Lukasz Olejnik, a PhD candidate at Grenoble research institute Inria, explains real-time auctions begin as soon as a visitor lands on a website, regardless of what device they’re using. Ad exchanges then send out bid requests, which typically contain “versatile information” about the users, Mr Olejnik says, including location, gender, age and even income, as well as identifiers based on cookies. Bidders evaluate all this information, often comparing it to their own databases and cross-linking user profiles, before making an offer. This all takes under 100 milliseconds.

Mobile data factfileThere’s further opacity in the data brokerage market, where people’s information is traded among monolithic, yet little understood, organisations. While the US Federal Trade Commission has called on the Obama administration to force more transparency on brokers, such as Acxiom and Datalogix, there’s little impetus for action in the UK.

As many of these activities happen on the server side rather than on people’s phones or PCs, it’s difficult to detect and stop what’s happening, says Mr Olejnik. He recommends users change their mobile settings to limit sharing of location data, while ad blockers, though not available through Apple and Google’s official mobile app stores, can be downloaded from the web.

Mozilla chief technology officer Andreas Gal blames the likes of Apple and Google for creating closed-off operating systems that don’t allow outsiders to properly probe their technology for potential privacy abuses. He suspects both of these industry giants don’t open up their code because they don’t want people to know what is going on in the background as they use their mobiles.

On the open web we all know how the architecture works, it’s open and extensible. In the mobile world, unfortunately we are facing a very different environment,” Mr Gal adds. “There are proprietary ecosystems, completely controlled by commercial entities.”

It’s apparent that not enough is being done to illuminate the darker corners of our connected world. And solutions remain elusive. “I think mobile privacy is one of the largest unsolved concerns for people across the world,” Mr Mahaffey concludes.