Thanks to Facebook, we're back to talking about app permissions. It turns out that apps' 'appetites' have grown significantly, and there is something to think about…
Original material
Last month, it became known that Facebook stores the call logs of users of Android devices who granted the appropriate permissions in the era before Android 4.1 Jelly Bean. Most recently, during Mark Zuckerberg's testimony in the Senate, two representatives asked whether Facebook could listen to their private conversations via the microphone on the device and use the data to serve them frighteningly specialized advertising.
Zuckerberg answered the question about the conspiracy theory around device microphones with a categorical 'no' and clarified that Facebook does not have access to audio when people record videos for Facebook on their devices: 'In my look, it's pretty obvious. But I just wanted to make sure that my explanation on the matter was complete.'
But after Zuckerberg's scrambling before Congress, clear and comprehensive as his answers seemed, people are still confused about what information the applications on their smartphones have access to. This is partly due to app permissions: they are oversimplified and designed to offer a minimum of information at the moment permissions are requested. Yes, apps have improved, and so have permissions, but that's not enough to keep up with the sophisticated information-gathering technologies that fill the world around us.
It may seem obvious at this stage, but mobile apps (not only Facebook) can gather an incredible amount of information from every interaction. Apps for iOS and Android are able to access the device's microphone and camera, photo feed, location, calendar, contacts, motion sensors, speech recognition, and social media accounts.
Some permissions are required: the photo processing app won't work without access to the camera, just like Uber won't work without access to geolocation. Refusing to grant permissions will cause the application to malfunction. But when certain patterns appear, information from sensors can reveal more than users might think.
One Android app developer, who wished to remain independent so as not to speak on behalf of the company, noted that once you provide location access, app developers can collect coordinate and elevation information in addition to the location of single objects. In other words, the application will be able to find out which floor of a high-rise building you live on. Ish Shabazz, an independent iOS developer, says that once an app has permission to access location, an 'API' is activated that tracks how often you visit a location. 'This information can be used lawfully and for friendly purposes. However, if you are engaged in illegal activities, I am confident that the information can be used against you.'
Arnaud Setliur, a former head of development at Yahoo, now owns the Silicon Valley-based think tank Auryc. He says that one of his clients, a travel app, has found interesting behavioral patterns for its users based on how they hold their devices.
Setlure: 'We found that during the night during spikes in app usage, the device was rotated a lot to change its orientation. At first, people used it vertically, then they turned the device horizontally. We realized that people were planning their next trip and were looking at the photo, lying in bed and turning the smartphone horizontally.'
These are just inferences of the kind marketers love to talk about, but there are also obvious 'kinks' in apps. The Path social app uploaded users' contact lists to its servers, the Pokemon Go client was able to view and modify almost any information in your Google account, and Meitu (the app to create an anime version of your avatar) required GPS and SIM access.
It is after the publicity of such privacy breaches that app permissions are back on the agenda. Permissions should exist as a practical barrier between developers and specific sets of information on your device. The application requests a permission, and the owner of the smartphone decides whether to 'open this door'. Sometimes the requests are accompanied by explanations; in fact, the platform itself encourages this. This is what the Android developer documentation says: 'It is best to explain to the user the need for application permissions before issuing the requestPermissions() command.'
But they may not be enough. The explanation for the need to allow access to the camera in the Facebook app on iOS reads as follows: 'Ability to take photos and record videos'. Some of the more advanced technologies that extract information from the photos you have posted are not mentioned. Some developers just add the phrase 'and so on' to the explanation. The geolocation explanation: 'Facebook uses this information to operate some functions, help users find places, and more.' Snapchat uses the microphone 'to record audio, video chats, and more'.
Apple and Google define how ecosystems work and how app permissions work. But, by and large, they rely on the developers for the implementation of the principles. Developers do not want to overwhelm users; they rely on consumers' understanding (or misunderstanding) of these principles.
Application permissions for iOS and Android have evolved along with the application catalogs for each OS. Three years ago, with the release of Android 6.0, Google began obliging developers to ask people for permissions outside of the immediate post-installation phase (when they would most likely click Accept and forget everything they had agreed to). In the same Android update, users were able to manage each permission individually, rather than in bulk. In Android 7.0, developers were prevented from placing overlays on top of permission dialogs so that people would not accidentally click on them.
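The two Android eras described above can be checked from an app's manifest. The sketch below is an added example, not code from the original article or from Google: it assumes the manifest has already been decoded to text XML, uses a constructed sample manifest, and covers only a subset of the sensitive permissions named in the article. It flags apps that still get everything at install time (target API below 23, i.e. before Android 6.0) and the pre-4.1 case in which call log access came bundled with contacts access.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# Subset of Android "dangerous" permissions covering data types named in the article.
DANGEROUS = {
    "CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "READ_CONTACTS", "READ_CALENDAR", "READ_CALL_LOG", "READ_EXTERNAL_STORAGE",
}

# Constructed sample: a legacy app targeting API 15 (the last level before Android 4.1).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacy">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="15"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

def audit_manifest(xml_text):
    """Summarise the sensitive permissions in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    # Android defaults: minSdkVersion is 1, targetSdkVersion falls back to minSdkVersion.
    min_sdk = int(attrs.get(ANDROID_NS + "minSdkVersion", 1))
    target = int(attrs.get(ANDROID_NS + "targetSdkVersion", min_sdk))
    requested = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):
            requested.add(name[len(PREFIX):])
    implicit = set()
    # READ_CALL_LOG was introduced in API 16 (Android 4.1). An app whose min and
    # target SDK are both <= 15 and that requests READ_CONTACTS is granted it implicitly.
    if "READ_CONTACTS" in requested and min_sdk <= 15 and target <= 15:
        implicit.add("READ_CALL_LOG")
    return {
        "target_sdk": target,
        "dangerous": sorted((requested | implicit) & DANGEROUS),
        "implicit": sorted(implicit),
        # Apps targeting below API 23 never show runtime prompts: all at install.
        "install_time_grant": target < 23,
    }

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```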
Apple is usually more demanding than Google. As in Android, in iOS you can control permissions both in the privacy settings and at the application level. With the release of iOS 11 last year, Apple offered a 'Write Only' option for developers who need photo access, which rules out viewing the images. The company also redesigned the location permission: an application must now display the option 'only when using the application' when requesting it. Apple never gave iOS developers access to calls, so the recent scandal around Facebook on Android is not possible on the OS from Cupertino.
There is still room for improvement in permission management, according to Norman Sadei, professor at the Carnegie Mellon School of Computer Science and creator of the Privacy Assistant app for managing privacy permissions. He is still critical of combining multiple permissions into one.
Sadei: 'The number of control settings has grown, but they, by and large, combined several solutions and force users to make impossible decisions. Apps may need permissions to run certain functionality, but information may leak to marketers and ad providers.'
People are also not at all clear about what happens when a permission is revoked. For example, you gave the app permission to access photos, uploaded one image, and revoked the permission. Or a year ago you gave access to contacts, and then canceled it. The main point is that developers can store user-provided information, subject to privacy and other laws.
'Permits are now sorely lacking not just consent and informed consent, but continuous consent,' said Jenny Gebhart, a privacy researcher at the Electronic Frontier. 'If Facebook wants to keep a log of your calls and messages, then this requires more than a simple click.'
Until stricter rules are established, much of the responsibility for understanding permissions still rests with the user, both in deciding whether to provide access to the camera, photos, location and life, and in trusting the transparency of the developers' work.
By John Brandon
Indeed, the app permissions story has come to the fore again after the Facebook and Cambridge Analytica scandal. It still rattles and promises long echoes. This is exactly the case when applications want to be smarter than users, but the latter have come to their senses. From now on, developers will have to tell users more transparently what they are allowing applications to do, and most importantly, why.
Each such case hits the credibility of the specific developer and of applications in general. It is clear that this is all just the tip of the iceberg, but so as not to go running for tinfoil hats, I would like to see privacy put in order within the largest platforms, or at least without the gaping holes that can be found now.