Modern field guide to security and privacy
Mirella Sanches waited to be picked up at an Uber stand in Rio de Janeiro, Brazil.
Peter Prengaman/AP | Caption

How app makers increasingly track your every move

Privacy advocates say tech companies are becoming more brazen about collecting users' location data and personal information.

For just a few days last month, a photo filter app called Meitu, which turns selfies into pearl-skinned, doe-eyed Anime characters, enthralled the social media world.

But Meitu faded as quickly as it rose to internet fame after cybersecurity researchers exposed what was really behind the app.

Meitu’s application program interfaces (API) revealed code that collected a bevy of personal data that goes far beyond what typical photo apps gather. It amassed users' precise locations, call information, carrier information, and Wi-Fi connections. The company explained that it collected all that data to "optimize app performance" and better engage users.

As smartphones become ubiquitous, app makers are becoming more brazen about collecting personal data, say experts and privacy advocates. And while iPhones and Android devices have limited privacy settings, most consumers remain in the dark about what companies are collecting and how they are using that information. 

"With business models focused on advertisements and sharing information of others, we've seen massive amounts of tracking," says Norman Sadeh, a computer science professor at Carnegie Mellon University in Pittsburgh. "There's been erosion of privacy over the past few years."

In 2015, he cowrote a study that found a dozen or so popular Android apps – from companies such as the Weather Channel and Groupon – collecting location data about every three minutes. 

Claire Gartland, a consumer privacy attorney at the Electronic Privacy Information Center (EPIC), compared the smartphone app marketplaces to "the Wild West" when it comes to privacy regulations and says consumers are left on their own to protect their own personal data.

"When we go shopping at a grocery store, the [Food and Drug Administration] doesn't allow poison in our food," says Ms. Gartland. "But the current situation is like reading every ingredient on every box [to avoid something harmful]."

Instead, she says, the lawmakers should create a basic, easy-to-understand privacy framework that spells out what app makers can and can't collect. 

EPIC has had mixed success taking on Silicon Valley giants on privacy matters. It was able to push Facebook to settle with the Federal Trade Commission in 2011 for breaking its own privacy policy, which stated that photos and videos from deleted profiles would remain inaccessible and that it would not share private information with advertisers. As part of the settlement, Facebook agreed to be submit to independent privacy audits for the next 20 years.

EPIC has also taken aim at Uber. In 2015, the privacy watchdog filed a complaint against the ride-sharing company, charging that Uber’s then-revised privacy policy was an unlawful and deceptive trade practice. In the complaint, EPIC argued that Uber’s promise that "users will be in control" was not true since Uber can access their location data without their permission. A year and a half later, the case is still pending

Last December, Uber faced scrutiny after its new app update asked users if it can collect precise location data for five minutes after the ride, when the app is no longer in use. Previously, Uber offered the choice of collecting the data only when the app was in use. Uber took that option away but insisted the tracking will stop after the five-minute limit.

An Uber representative told Passcode that the new app update "helps us improve ETAs, pick-ups, efficiency on POOL, and passenger safety" and that any user uncomfortable with location tracking can turn it off and still use the app by manually putting in the pick-up address.

Uber’s expansion in data collection alarmed many privacy-oriented consumers such as Silicon Valley-based engineer Michael Fischer. He penned a letter in the tech blog HackerNoon, urging Apple to stop Uber’s app update and prevent other apps from behaving like "stalkerware" – a word Fischer coined to describe software which tracks users 24 hours a day.

Uber and Apple did not respond to Mr. Fischer’s plea. In Apple's mobile operating system settings, Uber’s latest edition only allows location-sharing settings to be on "Always" or "Never."

"The only thing you can resort to now to turn the location setting on, then turn on the Uber app, and then turn off the setting once you are done," Fischer told Passcode. "But this is very inconvenient. And the Uber app developers aren't stupid. They know this is inconvenient."