For just a few days last month, a photo filter app called Meitu, which turns selfies into pearl-skinned, doe-eyed Anime characters, enthralled the social media world.
But Meitu faded as quickly as it rose to internet fame after cybersecurity researchers exposed what was really behind the app.
Meitu’s application program interfaces (API) revealed code that collected a bevy of personal data that goes far beyond what typical photo apps gather. It amassed users' precise locations, call information, carrier information, and Wi-Fi connections. The company explained that it collected all that data to "optimize app performance" and better engage users.
As smartphones become ubiquitous, app makers are becoming more brazen about collecting personal data, say experts and privacy advocates. And while iPhones and Android devices have limited privacy settings, most consumers remain in the dark about what companies are collecting and how they are using that information.
"With business models focused on advertisements and sharing information of others, we've seen massive amounts of tracking," says Norman Sadeh, a computer science professor at Carnegie Mellon University in Pittsburgh. "There's been erosion of privacy over the past few years."
In 2015, he cowrote a study that found a dozen or so popular Android apps – from companies such as the Weather Channel and Groupon – collecting location data about every three minutes.
Claire Gartland, a consumer privacy attorney at the Electronic Privacy Information Center (EPIC), compared the smartphone app marketplaces to "the Wild West" when it comes to privacy regulations and says consumers are left on their own to protect their own personal data.
"When we go shopping at a grocery store, the [Food and Drug Administration] doesn't allow poison in our food," says Ms. Gartland. "But the current situation is like reading every ingredient on every box [to avoid something harmful]."
Instead, she says, the lawmakers should create a basic, easy-to-understand privacy framework that spells out what app makers can and can't collect.
Last December, Uber faced scrutiny after its new app update asked users if it can collect precise location data for five minutes after the ride, when the app is no longer in use. Previously, Uber offered the choice of collecting the data only when the app was in use. Uber took that option away but insisted the tracking will stop after the five-minute limit.
An Uber representative told Passcode that the new app update "helps us improve ETAs, pick-ups, efficiency on POOL, and passenger safety" and that any user uncomfortable with location tracking can turn it off and still use the app by manually putting in the pick-up address.
Uber’s expansion in data collection alarmed many privacy-oriented consumers such as Silicon Valley-based engineer Michael Fischer. He penned a letter in the tech blog HackerNoon, urging Apple to stop Uber’s app update and prevent other apps from behaving like "stalkerware" – a word Fischer coined to describe software which tracks users 24 hours a day.
Uber and Apple did not respond to Mr. Fischer’s plea. In Apple's mobile operating system settings, Uber’s latest edition only allows location-sharing settings to be on "Always" or "Never."
"The only thing you can resort to now to turn the location setting on, then turn on the Uber app, and then turn off the setting once you are done," Fischer told Passcode. "But this is very inconvenient. And the Uber app developers aren't stupid. They know this is inconvenient."