Why You Can't Trust Apps Today – And How To Fix It
Every day, over 4 billion people around the world use mobile apps for everything from communication to banking to booking travel. We entrust these apps with our most sensitive personal information, often without a second thought. But the truth is, the vast majority of apps and online services today are not worthy of that trust.
The Staggering Scale of App Data Collection
The average smartphone user has over 80 apps installed, each of which can access a trove of personal data. This includes obvious things like your name, email address, and phone number, but also much more invasive information.
A 2019 study by pCloud found that over half of apps on the Android store have access to a user's precise location, and can track every place you go. 30% can access your camera and read all of your photos. 1 in 5 apps can read your private messages and emails.
And popular free apps are the worst offenders. 96% of free apps contain at least one third-party tracker, with some including dozens. For example, an investigation by Exodus Privacy found that the Uber app contains an astonishing 32 different trackers from third party companies. Every ride you take feeds data to dozens of advertising and analytics firms without your knowledge.
The Risk of Data Abuse and Breaches
With this much sensitive data being collected, the potential for misuse and exploitation is high. Unscrupulous app developers can compile detailed profiles of our daily routines, purchases, interests, and social connections and sell them to the highest bidder, whether that's advertisers, political campaigns, or even foreign governments.
There have been numerous high profile cases of apps abusing user data for profit:
- In 2018, it was revealed that consulting firm Cambridge Analytica had harvested the personal data of 87 million Facebook users without consent and used it to target political ads.
- Several popular women's health apps, including Flo and Ovia, were caught sharing sensitive data on users' menstrual cycles, sexual activity, and pregnancy plans with Facebook and other third parties.
- Just this year, a devious barcode scanning app with over 10 million downloads was found to be secretly signing users up for expensive subscriptions without consent, raking in millions of dollars a month.
Even when app developers aren't actively misusing data, lax security practices put it at risk. Data breaches are now so common that they barely make headlines unless the scale is truly massive. In the first half of 2022 alone, there were 817 reported data breaches affecting over 53 million individuals.
Some of the biggest app data breaches in recent years include:
- In 2018, Marriott revealed that hackers had accessed the reservation system for its Starwood subsidiary and stolen the personal details of over 500 million guests, including names, addresses, phone numbers, email addresses, passport numbers, and travel details. The breach went undetected for four years.
- Facebook has had numerous breaches and leaks affecting millions of users, including a breach in 2019 where 540 million records were exposed on an unsecured Amazon cloud server. This included account names, IDs, and interaction details.
- In 2021, personal data from over 700 million LinkedIn users, including full names, email addresses, phone numbers, and job details, was posted for sale online after the platform was scraped. This represented over 90% of LinkedIn's user base.
The Failure of Privacy Policies and Regulations
In theory, apps are required to disclose their data practices in privacy policies and give users certain rights over their information. In practice, however, these policies offer little real protection.
A 2019 study conducted by the New York Times found that just 1% of mobile apps have privacy policies that are comprehensible at a high school reading level. The average policy is almost 4,000 words long and would take 18 minutes to read. They are often filled with broad, vague language that gives apps essentially a free pass to collect and use data however they want.
Regulations like Europe's GDPR and California's CCPA aim to give users more control, but enforcement has been lackluster. Companies regularly flout requirements around obtaining consent and honoring deletion requests, with few consequences. The fines that are occasionally levied, while seemingly large, are a mere cost of doing business for tech giants that make billions in profits from user data.
The Openly Operated Solution
Clearly, the status quo around app privacy is broken. We need a fundamentally different approach – one based on radical transparency rather than blind trust.
Enter Openly Operated, an emerging certification standard that requires app developers to fully open source their code and infrastructure for public auditing. To be certified, apps must:
- Publish all frontend, backend, and infrastructure code in a public repository
- Provide documentation detailing their data practices, security setup, and third-party integrations
- Undergo an audit by independent security researchers to verify claims
This allows anyone with technical expertise to vet exactly what an app is doing with user data. It shifts power back to the user and creates accountability in the event of any misrepresentations.
While open-sourcing proprietary code may seem unthinkable to many companies, there are compelling business reasons to embrace transparency:
- Increased user trust and adoption. In an era where people are increasingly privacy-conscious, being Openly Operated can be a huge differentiator. A 2021 Cisco survey found that 84% of consumers care about data privacy and are more likely to buy from companies that handle data responsibly.
- Improved security. Open source code allows "many eyeballs" to audit for vulnerabilities and suggest patches, ultimately resulting in more secure products. A study by Synopsys found that open source codebases have fewer defects per 1000 lines of code compared to proprietary projects.
- Developer recruitment and retention. Many of the best developers today want to work on open source projects that contribute to the public good rather than locked-down corporate code. A 2019 Stack Overflow survey found that 65% of developers feel that open source is "the future."
- Opportunities for bounties and sponsorships. Openly Operated apps can engage their communities to find bugs and suggest improvements through bounty programs, which are an increasingly popular model. Open source projects can also receive financial support from companies and foundations that want to support transparency.
Some pioneering apps are already leading the way with Openly Operated, including:
- Proton Mail, an end-to-end encrypted email service, has open sourced its web and mobile apps. Their code has been audited and verified by independent security firms.
- Bitwarden, a popular open source password manager, provides full transparency into their platform and has been audited by third party security researchers.
- Signal, an encrypted messaging app, is fully open source and has been reviewed by cryptography experts from around the world.
The biggest challenge is getting more companies to embrace this model, rather than just paying lip service to privacy while continuing opaque data practices. But as more high profile apps adopt Openly Operated and prove its benefits, it has the potential to become the expected standard – something all apps need to do to earn user trust.
A Call for Transparency
We are at a pivotal moment when it comes to digital privacy. Revelations about unchecked data collection and careless security practices have shattered many people's trust in the apps they use every day. But we have an opportunity to change course and rebuild that trust through radical transparency.
As app users, we need to start demanding openness from the services we rely on. Before downloading an app, do your research to see if they have open sourced their code or undergone any public audits. Reach out to your favorite apps and ask them to consider Openly Operated certification.
As app developers, embracing transparency can seem like a leap of faith. But on the other side is a stronger relationship with your users, a better product, and a more sustainable business in the long term. You'll be able to say with confidence that you have nothing to hide.
We must reject a world in which we simply have to blindly hope that apps aren't misusing our data behind the scenes. We deserve to know exactly what's being done with our information, and to have the power to hold companies accountable for their claims.
Openly Operated provides a path forward – a way to create an app ecosystem built on openness, trust, and accountability. It won't happen overnight, but with each new app that embraces transparency, we take a step closer to making it the norm.
The future of app privacy is open. Let's make "show me, don't tell me" the new standard, and give users the transparency they deserve. It's time for a new era of trust in tech – and it starts with open code.