Recently I was reading an article on Vox by Sara Morrison that explained how some of the hidden trackers in modern smartphones work and how they are used to capture and sell your data. This article was written in the context of the growing awareness of location data tracking in smartphones as that data has been used to map COVID-19 responses by the public:
In the earlier days of the coronavirus pandemic, an animated map from a company called Tectonix went viral. It showed spring breakers leaving a Florida beach to return to their homes across the US, as a series of tiny orange dots congregating on a beach in early March scattered across the country over the following two weeks.
“It becomes clear just how massive the potential impact of just one single beach gathering can have in spreading this virus across our nation,” the video’s narrator said. “The data tells the stories we just can’t see.”
But there was another story there that most of us can’t see: how trackers hidden in smartphone apps are the source of incredible amounts of specific data about us, much of which gets sent to companies you’ve never heard of. This has been going on for years and is an essential part of the mobile app economy. But it took the Covid-19 pandemic to bring some of these companies, and what they’re capable of, to the forefront.
The whole article is a fascinating read and I recommend checking it out, but I wanted to spend some time in this article talking about a sentence that jumped out at me in the above quote:
This has been going on for years and is an essential part of the mobile app economy.
If you want to understand how a system works and especially if you want to change how a system works, look to the incentives. Human behavior is driven by a series of rewards and punishments, carrots and sticks, and the same holds true for business. While you can certainly look to regulations or user education to change behavior, ultimately those measures just factor in to the risk/reward calculations a business or user takes.
For instance, delivery drivers in big cities routinely flout parking regulations. Why would they do that when it’s against the law and can cause a fine? Enforcement isn’t guaranteed (you only get fined if you get caught) and the added cost of complying with the law is much greater than the cost of the occasional ticket.
This means if you want to change how businesses treat privacy, you have to change the incentives that drive them. Applied to the mobile app ecosystem, even with privacy regulation, privacy settings, and user prompts, companies will weigh the risks and costs of getting caught against the reward of capturing and selling user data and as long as the reward is enough, many will take the risk.
The fact is, the current app ecosystem on Android and iOS is designed to facilitate the collection and selling of user data. Every incentive points a developer in this direction. This ecosystem is full of free (as in cost) but proprietary software that makes money either by showing you targeted third party ads (customized based on your shared personal data) or by collecting and selling your data to third parties to add to their own databases. In particular with Android the (free to vendors) OS itself along with the complete Google software suite (which vendors are required to install to be part of the ecosystem) are also funded by collecting and selling user data.
Users also find money to be a powerful incentive. When browsing through the hundred different apps that all perform the same function, there is a strong incentive to pick the free app with ads over the $1.99 one, even if the free app might capture your data (after all, there’s no guarantee the $1.99 app won’t too). Of course, since the applications are almost universally proprietary software, you can’t really know for sure what data they collect, only whether they ask for permission.
The path of least resistance provides a powerful incentive. User interface designers understand the power of defaults and the same goes for software development. The above Vox article goes into quite a bit of detail on the various Software Development Kits (SDKs) that companies have provided to make it easy to develop mobile apps. Most applications have a common set of features, and using an existing SDK means you don’t have to reinvent the wheel.
Of course these SDKs also make spying on users the path of least resistance, as it’s much easier to just request full permissions for your app on a user’s phone than it is to start with no permissions and figure out which ones you truly need. Why does a flashlight app need access to your location and contact list? Since so many applications are designed with selling user data in mind, even a well-meaning, ethical, privacy-conscious developer might find it hard to identify and remove all third party tracking if they base their application on existing examples and popular SDKs.
Users also find laziness to be a powerful incentive. Many application developers take advantage of this by requiring users to opt-out of tracking, often via hard-to-find settings buried deep within the application. Many if not most users don’t bother to tweak their privacy settings, and many companies share your data without your consent.
A large part of our work at Purism is focused on creating a healthy, ethical, privacy-preserving alternative to the current mobile app ecosystem. This is one of many reasons why the Librem 5 doesn’t run Android nor iOS but instead runs PureOS–the same secure, privacy-preserving, Free Software Foundation-endorsed operating system that we use on our Librem Laptops and Librem Mini.
While users are free to install any third-party applications they want, applications in our PureOS Store must be free software and protect user privacy. As Purism’s founder and CEO Todd Weaver says: “Every line of code is a moral decision.” Making privacy and free software a default changes the incentives to encourage ethical behavior by developers. It’s much harder to hide tracking features in your application if anyone can inspect the code and create a version that removes those features.
Purism is also working to change incentives through targeted regulation. Requiring applications to make tracking “opt-in” instead of “opt-out” would go a long way toward protecting privacy by default. Purism is part of a group of organizations including the EFF and DuckDuckGo who have asked the California legislature to require companies to get consent before using user data.
Of course, the strongest way to change the current app ecosystem is by changing the financial incentive. That’s where you come in. Each technology choice you make is a vote for the future you want to see. Voting with your dollar to support companies like Purism that are building hardware and software that protect your privacy sends a message to other companies that privacy matters to you and if they want you as a customer, it should matter to them too.