The recent screaming headlines about data security and privacy in the wake of the Facebook-Cambridge Analytica scandal have started making even the “illiterates” of the digital world aware of their personal data and the ramifications of the data being leaked or improperly shared. People have slowly begun realising how their data is being used for purposes that are surreptitious in nature and how, most of the time, they are not even aware of it being collected in a “digital underworld”.
From India’s perspective, data security and privacy are increasingly becoming paramount — with more and more people going digital amid the rapid adoption of data services in the lower strata of society, where overall data sensitivity could be very low. By the end of 2017, India had 83 million 4G subscribers in its rural geographies. The trends indicate that the data penetration is going wide and deep, meaning people from all strata of society are going online and there is a higher probability of data risks and frauds.
So-called digital literates and experts are surprised by the facts that reveal how and what kind of data is or could be collected by the apps that people use on a daily basis. To prove the case, let’s evaluate the top five grossing apps in India (as of March 31) as per App Annie, an app market data and insights company headquartered in the US.
On March 31, Vigo Video (formerly Hypstar), WhatsApp, Facebook Messenger, UC Browser and Ludo King game were the top 5 apps on the Android platform in India. Android runs on 96 per cent of smartphones in the country. (Although the Top 5 trending list keeps changing and may not reflect the actual Top 5 most-used apps, such apps are widely used by a huge number of smartphone users.)
While conducting an audit of the kinds of permissions these apps should be seeking to perform the functions that they are here for, and the actual permissions they seek, some alarming facts have emerged.
For instance, under the “Device and App history” permission group of Google Play, Vigo Video and UC Browser can read sensitive log data. This means popular apps like these can effectively scan everything in your smartphone.
Similarly, under the “Identity Permission” group, Vigo Video, WhatsApp and Facebook Messenger can read, add or remove accounts on your device.
Likewise, Facebook Messenger and Vigo Video can download files without notification, as they seek this permission under the other permission groups of Google Play. UC Browser seeks full licence to interact across users in this category of permissions.
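An added example, not part of the original article: a minimal version of the audit described above, comparing the permissions an app declares (in the `uses-permission:` line format printed by `aapt dump permissions`) against those its stated function needs. The package name, the sample dump and the expected set are constructed, and the mapping from Play Store wording to manifest permission names is this example's assumption.

```python
import re

# Play Store wording quoted in the article -> Android manifest permission.
# The mapping is an assumption of this example, not the article's own table.
FLAGGED = {
    "android.permission.READ_LOGS": "read sensitive log data",
    "android.permission.MANAGE_ACCOUNTS": "add or remove accounts",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "download files without notification",
    "android.permission.INTERACT_ACROSS_USERS_FULL": "full licence to interact across users",
}

# Accepts both "uses-permission: name='X'" and the older "uses-permission: X".
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(dump):
    """Return the set of permission names declared in a permissions dump."""
    perms = set()
    for line in dump.splitlines():
        match = PERM_RE.match(line.strip())
        if match:
            perms.add(match.group(1))
    return perms

def audit(dump, expected):
    """Compare declared permissions with those the app's function justifies."""
    requested = parse_permissions(dump)
    return {
        # Permissions from the sensitive groups the article calls out.
        "flagged": sorted((p, FLAGGED[p]) for p in requested if p in FLAGGED),
        # Anything requested that the reviewer could not tie to a feature.
        "unexplained": sorted(requested - set(expected)),
    }

# Constructed sample for a hypothetical video-sharing app.
SAMPLE_DUMP = """\
package: com.example.videoapp
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.READ_LOGS'
uses-permission: name='android.permission.DOWNLOAD_WITHOUT_NOTIFICATION'
uses-permission: android.permission.MANAGE_ACCOUNTS
"""
# Reviewer's judgement of what a video app plausibly needs (constructed).
EXPECTED = {"android.permission.INTERNET", "android.permission.CAMERA",
            "android.permission.WAKE_LOCK"}

if __name__ == "__main__":
    report = audit(SAMPLE_DUMP, EXPECTED)
    for perm, label in report["flagged"]:
        print(f"FLAGGED      {perm}  ({label})")
    for perm in report["unexplained"]:
        print(f"UNEXPLAINED  {perm}")
```

The "unexplained" list is the part that needs a human: each entry is a question for the developer about which feature requires it.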
Even for advanced app developers, it is difficult to decipher why these permissions are required — and even if they are able to establish a reason, they cannot guarantee that the permission is not abused.
For instance, permission to download files without notification by Facebook Messenger and Vigo Video could be used to install stickers and other such things seamlessly on one’s device for better user experience and friendliness. But the only things stopping them from dropping a hidden software development kit (SDK) on a smartphone are ethics and trust — both at an all-time low these days.
Google must act like a “Digitally Socially Responsible” platform that forces developers who publish apps in its Play Store to provide a full description of the permissions they seek — and what exactly the apps require the permissions for.
This ambiguity of “may” or “may not” definitely gives them legal comfort, but users cannot be expected to be experts who can decipher to what extent the app may infringe on their data.
There is also a need for third-party independent app audits that could evaluate them and certify whether these are only doing what they are supposed to do.
In this digital age and time, data is bound to rest with the app makers and other value-chain players. As long as they are transparent in seeking only the requisite permissions and, at the same time, clarifying to what extent a permission group is used, they are real friends and enhance productivity of the users.
As of now, it appears that only Ludo King among the Top 5 apps is a fair one that seeks a few network and storage-access permissions, besides preventing the device from sleeping.
There is no solution unless the entire ecosystem becomes more transparent. One may think of removing all the suspicious apps from the system, but deciding what is suspicious and what is not is a truly herculean task.
By Faisal Kawoosa
(Faisal Kawoosa is Head-New Initiatives at CyberMedia Research. The views expressed are personal. He can be contacted at firstname.lastname@example.org )