Why on Earth do 7% of apps need access to your call log? Why do 10% need to see what your device’s camera sees? And why do 32% need to know your location?


Source: Global Privacy Enforcement Network

Agreeing to a long list of permissions in return for access to an app can feel like a needless compromise on your privacy, and perhaps even on the security of your personal information. Imagine trying to buy an Ordnance Survey map at the local camping store, only to be asked for round-the-clock access to your location, revealing personal data from your phone and possibly more. Get stuffed, you might reasonably think.

So what’s so different about apps that justifies all that access?

App developers can cite three key reasons for requesting permissions from the user:

  • Functionality – e.g. access to the camera is required by Snapchat; Google Maps requires location data
  • Security – e.g. personal data is required to confirm the user’s identity
  • Data mining – information on the app’s users is mined in order to facilitate ongoing product optimisation, or for marketing purposes

Let’s assume the developer is always telling the truth. In that case, those first two points are easy to justify. It’s the third justification – data mining – that rankles with many users and consumer watchdogs.

If the information requested is not fundamental to the user’s safe and satisfactory use of the app, then what right has the developer to ask for it? A 2016 survey by the Global Privacy Enforcement Network found that nearly one third of permission requests out of 1,211 apps surveyed lacked a credible justification.

How much can app producers get away with?

Whether you like it or not, many apps use customer data for marketing purposes – and they have their users’ permission confirmations (which are a requirement for app downloads) to cite as justification.

There are two modes in which this practice takes place – one far more defensible than the other.

Some app developers mine user data for use in analysis of overall user trends. In these cases, the user’s personal data is not observed in isolation; rather, it becomes an essentially anonymous number within a user-base-wide observation. If you’re against that, you’re probably against web traffic stats in Google Analytics too.

Things get more morally dubious when the app publisher analyses personal data as a means of targeting the individual user. Some even go so far as to harvest phone numbers and email addresses from the user’s contacts, for use in future marketing campaigns.

The big problem from the user’s perspective is that there’s no way of telling how the permissions they grant to an app will be used – permissions requests are so nebulous they can act as a catch-all.

As things stand, big app publishers with recognisable brands seem set to enjoy the liberties afforded by permission requests for the foreseeable future, but for smaller publishers the picture is blurrier. Consumers are increasingly aware and suspicious of – as evidenced by the backlash against Pokémon Go’s illegitimate (and supposedly accidental) requests for personal data, which have since been removed. If the user doesn’t absolutely need your app, excessive permissions could prove an obstacle to conversions.