Permissions, Privacy and App Reviews
by Bob Schwartz
In the ongoing battle between your privacy and mobile app developers seeking—and getting—your permission to access personal information about you and your life, you are losing.
Millions of people reflexively agree to permissions that go far beyond the functional needs of particular apps. Sometimes it is because users don’t bother looking at permissions lists, or don’t understand all the permissions. Sometimes it is because the permissions requests are strategically placed: while Google Play includes a Permissions tab on its Web site, the mobile site doesn’t include Permissions at first screen, instead revealing it only after the Download button, when the Accept & download button appears. Sometimes, maybe most of the time, it is because users just don’t care, particularly when apps are free, and it seems that permissions, however onerous, are simply the price to pay.
The reasons to care are the subject for another time. But there is a critical way which this may be rebalanced right now, if just a little bit.
Few reviews, from big media reviewers or from user comments, ever mention permissions as a factor in recommending or avoiding particular apps. For example, and by no means singling out any reviewer or app developer, this morning brought a glowing review from Lifehacker about the new version of the Springpad app:
There seems no doubt that Springpad, especially in this latest iteration, is a creative app in a very crowded field. But looking carefully at permissions, you find the list above.
This isn’t to suggest that these permissions are or are not directly related to the functionality of the app or to subsidiary commercial support from advertising and marketing opportunities. And there is no implication that anything malicious is intended.
The point is information. Whether or not it is to a developer’s advantage to have users pay close and continuing attention to app permissions, it is definitely to the users’ advantage to do that.
Which brings us to a modest—and a slightly less modest— proposal.
Responsible reviewers should at least begin including some form of permissions listing in their reviews. This could be as simple as a shorthand list, something like the ratings for movies and television: PV (Pictures and Video), RC (Read Contacts), RP (Read Phone), and so on.
The next step would be for reviewers to evaluate permissions in two detailed ways. One is to write about how necessary (or unnecessary) the set of requested permissions is to the functionality of or commercial support for the app. The other is to compare similar apps relative to the intensity of permissions. It’s true to that no two apps are exactly alike, but if you try sometime, you just might find that very similar apps request vastly different access rights.
The issues of mobile privacy are not going away. As the user base grows, as the commercial stakes get higher, and as sophisticated data strategies evolve, things are going to get much more complicated. Having reviewers keep permissions front and center is a small but valuable step in keeping users aware and vigilant.
Bob Schwartz 
Hi, Bob!
I found this post when Googling for reviews of app permissions, Springpad in particular.
I have (briefly) considered uninstalling ALL apps once I became aware of the “use of” camera, video, and flashlight functions of my phone at any time without my permission.
I do not understand why more people are not concerned!! Here it is, nearly 2 years after your post, and there is little online-accessible information showing up in search results.
Can you point me towards more information on this topic?
Thanks!! –Emily
Thanks for the comment, Emily.
First, I reported last month about a significant but temporary and semi-secret breakthrough in Android privacy (The Strange Case of App Ops and Android Privacy). So if you have Android 4.3 — no earlier and no later — you can actually completely control the permissions of your apps. Otherwise, you’re out of luck.
As for general attitudes and concern, you can look at Pew’s research Privacy and Data Management on Mobile Devices. People do care and do uninstall or not install apps because of privacy concerns. But in great number people also seem willing to trade privacy for some benefit, whether that’s national security or a free game. The tide may turn towards aggressive privacy initiatives, but with so much money at stake, who knows? If tomorrow, online and mobile became maximally private/minimally intrusive, some business sectors and enterprises might be instantly collapsing. For the moment, what we need is open, informed discussion. I hope to contribute what I can.
Thanks for the information, Bob. I
I appreciate your objective and well-researched writing.
I may be a bit late to
the conversation, but I am fairly new to apps. Fortunately, my platform is Android 4.3! Now to dig deeper into my new phone’s settings…
You’re welcome. Given that you are relatively new to this, I’ll lay out the basics for installing and using Permissions Manager, in case that’s helpful.
Install Permissions Manager – App Ops from Google Play (there are other apps like this too). When you run it, you’ll get lists of all apps, showing the particular permissions you’ve given (e.g., reading your contacts). For each app, each permission has an on/off switch, along with information about how recently the permission has been used, if at all.
This is where it can get a little tricky, but not much. Some apps might absolutely need to know your location, to read your contacts, or to control your device to function fully and properly. Other apps pretty clearly don’t need to know all the things and have all the controls they have access to. Common sense isn’t always totally useful in technical areas, but it is still pretty valuable. A flashlight app by definition needs to be able to control your flash, but if you can’t figure out why it needs to be able to read your contacts or know your exact location, you should feel free to turn those off. The worst that will happen if an app does absolutely need a permission you turn off is that it could possibly stop working optimally. At that point, if your turning off a permission leads to that, you can either restore the permission or stop using the app.
Maybe the most interesting thing to come out of using this Permissions Manager is learning how very many apps ask for lots of permissions but never actually use them. The developers just put out a laundry list just in case, and given that for users ist’s all or nothing, most users go along. The fact that most of the requested permissions are not used is another argument for not giving them away in the first place.