Permissions, Privacy and App Reviews
by Bob Schwartz
In the ongoing battle between your privacy and mobile app developers seeking—and getting—your permission to access personal information about you and your life, you are losing.
Millions of people reflexively agree to permissions that go far beyond the functional needs of particular apps. Sometimes it is because users don’t bother looking at permissions lists, or don’t understand all the permissions. Sometimes it is because the permissions requests are strategically placed: while Google Play includes a Permissions tab on its Web site, the mobile site doesn’t include Permissions at first screen, instead revealing it only after the Download button, when the Accept & download button appears. Sometimes, maybe most of the time, it is because users just don’t care, particularly when apps are free, and it seems that permissions, however onerous, are simply the price to pay.
The reasons to care are the subject for another time. But there is a critical way which this may be rebalanced right now, if just a little bit.
Few reviews, from big media reviewers or from user comments, ever mention permissions as a factor in recommending or avoiding particular apps. For example, and by no means singling out any reviewer or app developer, this morning brought a glowing review from Lifehacker about the new version of the Springpad app:
There seems no doubt that Springpad, especially in this latest iteration, is a creative app in a very crowded field. But looking carefully at permissions, you find the list above.
This isn’t to suggest that these permissions are or are not directly related to the functionality of the app or to subsidiary commercial support from advertising and marketing opportunities. And there is no implication that anything malicious is intended.
The point is information. Whether or not it is to a developer’s advantage to have users pay close and continuing attention to app permissions, it is definitely to the users’ advantage to do that.
Which brings us to a modest—and a slightly less modest— proposal.
Responsible reviewers should at least begin including some form of permissions listing in their reviews. This could be as simple as a shorthand list, something like the ratings for movies and television: PV (Pictures and Video), RC (Read Contacts), RP (Read Phone), and so on.
The next step would be for reviewers to evaluate permissions in two detailed ways. One is to write about how necessary (or unnecessary) the set of requested permissions is to the functionality of or commercial support for the app. The other is to compare similar apps relative to the intensity of permissions. It’s true to that no two apps are exactly alike, but if you try sometime, you just might find that very similar apps request vastly different access rights.
The issues of mobile privacy are not going away. As the user base grows, as the commercial stakes get higher, and as sophisticated data strategies evolve, things are going to get much more complicated. Having reviewers keep permissions front and center is a small but valuable step in keeping users aware and vigilant.