Leaky Apps Scandal: Where Does the Buck Stop?

Apps stock imageThis weeks revelations about the role that app developers and advertising networks may have (potentially accidentally) played in UK and US government spying raises very important questions for the mobile industry.

Aside from Rovio, which released a comprehensive statement assuring its users that it does not give data to spying agencies, and levelling blame at third-party networks, the silence from the industry has been deafening.

Google’s Doubleclick ads are among those served within Rovio’s Angry Birds, which implicates the company in this alleged haemorrhaging of personal details. Google is also an app owner, with its suite of productivity apps among the most widely used in the world, giving it even greater visibility of data and relevant security issues.

Google: No comment

Asked what the company made of the Wikileaks information, a Google spokesperson said: “We don’t have a comment on this.” When pressed on its responsibility to its users, Google added: “No one’s available for comment.”

Ad networks including Millennial Media and Nexage also serve ads within Rovio’s apps. Millennial Media’s EMEA content and communications manager Dave Ross-Tomlin, made a short statement yesterday. “There has been reporting over the last 24 hours about the collection of mobile data by government ‘spy’ agencies,” he said. “Let us be clear: Millennial Media has not and does not work with, nor pass information to, the NSA, GCHQ, or any other such agencies.”

The company said that it uses non-personally identifiable data provided by publishers – in this case, app developers – with the permission of users. It then adds additional filtering for regulatory compliance, relating to laws like the Childrens Online Privacy Protection Act. We were directed to their privacy policy but Millennial could not give any more detail about whether data could have been collected without them knowing and, if so, how this could be stopped in the future.

MMA: We take privacy seriously

It is not entirely clear within whose jurisdiction this lies and who should be held accountable if consumers’ privacy is infringed. While the Internet Advertising Bureau said it is unable to comment, Stephen Upstone, UK chair of the Mobile Marketing Association, a trade body for the industry, said that his organisation and its members take the issue of consumer privacy very seriously.

“I am not aware of any companies sharing of customer data accidentally or deliberately,” Upstone said. “The MMA takes an active role in encouraging regulation and best practice with the mobile marketing and advertising industry globally. We consult with brand marketers, advertising agencies, publishers, software and service suppliers on behalf of the industry and consumers.”

When asked who could be held responsible if data has been handed over to security services, purposefully of not, Upstone added: “Individual companies that handle data are responsible for ensuring it is properly handled, securely stored and that the laws and regulations are being respected. App developers who work with third-party suppliers and manage data are responsible for choosing vendors who are managing data properly.”

Rovio has said that it is now re-evaluating its work with ad networks as it considers how to ensure that data is not made so freely available in future, but without clear evidence of who has done what, many in the industry face having this key app ad inventory removed from their arsenal. And with little response from app developers and the ad networks they work with, it is difficult to know how the industry can stop this happening in the future.

ICO: We have raised concerns about US spying

We got in touch with a number of consumer protection organisations, including Consumer Future and Which?, but they were unable to comment as they did not have the relevant expertise. An Information Commissioner spokesperson said that app developers must comply with the requirements of the Data Protection Act, including being open about how data will be used and that data collection is not excessive, on which the organisation has created guidelines.

On the NSA and surveillance, the ICO spokesperson said: “There are real issues about the extent to which US law enforcement agencies can access personal data of UK and other European citizens. Aspects of US law under which companies can be compelled to provide information to US agencies potentially conflict with European data protection law, including the UK’s own Data Protection Act. The ICO has raised this with its European counterparts, and the issue is being considered by the European Commission, who are in discussions with the US Government.”

This is just the latest in a long list of examples of government infringing on civil liberties, so are people right to ask whether privacy itself is a thing of the past? Online security firm Bitdefender says that users who embrace privacy are denied access to modern technology.

Bitdefender: Internet is a pool of data waiting to be mined

“Many of the apps that we install on a daily basis are paid for with our private details,” said Alexandru Catalin Cosoi, chief security strategist at Bitdefender. “On one hand, advertisers are becoming greedier and greedier, because the more personal information they get, the more accurate their profiling, and on the other hand, developers are better paid if they accept the task of getting more information for the advertiser.

“It looks like a win-win situation, but the end-user has the most to lose in the case of a data breach, and what’s most harmful is that most of the time they aren’t even aware that their private information is being harvested. Social networks are booming and a good chunk of users either have no idea how to, or do not care about, safely using these. The internet has become a pool of personal information ready to be mined.”

It was announced yesterday that Ed Snowden, the man who did some data mining of his own when he leaked documents about government spying to Wikileaks, has been nominated for the Nobel Peace Price. But the prize is not without its critics, with past nominees including Joseph Stalin.

In an interview in December Edward Snowden said: “I didn’t want to change society. I wanted to give society a chance to determine if it should change itself.” These revelations look like a good opportunity for the mobile industry to do some soul-searching of its own.

We reached out to a number of ad networks, including Nexage and Medaiplex, who did not get back to us. Adblock, creators of software to stop ads, declined to comment and App Annie, the app data analytics platform that tracks 3.9m apps, said it may be next week when they engage with the question. We are awaiting further comment from a number of other organisations.