Privacy International leads revolt over Android ‘bloatware’

Privacy International is leading a coalition of more than 50 organisations demanding that Google, as owner of Android, offer users the ability to delete any app from their device.

On almost every device there are several apps which are largely redundant and useless. Unfortunately for the user, these applications, known as ‘bloatware’, cannot be removed; there is no way to get rid of the squatting app. The open letter spearheaded by Privacy International is calling for Google to end the practice, giving users complete control over which applications are kept on the device.

“We, the undersigned, agree with you [Google CEO Sundar Pichai]: privacy cannot be a luxury offered only to those people who can afford it,” the letter states.

“And yet, Android Partners – who use the Android trademark and branding – are manufacturing devices that contain pre-installed apps that cannot be deleted (often known as ‘bloatware’), which can leave users vulnerable to their data being collected, shared and exposed without their knowledge or consent.”

‘Bloatware’ applications are largely harmless on the surface. Generally, they sit there not doing much; the issue being raised by Privacy International and its supporters is what is going on in the background.

Quoting a paper written by several academics, the coalition claims these applications collect data in the background, largely without the knowledge of the user, and also hold ‘privileged custom’ permissions which would not usually be granted by the Android security framework. These permissions include access to the device’s microphone and camera.

Interestingly enough, the paper also claims the devices carry the ‘Google Play Protect’ badge even though 91% of these pre-installed applications do not appear in the Google Play Store. This could be a way to get around the strict privacy protections implemented by Google, and therefore undermines the integrity of the ‘Google Play Protect’ credentials.

The letter is calling for several changes to the dynamic, most notably:

  • Users should be able to permanently delete any application
  • Pre-installed apps should face the same scrutiny as other apps
  • Pre-installed apps should have some sort of update mechanism
  • Google should refuse to certify devices unless manufacturers make changes to reinforce privacy credentials and protections

What is worth noting is that Privacy International and other such organisations are lobby groups which often paint an apocalyptic view of the digital economy. Google can never do anything right in the eyes of this community.

That said, Google is often in hot water over privacy concerns.

Numerous executives have penned blog posts and opinion articles to push the importance of privacy both as a concept and an internal company value of Google. However, the odd scandal often emerges to undermine these PR efforts.

In November, Amnesty International suggested Google was implementing strategies that abuse the privacy rights of individuals. Its virtual assistant is under investigation after it emerged that humans were reviewing transcripts of conversations recorded by its smart speaker without the consent of the user. In July, International Computer Science Institute (ICSI) researchers said numerous apps could easily circumvent Android’s privacy protections. The Google smart city initiative, Sidewalk, has also come under some intense privacy criticism.

What is clear is that Google’s actions and the relationships it has in place are always of benefit to it as an organisation. The presence of ‘bloatware’ is by design, not an oversight, so Google will only begrudgingly back-pedal on the current arrangement. It may well be forced to under the weight of public criticism, but there will be plenty of rolls of the dice before it does.

Privacy International points GDPR finger at Facebook

An investigation from privacy advocacy group Privacy International on the flow of personal information has questioned whether Facebook and its advertisers are violating Europe’s GDPR.

To date there have not been any major challenges brought under the data privacy regulation. There have of course been numerous violations of user privacy, but as these incidents occurred prior to the implementation of GDPR, the old version of the rules and punishments was applied. This investigation from Privacy International could prove to be a landmark.

The investigation itself questions whether Facebook and the app developers which use its platform for data collection and user identification are acting responsibly and legally. Through the Facebook Software Development Kit (SDK), data is automatically sent back to the social media giant, irrespective of whether consent has been collected, or even of whether the user has a Facebook account.

“Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools,” Privacy International states on its website.

“App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. Using the free and open source software tool called ‘mitmproxy’, an interactive HTTPS proxy, Privacy International has analysed the data that a number of Android apps transmit to Facebook through the Facebook SDK.”

After testing dozens of different apps, Privacy International claims 61% automatically transfer data to Facebook the moment a user opens the app, while others routinely send Facebook data that is incredibly detailed. Some of these users may be logged out of the platform or might not even have a Facebook account in the first place. Developers tested include travel comparison app Kayak, job search company Indeed and crowd-sourced search service Yelp.

Looking at the Kayak example, information was transferred back to Facebook not only when the app was opened and closed, but also during each stage of the search process. In the example Privacy International gives, the user searched for a flight from London Gatwick to Tokyo between December 2 and 5, then selected Narita Airport, before conducting another search for hotels for two adults in the city. All of this information was sent to Facebook without prompting, despite Kayak telling the user at sign-in, ‘don’t worry, we’ll never share anything without your permission’.

On its own this information is useful, but not incredibly so. However, when you consider the huge number of apps which will be sending information back to Facebook, an incredibly detailed picture of the user can be built. Using the other apps tested in this investigation, Facebook could also learn or make assumptions about the user’s religion (Muslim Pro), music interests (Shazam), salary and disposable income (Indeed Job Search) and interest in physical activities (MyFitnessPal). All of this information could be used to feed incredibly personalised advertisements to the user.

The big question which remains is whether this could be perceived as a violation of GDPR. Facebook has stated it released an update to the SDK which allows developers to suspend the automatic data transfers, though this is only available for version 4.34 and later. With the opt-out (tied to the Google advertising ID) turned off by default, some might suggest the user is being led as opposed to asked.

Another factor which could work against Facebook is the collection of data on users who do not have Facebook accounts; this is much more suspect. Under GDPR, a company has to have a specific and justified reason to collect personal information. It does appear Facebook is collecting information on these users despite having no purpose or valid reason to do so.

With fines for violating GDPR of up to 3% of annual turnover, the stakes are very high. This could prove to be one of the first tests of rules designed to protect the privacy of the general public, and few will be surprised that Facebook is a central character in the story. With the social media giant seemingly antagonising many governments around the world, we suspect there will be a queue forming to have a swing with the sharp GDPR stick.