(13 August 2013) The Office of the Privacy Commissioner for Personal Data ("PCPD") conducted a survey [1] of 60 smartphone applications ("apps") developed by Hong Kong entities and found that their transparency in terms of privacy policy was generally inadequate. Only 60% of the apps provided Privacy Policy Statements ("PPS"), and most of those did not explain what smartphone data they would access or the purposes of the access.
As part of the Global Privacy Enforcement Network [2] Internet Privacy Sweep exercise ("the Sweep"), which aimed to assess the transparency of data users in collecting and using personal data online, the PCPD joined forces with 18 other privacy enforcement authorities on the common date of 6 May 2013 to conduct the survey. In view of the popular use of apps in Hong Kong, the PCPD focused on the availability, accessibility and readability of the privacy policies of apps. The PCPD announced the commencement of the Sweep on 7 May 2013 [3].
The PCPD selected the 60 most popular Hong Kong apps to review the transparency of their PPS, the types of data commonly accessed by apps, and the potential privacy risks to users. The 60 apps (54 of them free) were evenly selected from the Apple App Store and Google Play Store, covering 16 categories of apps including games, travel, entertainment, lifestyle, and food & drink.
Inadequate transparency in Privacy Policy
In going about their daily life and business, smartphone users often store various types of private data on their smartphones. Even though not all such data may come under the meaning of "personal data" under the Personal Data (Privacy) Ordinance, app developers are advised to adopt the PCPD's recommended practices on preparing PPS [4] and state how they handle personal data and/or protect privacy. If app developers/providers collect and/or use personal data, they should comply with the principle of transparency and make their relevant Personal Information Collection Statement ("PICS") available to data subjects in a manner that is easily accessible, readable and understandable.
Deputy Privacy Commissioner for Personal Data, Ms Lavinia Chang, stated at the press briefing today that "the survey results show that privacy policy transparency of apps was generally inadequate (see Table 1). 40% of the 60 apps selected did not provide any PPS or contact information for enquiries. Although the remaining 60% provided PPS, they were all provided on the developers' websites and few explained the purpose for accessing each type of data stored on smartphones. In several cases, the PPS was not provided until after the users had installed the apps. Although the law does not prescribe the manner in which PPS is to be provided, it is recommended practice to make PPS readily available on the installation interface during or before app installation".
Most of the PPSs were not tailored for the apps in question, but applied only to the websites of the app developers/providers, in relation to membership applications or website visits. Over 10% of the PPSs had presentational problems. In some cases the PPS was provided only in English while the app was in Chinese. In another case, the PPS was 292 lines long but was displayed in an eight-line window on the website.
Table 1: Transparency of Privacy Policy

| Privacy Policy | No. of apps (%) |
|---|---|
| No explanation on purpose of accessing each type of data | 35 (97) |
| Not tailored for app in question | 33 (92) |
| In different language from app, or not easily readable | 4 (11) |
Potential privacy risks
The types of private data accessed by apps also varied. The number of different types of private data accessed ranged from one to eight across the 60 apps examined in the survey (see Table 2). Games appeared to access more types of data.
Table 2: Private data / functions accessed by apps

| Types of data accessed | No. of apps (%) |
|---|---|
| Unique phone identifier | 44 (73) |
| Location data | 34 (57) |
| Account information stored on the phone | 21 (35) |
| List of apps running on the phone | 13 (22) |
| Camera/microphone function | 10 (17) |
| SMS/MMS messages | 8 (13) |
| Call logs | 6 (10) |
| Address book | 6 (10) |
| Calendar details | 1 (2) |
While some smartphone users may consider access to the data mentioned above harmless, they should be aware that bits and pieces of private data gathered by different apps may, when combined, give rise to privacy concerns. The following example serves to illustrate: App A collects User X's unique phone identifier (IMEI number) and location data from X's smartphone, and App B collects the same IMEI number and the social network account stored on the phone. If the data collected by the two apps is combined and correlated using the IMEI number, the location of X's social network account may become trackable by any party with access to the data collected by both apps. This is possible even if X has never "checked in" on his/her social network account (a function of social networking sites that allows users to use the GPS on their smartphones to share their exact location in the social network app).
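The linkage described above, as an added illustration that is not part of the PCPD release: with constructed records, two apps that each retain the raw IMEI can be joined on it, whereas per-app scoped identifiers derived with an HMAC (an assumed mitigation, not one the release prescribes; the app secrets are made up) leave the two datasets with no common key.

```python
"""Constructed example: cross-app linkage through a shared IMEI, and a per-app
scoped identifier that removes the join key. All records below are made up."""
import hashlib
import hmac

# App A: hardware identifier plus location (constructed sample records).
APP_A_RECORDS = [
    {"imei": "490154203237518", "lat": 22.2855, "lon": 114.1577},
    {"imei": "352099001761481", "lat": 22.3193, "lon": 114.1694},
]

# App B: the same hardware identifier plus the social account stored on the phone.
APP_B_RECORDS = [
    {"imei": "490154203237518", "social_account": "user_x@example.invalid"},
    {"imei": "352099001761481", "social_account": "user_y@example.invalid"},
    {"imei": "867530900123456", "social_account": "user_z@example.invalid"},
]


def link_by_key(records_a, records_b, key):
    """Inner-join two datasets on a shared identifier field. The result is
    what a party holding both datasets could correlate: location tied to
    social account without either app having collected both."""
    by_key_b = {r[key]: r for r in records_b}
    linked = {}
    for rec in records_a:
        match = by_key_b.get(rec[key])
        if match is not None:
            linked[rec[key]] = {**rec, **match}
    return linked


def scoped_id(imei, app_secret):
    """Per-app pseudonymous identifier: HMAC-SHA256 of the IMEI under a key
    known only to that app (assumed mitigation). Different apps derive
    unrelated values, so the raw IMEI never leaves the device as a join key."""
    return hmac.new(app_secret, imei.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, app_secret):
    """Replace the raw IMEI in each record by the app's scoped identifier."""
    return [{**{k: v for k, v in r.items() if k != "imei"},
             "device_id": scoped_id(r["imei"], app_secret)} for r in records]


def demo():
    raw_links = link_by_key(APP_A_RECORDS, APP_B_RECORDS, "imei")
    a_scoped = pseudonymise(APP_A_RECORDS, b"app-a-secret")  # constructed keys
    b_scoped = pseudonymise(APP_B_RECORDS, b"app-b-secret")
    scoped_links = link_by_key(a_scoped, b_scoped, "device_id")
    return raw_links, scoped_links  # two linked users, then none
```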
The PCPD's Recommendations
Ms Chang advises app developers to refer to Personal Data Privacy Protection: What Mobile Apps Developers and Their Clients Should Know (www.pcpd.org.hk/english/resources_centre/publications/files/apps_developers_e.pdf), issued by the PCPD. App developers should access only the types of data necessary for the app, and ensure that their PPSs are tailored for their particular apps. They should state clearly whether the apps would access data on the smartphone, what types of data would be accessed, and why and how such access would be carried out, so that users can make an informed decision whether or not to use the app.
The PCPD is looking into the privacy notice practices of 10 apps with comparatively higher potential privacy risk with a view to promoting compliance with the requirements under the Personal Data (Privacy) Ordinance. The PCPD has also written to the remaining 50 apps advising them of the matters they should consider to improve the transparency of their privacy practice.
Smartphone users are recommended to read the privacy policy of an app before installing it. They should regularly review their permission settings, where the smartphone operating system provides them, to prevent apps from accessing unnecessary data such as location data. They should also uninstall dubious apps and those no longer needed, to minimise the risk of data leakage.
Smartphone users may visit the PCPD's website "Think Privacy! Be Smart Online" (www.pcpd.org.hk/besmartonline/en/) for more advice on data protection when using smartphones and mobile apps.
- End -
[1] See Study Report on the Privacy Policy Transparency ("Internet Privacy Sweep") of Smartphone Applications (www.pcpd.org.hk/english/resources_centre/publications/files/mobile_app_sweep_e.pdf)
[2] The Global Privacy Enforcement Network is a network of privacy enforcement authorities from around the globe working together to protect the privacy rights of individuals.
[3] See Media Statement: The PCPD Commences to Study Privacy Policy of Local Smartphone Apps (www.pcpd.org.hk/english/infocentre/press_20130507.htm)
[4] See Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement issued by the PCPD (www.pcpd.org.hk/english/resources_centre/publications/files/GN_picspps_e.pdf)