VinziusThe Evolving Landscape of Data Privacy
Let’s delve into the evolution of data privacy from websites to mobile apps and the potential challenges posed by the rise of augmented reality (AR) technology.
The goal is to raise concerns about the future of data privacy and emphasize the need for continued vigilance to protect personal information in an increasingly interconnected digital world.
1. Web Privacy Started to Matter in 2018
Before May 2018, websites had more or less every right (and no shame) to track you in every way, for various reasons (often for analytics, advertising, reselling your data, and minor stuff related to your browsing experience). Like I often heard when it comes to good conscience:
« Others are doing it, so why not ourselves? We aren’t the bad guys, on the contrary! »
Since 2018, companies must comply with local regulations (such as GDPR in Europe, CCPA, CDPA or HIPAA in America), and should ask for your permission first. And let’s be honest, you care much more about this ultimate Toblerone brownie recipe.
What about mobile applications?
Do publishers play a similar game there too? They should, as there is no little difference regarding the law. These applications tend to be more troublesome as they can access your life (depending on the device permissions you authorized) all the time: when you work, walk, or sleep (well, let’s not speak about « smart » speakers, that’s probably the worst at the time of this article). It’s probably for the best if you don’t know how much of your personal data is being legally (?) « shared » by companies. Most people don’t care, « they have nothing to hide », or « it’s not important enough for Google to care ». Anyway, the most secure operating system is probably the one without an internet connection, deep in some concrete.
Apple is known to make more « privacy-friendly » hardware and software by design, while others don’t (e.g. Google). It doesn’t mean Apple is entirely clean/secure and Google evil (while they did change their motto), but it implies that the operating system is more or less designed this way. For instance, Apple added in iOS 13 many privacy-friendly options like the « sign in with Apple » (which is a pain for developers due to restrictive guidelines, but a nice addition for users), which has been enforced since summer 2020. And to be fair, Google is doing its part too.
As a heavy « apps consumer », I didn’t encounter many privacy alerts within mobile apps. It’s coming little by little, but mostly for well-behaved publishers, and mostly in games.
The likelihood of a fine is insufficient
Despite the shadow of a hefty fine (e.g. up to 4% of the world’s revenue for GDPR infringement), most companies aren’t up to date yet. Reasons are multiple, but the main one is: the incentive is still low, and it’s more difficult for users and local regulators to verify (compared to the web browser).
2. What Data is Accessible by Mobile Apps?
We won’t focus on the operating system, which is a wider subject: when you buy an Android or iOS device, you accept for your privacy to be managed by somehone else. However, it’s an uncertain subject when you download and install a specific mobile app.
What is accessible by app creators?
| Feature | Description | |
|---|---|---|
| 📔 | Address book | Including names, phone numbers, email addresses, and other related information. |
| 🌍 | Location data | Precise or approximate location information from GPS, Wi-Fi, or cellular data. |
| 📸 | Photo and Video libraries | Storage and access to photos and videos on the device. |
| 🎤 | Camera and Microphone | Access to the device’s camera and microphone for capturing photos, videos, and audio recordings. |
| 📅 | Calendar and reminders | Management and access to calendar events and reminders. |
| 💪 | Health and fitness data | Collected through the Health app or other health-related apps and devices, such as heart rate, step count, and sleep data. |
| 🔵 | Bluetooth | Devices and data exchange between the iOS device and Bluetooth-enabled devices. |
| 🏃♂️ | Motion and activity data | Accelerometer, gyroscope, and other motion sensor data. |
Most of this data was freely accessible in the early years (until 2014 or so). For instance, the front camera of your device didn’t require authorization, and a lot of applications were using advertising libraries that would record your face without your knowing (e.g., to understand your behavior and emotions).
I can tell as I worked in this industry and saw several static libraries crash when Apple introduced the authorization system with iOS 7 in September 2013.
Was the camera the only unprotected source? No, most weren’t. However, nowadays, most of these features require the user’s consent.
Is it better with Virtual Reality such as Oculus Quest (or Meta Quest)? No. At the time of this article (early 2023), it’s clear that Facebook / Meta is collecting (on their servers) derived data from your headset, such as:
- Hand tracking.
- Eye tracking.
- Natural facial expressions.
- etc.
Anonymized? As they say. But rumors suggest it was much worse in the beginning, though hard to verify now.
3. Who is Accessing your Data?
Are the app / website creators the only ones accessing your data? Hell no.
More than one entity has access to your data, and we usually make the distinction between:
- Data controller: decides why and how personal data should be processed.
- Data processor: processes personal data on behalf of the data controller.
The data controller determines the purpose and means of processing personal data, while the data processor processes the data on behalf of the controller. Both data controllers and data processors have specific responsibilities and obligations under data protection regulations, like the GDPR, to ensure the privacy and security of personal data.
Once you give your data to someone, you can be sure it’ll go through multiple intermediaries. How far? Who knows.
A strong incentive to sell your data
We could split data usage in two important categories:
- Services that enhances the product life (e.g. crash analytics).
- Advertising: either by selling, or buying.
- You sell ads? get more money by telling what your users like.
- You buy ads? validate the conversions by calling the ad platform and providing additional data.
The biggest problem resides in the second part. To make more money (and by a large margin), companies are strongly incentivized to share information that defines you. And either way (buying or selling ads), advertisers get your information.
Here starts the rabbit hole. You like cheese? Hundreds of companies will soon know, and it’ll be tied to identifiers going further than your knowledge. Nothing to hide or don’t care? Until you do, and it’s then too late.
4. How do Operating Systems Handle this Matter?
Let’s focus on Apple as they led the subject in the recent years. Do that mean we own them everything? No. But they have the power to obstruct their concurrents business (e.g. Facebook) in order to reinforce their motto (and make more money).
Examples of privacy enhancements introduced by Apple over the years:
| Version | Year | Improvements |
|---|---|---|
| iOS 6 | 2012 | Advertising Identifier (IDFA) |
| iOS 7 | 2013 | User’s Authorization (e.g. camera access), Activation Lock |
| iOS 8 | 2014 | Encrypted data by default, Hide MAC address |
| iOS 9 | 2015 | Transport Security (ATS) |
| iOS 10 | 2016 | Differential Privacy technique |
| iOS 11 | 2017 | Intelligent Tracking Prevention in Safari |
| iOS 12 | 2018 | Password management |
| iOS 13 | 2019 | Sign in with Apple, More control over location data sharing |
| iOS 14 | 2020 | App Privacy labels, App Tracking Transparency feature |
| iOS 15 | 2021 | Mail Privacy Protection, iCloud Private Relay (iCloud+ subscription) |
| iOS 16 | 2022 | Clipboard access, Lockdown mode, Safety check |
Is it:
- Preventing any privacy leaks to third-parties? No, but it’s making their life more difficult.
- Preventing Apple from storing and analyzing your data server-side? Not for all your data. Whatever is uploaded to iCloud should be considered as leaked (as a general rule). But overall, it should be better than the average tech company.
Should a private company be able to decide life or death on this kind of matter? Probably not, but governments usually are slow to take protective decisions.
5. The Rise of AR and the Erosion of Privacy
Mobile devices? We’re coming to an end. It has been almost 16 years since the original iPhone (2007). We can estimate that AR devices might overtake mobile phones in the coming years. Hardware isn’t ready yet, but it’s a matter of time.
Is the data of mobile phone users properly protected? No. Is it going to be worse once the main human-machine paradigm changes? Yes.
I like the artist’s vision of “Hyper Reality” from 2016. It emphasizes how the real will confront the virtual. My guess is it’ll become reality by 2026, just 10 years after the short movie.
Once society enters this kind of mindset, your privacy will be a memory of the past. Even if you turn on privacy settings, your face (and metrics) will be recorded without your knowledge and consent (already the case). And it’s not even the worst part.
You think it won’t be “legal”? France is the first European country to legalize biometric monitoring. Do politicians understand the dangers of such laws? Yes, and they smile while voting for them.
Is it for the better or the worse? The future will tell. However, you can be sure that your data and privacy are already compromised.
Author Vinzius
LastMod 10 April, 2023