When you open up your Skype app to make a call, it’s probably no surprise that it’s accessing your phone’s call history. But would you expect your Nike+ Running app to collect that information too?
If you’re like most people, the answer is no.
That’s why the Nike+ Running app gets a B on PrivacyGrade, a site for people to figure out what information their apps might be collecting. Right now it only looks at Android apps, but the site already lists hundreds of them from Google Maps to Instagram to WebMD.
Many of the apps that got graded are for health and fitness.
For instance, What To Expect, a pregnancy app, gets the lowest possible grade, a D, for collecting images you take of your baby bump and potentially using them to offer you targeted ads.
The grades are determined by comparing people’s expectations about the information an app might collect with what the app actually collects. For example, people don’t expect the Period Tracker (Pink Pad) app to track their location, but it does, so it gets a C. Whereas Google Maps, which everyone expects to track their location, receives an A. (NPR News, by the way, gets a B while NPR One scores an A.)
Researchers at Carnegie Mellon University and Rutgers University created PrivacyGrade based on their studies of people’s privacy expectations. They found, unsurprisingly, that when people are informed why their location or other sensitive data might be needed for an app, they’re more comfortable giving that information away.
PrivacyGrade specifically looks at the pieces of an app’s code called libraries. Libraries are pieces of code provided by companies to help apps connect to their services. Facebook, Twitter and Google all offer libraries for app developers. They allow users to post impressive weight loss gains or long runs to Facebook from within an app, for instance.
But they can also let advertisers learn about an app’s users in ways people don’t necessarily want – and the developers may not even know it. “One of the big problems we’ve seen with libraries … developers don’t often know what these libraries are doing,” says Jason Hong, one of the developers of PrivacyGrade.
PrivacyGrade’s main limitation is that it looks only at libraries. While it’s a good start, any given app could be digging much deeper into your private information on the phone outside of those libraries says Jeremy Gillula, a spokesperson for the Electronic Frontier Foundation.
And right now, there’s not enough demand by the public for app developers to use safer libraries or fix their code. People who build apps “don’t have a huge incentive,” says Gillula. An NPR-Truven Health Analytics poll found that people don’t seem to care about health data privacy nearly as much as you might think.
That’s where PrivacyGrade’s rating system could help, says Omri Ben-Shahr, law professor at the University of Chicago. He says he was skeptical of the site until he found out about the grades.
Grades or rating systems work. People “don’t want to know too much about a restaurant other than its Zagat rating,” he says.
For health in particular, Ben-Shahr says there may be more incentive for people to use a site like PrivacyGrade. “Commercializing people’s illnesses, medical problems, is something that many people find particularly tasteless. So there might be more demand … but only to the extent that they get low grades.”
He says even people who say in a survey that they want privacy, but when it comes down to it, they aren’t willing to put their money where their mouth is.
“It’s pretty easy to change settings or to even change service in a way that anonymizes you on your smartphone,” says Ben-Shahr. “But people are not buying this form of protection. And so when people really want some kind of protection like insurance, they’re willing to pay a lot for it.”
So where does that leave a free site like PrivacyGrade? It’s too early to tell if it’ll catch on, says Ben-Shahr. And the grades should be taken with a grain of salt: “If people already expect the worst … then [PrivacyGrade] is not going to give them a negative grade.”