Cybersecurity , Data Governance , Data Privacy & Information Rights Management

Mobile Apps and Websites Collect More Data Than Required

Lack of Transparency in Handling and Sharing of PII Is Concerning
Mobile Apps and Websites Collect More Data Than Required
Image: Shutterstock

The two key digital channels of business - mobile apps and websites - are collecting way more personal data than required, highlights Arrka Consulting's study for 2022 on the State of Data Privacy of Indian Mobile Apps & Websites. The handling of users' personal data, sharing it further with third parties, and lack of transparency pose risks to data privacy.

See Also: Live Webinar | Special Delivery! Defending and Investigating Advanced Intrusions on Secure Email Gateways

The accuracy of privacy-related declarations on Google Play Store and App Store is particularly worrying. Forty-two percent of Android apps declare collecting data on the exact location of the user, whereas in reality, 76% of apps collect this data. On iOS, 59% declare that permission is being taken to access the location, whereas 83% already have access.

"Given the significant push by Apple and Google on the adoption of stringent data privacy measures by app developers, the discrepancies between what apps declare about their privacy practices on the stores and what they actually do in practice are concerning," says Shivangi Nadkarni, CEO and co-founder, Arrka.

Are Companies Tracking More Data Than Required?

As enterprises pivot to business models built on data, the debate around "what" and "how much" data need to be collected and shared is getting intense at the cost of privacy.

The Arrka study indicates that a significantly higher number of Indian apps request access to specific permissions compared to their global counterparts. The U.S. apps come a distant second, and the EU apps take the least permissions. A combination of Google Play Store policy changes and stringent privacy regulations like GDPR appears to be changing app behavior in the EU and, to a lesser extent, in the U.S.

  • Fifty-seven percent of Indian Android apps have access to microphones compared to just 19% in the U.S. and 32% in the EU.
  • Indian websites were found to deploy 21 third-party trackers compared to 18 in the U.S. websites and 11 in the EU websites.
  • A 33% decline was observed in the number of third-party trackers on U.S. websites as compared to 2020.
  • Significantly higher use of Google Analytics by Indian websites was observed, compared to the U.S. and the EU websites.
  • Privacy Notice readability scores in the EU are 30% higher than in India. The average Readability Score of an Indian organization's privacy notice is rated 30, which is half the acceptable International Readability Standard Score.

The report studied digital properties of 100 Indian organizations across 25 sectors and 76 in the U.S. and EU for benchmarking.

The study identifies that Indian companies are tracking more data than required, considering the significant variance in permissions being taken by apps within the same sector. Travel booking, banking, entertainment (streaming) and news/magazines are among the sectors that show the most variance.

"One wonders if those enterprises taking more permissions compared to their counterparts are offering additional features and functionalities or is it "good to have" data for other purposes," Nadkarni says.

This means 50% of organizations are not yet ready for the upcoming Digital Personal Data Protection Bill's key requirement around the limitation on the collection of personal data. The personal data shall be collected only to the extent that is necessary for processing of such personal data, the bill states.

Similarly, 50% of organizations are yet to be compliant with the bill's requirement around the privacy notice being clear, concise and easily comprehensible to a reasonable person.

"Must Have" vs. "Good to Have" Access Permissions

Mobile apps collect a lot of personal data about a user via permissions. "Dangerous permissions" are those through which the data collected is highly sensitive and can cause harm, if misused.

Usage of permissions can be highly contextual. In some cases, they are "must have" to provide certain features and functionalities, while in some cases, they are "good to have" or are not necessarily needed. The latter is a major privacy concern and questions the organization's intent behind collecting that data.

Google is the single-largest third party with whom data is being shared, followed by Facebook. In Android apps, 39% of the identified trackers belong to Google and 28% to Facebook. Meanwhile, Google has 47% of identified trackers on websites with Facebook a distant second with 9% trackers on websites.

Top Dangerous Permissions Accessed by Mobile Apps

The top dangerous permissions accessed by Android apps are the users' exact precise location (76%), camera (76%) and microphone (57%). More apps requested access to location, camera and microphone in 2022, compared to 2020. There are also more apps accessing "exact" location than "approximate" location. The top permissions accessed by iOS apps include photos (90%), location (83%) and camera (81%). Focusing specifically on lending apps, 75% currently access resources of the users that the RBI guideline has recommended to desist from, like contact list, file and media, and call logs.

A possible reason could be that organizations are providing newer services/features based on these permissions, like voice-enabled and facial recognition services. However, this doesn't alleviate the rising privacy concerns the year-on-year trends indicate.

Website Tracker Landscape

Websites collect personal data of users from their devices via trackers - cookies as well as other trackers. Almost 88% of the websites had third-party trackers embedded and 15% of those are known advertisers. Despite the push for a cookieless future, there has been a 25% increase in the number of third-party cookies over 2020.

Questionable Transparency

An industry that's built on the premise of transparency - the finance sector (banks and fintech marketplaces) - ironically, has the lowest noticeability score. Organizations need to be transparent with their users regarding Privacy Notices and keep them informed about their data processing and handling activities.

The more data enterprises track, the more burden it places on them around the responsibility of how the data is being used, who it is shared with and for what purpose. With the data protection bill round the corner, it’s the right time for organizations to revisit their data collection and usage policies, especially for their digital properties.

About the Author

Shipra Malhotra

Shipra Malhotra

Managing Editor, ISMG

Malhotra has more than two decades of experience in technology journalism and public relations. She writes about enterprise technology and security-related issues and has worked at, Dataquest and The Indian Express.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.