How many companies get my data when I use free mobile apps?
What I usually expect out of app is that it asks a server if it has new data – so for a sports app I might be asking the score of the Juventus-Barcelona game. The server would send me the score, and probably save the fact that I wanted the score of a football match and not, say the score of the Blackhawks ice hockey game. A nice little one to one communication - and something that over time will get me fine-tuned content because it’s tracking what sports I like and don’t like.
But what does the communication pattern really look like? It turns out it's a little different. And when I say a little, I mean a lot.
The title of Eurecom's paper seems harmless enough: Taming the Android AppStore: Lightweight Characterization of Android Applications. Characterizing apps in a lightweight fashion doesn't seem like much of a paper worth writing, but this paper is certainly worth reading. The team downloaded 2146 mobile apps and used packet tracing to see what those apps were connecting to. 436 apps were enjoyably boring – they didn't connect to anything.
But the remaining 1710 apps contacted just under 250,000 unique URLs – an average of about 140 URLs per app. 10% of the apps tested connect to more than 500 distinct URLs. The dry comment from the authors about about the “winner” for communication:
"We find the appMusic Volume EQ connects to almost 2000 distinct URLs. Interestingly, Music Volume EQ is a volume slider app, and not an app that would really require access to the network."
So what does the communication pattern really look like? Here is what it looks like if you were connecting to 500 URLs:
Another interesting statistic is that 26.8% contact user trackers – companies who exist to simply gather information about you. And 16% of those contact over 100 different trackers reporting on your usage habits. The winner of this category? If you have Eurosport Player, you'll be telling 810 trackers about yourself when you use it. Keep that in mind the next time you pull out your brand new Galaxy S6 Edge to find out how the NBA Draft is turning out.
What is trust and privacy these days? I must admit, I’m a bit old fashioned. I don’t want to be telling 5 companies what I’m doing all the time, let alone 500. But it does beg the question of how many an acceptable number is in the first place. Society doesn’t seem to be spending much time defining what the right number is. At least in Europe there is a right to be forgotten… but next time you think about that Right to Be Forgotten, just remember how many different companies you will have to contact to actually be forgotten… after you find out they exist in the first place.