Ma­jor­ity of mo­bile apps vi­o­late pri­vacy law, says watch­dog

Of the 60 prod­ucts sur­veyed, only one pro­vided pri­vacy state­ment spe­cific to the app: Pri­vacy com­mis­sioner’s of­fice

China Daily (Hong Kong) - - FRONT PAGE - By KAHON CHAN in Hong Kong kahon@chi­nadai­lyhk.com

The ma­jor­ity of mo­bile ap­pli­ca­tions ap­par­ently vi­o­late the pri­vacy law by col­lect­ing from users’ phones sen­si­tive data prob­a­bly not re­lated to their func­tions and with­out suf­fi­cient warn­ing to users, the pri­vacy com­mis­sioner’s of­fice re­vealed on Tues­day.

An­droid de­vice users have had the priv­i­lege to know what per­mis­sions they are giv­ing away be­fore they in­stall mo­bile apps onto their de­vices, which range from ac­cess of cer­tain in­for­ma­tion to ac­ti­va­tion of the de­vice’s hard­ware, like a cam­era.

The Of­fice of the Pri­vacy Com­mis­sioner for Per­sonal Data (PCPD) sur­veyed mo­bile ap­pli­ca­tions de­vel­oped by Hong Kong firms and found that al­though many ask for per­mis­sion to ac­cess pri­vacy-sen­si­tive in­for­ma­tion or func­tions, they rarely ex­plain why.

Sched­ule 1 of the Per­sonal Data (Pri­vacy) Or­di­nance pro­vides that a col­lec­tor of per­sonal data must pub­licly dis­close their “poli­cies and prac­tices” on how per­sonal data is han­dled. A “Pri­vacy Pol­icy State­ment” was rec­om­mended.

Only one mo­bile app, out of a to­tal of 60 sur­veyed, pro­vided a pri­vacy pol­icy state­ment on the de­vel­oper’s web­site spe­cific to the app. De­vel­op­ers of 35 other apps made no men­tion of the app in their state­ments. The re­main­ing 24 had not even made the pol­icy pub­lic.

Eight games wanted ac­cess to text mes­sages. News and ed­u­ca­tion apps told users the de­vice’s voice record­ing might be ac­ti­vated with­out the user’s con­sent. The lo­cal Yel­low Page app even asked for the right to edit the user’s cal­en­dar and phone­book.

Henry Chang Chung- yee, the in­for­ma­tion tech­nol­ogy ad­vi­sor for the pri­vacy com­mis­sioner, said ex­po­sure will get much worse if de­vel­op­ers are able to pool per­sonal data col­lected through dif­fer­ent apps.

The most alarm­ing find­ing, Chang said, was that many apps are able to look up “other ac­counts” on the de­vice. App de­vel­op­ers might thus be able to tie up all vir­tual iden­ti­ties used by a real- life per­son on so­cial and in­stant mes­sag­ing apps.

He warned that since de­vel­op­ment of mo­bile apps in­volves many “stake­hold­ers”, some of which are in­vis­i­ble to the users, tech­ni­cally there is a risk of fur­ther leaks of per­sonal in­for­ma­tion ob­tained through mo­bile apps.

The PCPD has since fol­lowed up on 10 uniden­ti­fied apps that pose higher pri­vacy risks. Deputy Com­mis­sioner Lavinia Chang Yu-ming said they have taken a softer ap­proach, but fur­ther ac­tion could not be pre­cluded if app de­vel­op­ers are un­co­op­er­a­tive.

The of­fice had also or­dered a com­pany that spe­cial­izes in back­ground checks to stop pro­vid­ing con­tent to a mo­bile app called “Do No Evil”, which of­fers one- stop back­ground checks for em­ploy­ers and par­ents.

The com­pany, Glo­ri­ous Des­tiny In­vest­ment Ltd, has formed a data­base of crim­i­nal his­tory, bankruptcy records and com­pany di­rec­tor­ships from pub­lic dis­clo­sures of the Ju­di­ciary, the Of­fi­cial Re­ceiver’s Of­fice, the Gazette and the Com­pa­nies Reg­istry.

The data­base has been ac­ces­si­ble by cor­po­rate clients for back­ground checks, as well as the gen­eral pub­lic through “Do No Evil”.

Even though source ma­te­ri­als were ob­tained from the pub­lic do­main, the app was con­sid­ered to have “se­ri­ously in­truded” per­sonal data pri­vacy as the pur­pose of back­ground checks was in­con­sis­tent with the pur­pose set out by the agen­cies to col­lect or pub­li­cize the per­sonal data.

Pri­vacy Com­mis­sioner Al­lan Chi­ang noted that since not all rul­ings of court pro­ceed­ings are pub­licly avail­able, dis­clo­sure of just the court list­ings could be con­sid­ered an in­ac­cu­rate record of the per­sons in­volved. Ag­gre­ga­tion of frag­mented data also in­creased the sever­ity of the in­tru­sion.

The app was still avail­able from Google Play as of Tues­day, but its data­base has been in­ac­ces­si­ble since Aug 7 in com­pli­ance with a PCPD en­force­ment no­tice. The probe con­tin­ues to in­ves­ti­gate whether the cor­po­rate deals are in breach of the laws.

Newspapers in English

Newspapers from China

© PressReader. All rights reserved.