Majority of mobile apps violate privacy law, says watchdog
Of the 60 products surveyed, only one provided privacy statement specific to the app: Privacy commissioner’s office
The majority of mobile applications apparently violate the privacy law by collecting sensitive data from users’ phones that is probably unrelated to their functions, and without sufficient warning to users, the privacy commissioner’s office revealed on Tuesday.
Android device users have had the privilege of knowing what permissions they are giving away before they install mobile apps onto their devices. These permissions range from access to certain information to activation of the device’s hardware, like a camera.
The Office of the Privacy Commissioner for Personal Data (PCPD) surveyed mobile applications developed by Hong Kong firms and found that although many ask for permission to access privacy-sensitive information or functions, they rarely explain why.
Eight games wanted access to text messages. News and education apps told users the device’s voice recording might be activated without the user’s consent. The local Yellow Page app even asked for the right to edit the user’s calendar and phonebook.
Henry Chang Chung-yee, the information technology advisor for the privacy commissioner, said exposure will get much worse if developers are able to pool personal data collected through different apps.
The most alarming finding, Chang said, was that many apps are able to look up “other accounts” on the device. App developers might thus be able to tie together all virtual identities used by a real-life person on social and instant messaging apps.
He warned that since development of mobile apps involves many “stakeholders”, some of which are invisible to the users, technically there is a risk of further leaks of personal information obtained through mobile apps.
The PCPD has since followed up on 10 unidentified apps that pose higher privacy risks. Deputy Commissioner Lavinia Chang Yu-ming said they have taken a softer approach, but further action could not be precluded if app developers are uncooperative.
The office had also ordered a company that specializes in background checks to stop providing content to a mobile app called “Do No Evil”, which offers one-stop background checks for employers and parents.
The company, Glorious Destiny Investment Ltd, has formed a database of criminal history, bankruptcy records and company directorships from public disclosures of the Judiciary, the Official Receiver’s Office, the Gazette and the Companies Registry.
The database has been accessible by corporate clients for background checks, as well as the general public through “Do No Evil”.
Even though source materials were obtained from the public domain, the app was considered to have “seriously intruded” on personal data privacy, as the purpose of background checks was inconsistent with the purpose for which the agencies collect or publicize the personal data.
Privacy Commissioner Allan Chiang noted that since not all rulings of court proceedings are publicly available, disclosure of just the court listings could be considered an inaccurate record of the persons involved. Aggregation of fragmented data also increased the severity of the intrusion.
The app was still available from Google Play as of Tuesday, but its database has been inaccessible since Aug 7 in compliance with a PCPD enforcement notice. The probe continues to investigate whether the corporate deals are in breach of the laws.