In Depth: What do your apps want to know about you?

Spotify, Uber and Snapchat

We all like to pretend that we take legal matters seriously, but the reality is that few of us do. Case in point: have you ever actually trawled through all the terms and conditions on any app?

Our apps are watching us, often keeping track of what we do. So without reading thousands of pages of legal mumbo-jumbo, how can you know what data you’re signing away and how it will be used?

We were wondering, too, which is why we’ve been back to look at the data collection policies of some major apps. Here’s what they really want to know about us.


Spotify is watching you walk

According to Section 1 of Spotify’s Privacy Policy, the streaming service (which counts over 75 million users) will record your “interactions with the Service” – that is, what music you listen to.

No surprises there, although it will also save your interactions with third party services and adverts linked through the service. So if you click on an advert in the app, don’t be surprised if you start seeing ads for more of the same sort of thing.

It will also record what search queries you make (Section 3.2). So sorry, yes, there is a log of all of those furtive searches for Nickelback that you were too scared to hit play on. It will also grab what it calls “technical data” – such as cookie data, your IP, details on the device you’re listening on and so on.

Perhaps most intriguingly, Section 3.2 also says that Spotify will also collect your motion data from the accelerometer and gyroscope. Why does Spotify want this? Is it secretly tracking our movements? Thankfully the answer is much more benign: It is tracking our movements, but only to enable the app’s Running feature, which varies the tempo of your music depending on your pace.

What’s interesting though is that a few months ago, Spotify caused a huge controversy when it updated its privacy policy to include permission to access your contacts, photos, location, microphone and social networks.

It now appears that this was a case of the company future proofing its policy – doing the legal work now just in case it wanted to incorporate photo upload (for some reason) in the future. Unfortunately for the company, the change spiraled into a slightly hyperbolic PR nightmare.

In any case, the company has since argued that if its apps ever did want access to any of these features on your phone, you would have to grant permission manually when the feature was implemented. For example, in iOS and Android, if an app wants to access your photos, a box will pop up asking you to explicitly grant permission. So you’re still in control.

And finally, there’s a section (5.2) in there about how Spotify might share your data with different partners. Aside from the “boilerplate” stuff (court orders, in the event of a sale or merger, etc), it also notes that your data could be shared in a “de-identified” format (pseudoymized) with academic researchers.

Perhaps most surprisingly, if you signed up to Spotify through a special offer with a network or ISP (such as Vodafone), Spotify reserves the right to share data on your Spotify usage with them too (Section 5.2.4).

Conclusion: Only a problem if you’re worried about your carrier realizing just how much of their bandwidth you’re using listening to Bieber.


Uber wants to know your call and text data

Taxi app Uber is almost constantly in the headlines in London for its battle with the capitals’ venerable black cabbies. But should we worry about the data it is collecting about us as well as its impact on the regulated private hire market? The company has published a very detailed privacy policy, so let’s have a look.

In essence, like most of the services in this investigation, there’s a lot of stuff that has become standard. Uber says that it will collect data on your location, your transactions with the service, the device you’re using and the “log information” about your device, web browser and so on.

The key thing to remember with Uber is that there is a difference in the information stored and shared between what Uber, the corporation, gets to see, and what data about you it shares with its drivers, which the company technically sees as private contractors and not employees.

In terms of the former, there have previously been allegations made about a supposed “God view,” which is a map view available to people in the company to view all of the Uber vehicles currently on the road (imagine something like the multiplayer map in Grand Theft Auto Online, perhaps).

Arguably, this is necessary for the company to be able to monitor its operations and ensure its services operate smoothly, but there have also been allegations that such maps have been projected on to the wall as decoration in Uber-hosted parties.

So, what exactly does Uber get?

The only two points that might surprise are your contact information – which Uber says (if you choose to grant it) will be used to “facilitate social interactions”. In other words, if you choose to split the fare on a ride, it will let help you choose your contacts. It will also collect your call and SMS data – though this is presumably in reference to communications between you and its drivers, so it can see communications between the two of you.

One other piece of data collection which might not be too well known is that not only do you get to rate drivers when you catch a lift, but they get to rate you too. Seriously. So Uber have recorded internal ratings for you as a passenger – and obviously store this data to share with other drivers when you request a lift. You can actually request to see your own rating by contacting Uber support.

In terms of sharing with third parties, Uber’s policies are similar to Spotify with the company reserving the right to share data with advertisers. It’s Cookie Policy specifically mentions the use of “pixel tags” – these are when a company deliberately embeds a tiny image that enables you to be tracked without needing to be logged in.

When your computer downloads the tiny image it sends to the server information about your browser, device, screen resolution and IP address and so on (the “log” information), which can then be used to see how often you visit a website or app and track your movements. Don’t be too worried though, as this is fairly common practice – and one carried out by most of the companies in this piece.

More broadly, Uber has previously got into some hot water about accessing user data after one executive made comments that some people have claimed suggest he might be willing to access the private ride data of a journalist to investigate her private life. Since, Uber has apologized for the comments and has denied that it reflects “company policies or practices”. In any case, as a tech journalist writing this can I just say that I think Uber is the best company in the world.

Conclusion: Though Uber’s arrangements with its drivers are controversial in other respects, perhaps it does guarantee a legal separation that means the person driving you won’t know that much about you.


Snapchat has a memory

Once you’ve sent a Snapchat and it’s been viewed, it’s gone forever, right? Maybe, but it doesn’t mean that Snapchat head office won’t still hold quite a few details relating to it and you.

The company explains that it collects usage information – including data as detailed as which lenses you apply to pictures, as well as metadata surround each message like the day and time. It also collects information on how often you speak to people and when you open messages.

Like everything else, it will also take data on your device itself, including its unique identification number, as well as your browser type, which Wi-Fi network you’re connected to, and the aforementioned “log” information such as your IP address.

Perhaps most curiously – and something that has caused controversy – is the claim that the app will log “pages you visited before navigating to our services.” This sounds scary – after all, what could Snapchat have seen you looking at?

This is probably a reference to what web developers call “referrers.” Whenever you click a link on a normal webpage, the page that you go to will be able to see the page you were on previous. This has been the done thing since the inception of the web and has been incorporated into app design too. So if you follow a “share on Snapchat” link from a webpage, Snapchat will know which webpage you’ve come from.

But – and this is the big but – if your entry into Snapchat isn’t via a referral, the app will still have a record of your browsing history. So just make sure you close anything you don’t want anyone knowing about before checking your Snapchats.

And finally, in terms of the service’s signature message deletion, the privacy policy notes that messages are normally deleted from Snapchat’s servers within 24 hours (so you can use features like Replay), but this can be suspended by requests from law enforcement. So if you’re planning your next heist and don’t want to get caught – don’t do it via Snapchat.

Conclusion: No need to worry about Snapchat staffers seeing your “private” photos, but they’ll probably know when you sent them.

Tinder, Belkin Wemo, Facebook and Google

Surely there would be an interesting data collection policy here given Tinder is dating app? Is Tinder figuring out what sort of people you like? If you’re always swiping right on people with glasses or older people the app could do something clever with that information, right?

READ  In Depth: Google IO 2016: dates and keynote predictions

The privacy policy doesn’t reveal anything too juicy – but what is interesting is that like most (if not all) of the other companies listed here, Tinder says it reserves the right to collect data on you from other sources.


Tinder wonders if you’ve been using other dating sites

In this case, Tinder is owned by The Match Group which amazingly also owns many of the other big dating websites including and OKCupid. So if you sign up to multiple sites, Tinder might compile your data together – if not to get you better matches, but to paint a better picture of you to advertisers, no doubt.

Perhaps most interestingly the policy also mentions that Tinder will take a look at your public Facebook profile, if you sign up for Tinder using a Facebook login. The policy says:

“If you do so, you authorize us to access certain Facebook account information, such as your public Facebook profile (consistent with your privacy settings in Facebook), your email address, interests, likes, gender, birthday, education history, relationship interests, current city, photos, personal description, friend list, and information about and photos of your Facebook friends who might be common Facebook friends with other Tinder users.”

Whether Tinder actually acts on this data is unclear – but the policy certainly reserves the right to collect it. Given that the object of dating website is to match you with like-minded people, it doesn’t take too much of a stretch of the imagination to think how Tinder could improve its matching by comparing likes, background and other data about you.

However, according to most educated guesses, there’s no evidence that your data is used in this way – so our guess is that it is the company granting itself permission to access this data just in case it wants to change things in the future.

Conclusion: If you use multiple dating websites don’t be surprised if you start seeing some really specific adverts.


Belkin Wemo wants to know if your lights are switched on

Wemo is less well known, but could be indicative of an aspect of privacy that will become increasingly important in the not too distant future: the Internet of Things (IoT). Wemo is Belkin’s brand for its connected devices – which covers everything from lightbulbs to plug sockets, to security cameras and other sensors, all of which can be controlled via the Wemo app.

In its privacy policy, it outlines the usual stuff, but also adds that the state of your connected devices could be collected by Belkin. In other words, under the policy Belkin could conceivably see when your lights are switched on, and even when motion has been detected in your house and so on.

In reality the explanation is far from sinister. In fact, it is pretty much intrinsic to how the product works: if you’re going to control these devices (both locally and remotely) via an app, they need to send their data to a central server so the app knows how to handle them.

What this does highlight is that as IoT devices become more commonplace, we’re going to have to get used to sharing ever more granular details about our lives. If your IoT devices detect heat presence but darkness in the room, don’t be surprised if you start seeing adverts on the web reminding you to buy a new lightbulb.

Conclusion: If your house is wired up to the IoT, HAL9000 is already in charge, but to be fair he seems to be doing a rather good job.


Twitter hides in plain sight

Like everyone else, Twitter collects “log data”, as well as data from widgets embedded in third party websites. So, for example, if you read a film review that has a Twitter button embedded into it, don’t be surprised if you start seeing adverts on Twitter for that film (many other services, including Facebook, do the same thing).

What is interesting to note privacy-wise (and which you might already know) is just how much information you give to Twitter is public but sort-of hidden in plain sight. For example, you might not have fully realised that the list of people that you follow, and who follows you is public. Perhaps more importantly anything you favourite/heart is also public – and this has caught people, including some politicians, out before.

Twitter also logs your location if you grant it access on your device. This means that theoretically your tweets can be geolocated – which might be useful, but also reveal where you are if you don’t want to be found.

Conclusion: Everything sensitive is probably already public anyway.


Facebook can use your data in academic studies

Given that Facebook accounts for a large proportion of our lives, there’s no doubt that Facebook knows a lot about us. Which is probably why its policy is fairly exhaustive. In among all of the now normal stuff that we expect a service like it to collect, it also notes that it will collect your battery and signal strength. This is presumably so that developers can analyse app processing to check that your battery isn’t draining, and also to enable the feature that lets you post offline.

The policy also notes that, like Spotify, your data may be used in academic research. Given the wealth of data, and the fact it could conceivably be segmented by location and demographics and so on, it’s no wonder that scientists are keen to interrogate it.

It has already led to some fascinating results – including this paper on the extent to which people with similar political views either stick together or interact with people they disagree with.

Needless to say, Facebook’s use of our data hasn’t been uncontroversial. In the past Facebook received criticism for not letting users delete data – and even retaining data once accounts were removed. More recently, the company has come under fire for expanding its search capabilities to mine previously unsearchable data.

Conclusion: We already know that Facebook knows everything. Just make sure your privacy settings are set so you only share with the people you want to share with.



And now the big one: Google. Perhaps it is easier just to assume that Google remembers everything given the company’s endless appetite for information.

The company’s privacy policy then, is surprisingly brief, and talks about how it collects similar information to the other companies in this feature. This includes your “log” information – like your IP address and device information, as well as “unique” application numbers to identify your device. It also uses the aforementioned pixel tags. So far, so standard.

But interestingly it also notes something that you might not realise is being shared with Google: the times and dates of your calls on your (presumably Android) device, how long they lasted and the “SMS routing” data.

Google also notes that it will log your location information. If you have an Android phone Google will quietly collect data on everywhere you go – and recently even launched a feature that would enable you to retrace your steps. The good news is that if you don’t want to be tracked you can switch off location history in settings on your Android device, and delete your existing location history on the Google Location History section of Google Maps.

The policy also says that it will capture data using “other sensors” – including nearby Wi-Fi hotspots. This is something that has caused controversy before when Google tried hoovering Wi-Fi networks up with its Street View cars. The idea behind it is that by measuring which networks are available and the strength of the signal, Wi-Fi networks can be used to geolocate users without GPS – so it will both work indoors, and drain less battery. You don’t even have to connect to Wi-Fi for Google to get the data, including each router’s unique MAC address.

In terms of how Google uses your data, it’s exactly as you’s expect: to serve you ads. Interestingly the policy does say that tailored adverts will not be driven by any data Google can deduce about you from “sensitive categories” – which it describes as health, sexuality, race and religion.

What is quite nice about Google’s approach – and perhaps we should expect it given the vastness of Google’s operation – is that the company provides a whole suite of tools to manage the data that Google contains, so you can download everything or tell Google what specifically to delete.

Conclusion: Google knows everything and in exchange allows the internet as we know it to exist. Whether this will be a fair trade in the long run remains to be seen, but for the time being it is working out quite well.

What have we learned?

Most of the policies are actually rather similar – with all of the apps tending to collect more rather than less data. This is probably for fairly obvious legal reasons: you can sue them if they collect something they haven’t warned you about, yet you’re not going to be very upset if it turns out that the companies aren’t spying on you.

But it is perhaps worth taking a step back and considering just how much data about ourselves and our activities we now routinely share, every minute of every day. The amount of detail these companies – especially the big ones like Facebook and Google – hold about us could conceivably be quite dangerous.

If we want to continue to live in a society that respects the privacy of individuals, we need to become more diligent – and take more of an interest in how much these companies know.

There are no comments yet

× You need to log in to enter the discussion