How Mobile Phones Became a Privacy Battleground—and How to Protect Yourself

In the 15 years since the iPhone’s debut, the world of data privacy has changed significantly. Since 2007, app-privacy controversies—ranging from the social network Path downloading the contents of people’s address books to every weather app under the sun selling location data—have snowballed, leading to concerns both legitimate and misinformed, as well as the inability of many phone owners to determine which threats are real. But digging through history to understand where the privacy controls of iOS and Android began, and how both mobile operating systems have shifted to give people more control, can give you a better idea of what the true threats are right now.

“I think the transition to mobile devices brought a sea change in data collection, because unlike traditional ad tech, which was mainly focused on what we were searching for, now companies could also focus increasingly on where we were,” Albert Fox Cahn, executive director of Surveillance Technology Oversight Project, told us. “Today the ad tech world would have been unrecognizable from back when the iPhone was first introduced.”

In the absence of a federal privacy law, most ad-tech companies and data brokers are unregulated and opaque in their operation, which makes it nearly impossible for phone owners to track where their data goes or how it gets used, let alone prevent that data from being shared in the first place. It also means that the industry has no standards to follow, so it’s difficult for everyone to figure out what is and isn’t possible on any given device.

What phone owners have instead are sometimes-complicated menus full of permissions that are buried deep within an operating system and rarely set up by default with their privacy in mind.

Where your data goes (and who can see it)

With mobile apps, advertising tends to work like this: An app developer includes a bit of code from a software development kit (SDK), made by an advertising network you’ve likely never heard of, that can gather all sorts of information, such as your location and app-usage data.[1]

Unless you read the details of a privacy policy or bother to scroll through the pages of a terms-of-service statement, you get neither an indication that this data gathering is happening nor details as to what data is being sent to third parties, but that transmitted data contributes to a profile of you that advertisers then use to target ads. These ad companies want as many apps as possible to include their SDK so that they can collect more data to build better profiles.

Whitney Merrill, a privacy attorney and data-protection officer, told us that what scares her most “are the SDKs and random packages that people are throwing in that still collect data in ways that weren’t anticipated.” Merrill described a hypothetical—though not unlikely—scenario in which an app developer monetizes its app by putting in a bunch of different advertising SDKs to leverage as many networks as possible. But because the developer hasn’t investigated the privacy practices of those ad networks, those SDKs could take all the data that passes through them when you use the app, package that data up, and then sell it; these entities could continue to pass your data along, combining it with data from other companies until it forms a clear picture of your behavior. This data can be bought and sold for advertising purposes, or purchased by agencies of the US government.

Although it’s easy to fixate on the creepiness of the ad industry, it’s also useful to remember that there are potentially greater risks to your data and privacy depending on who can see your data. Determining who those parties are, unfortunately, isn’t straightforward. Anyone who works at the company that makes an app, any of the third parties an app sends data to, or even employees at the company hosting the server that stores the data can possibly access some or all of the data you give them.

While this type of data access is outlined in complicated privacy legalese, “oftentimes the most important thing isn’t in the privacy policy, but in how the data is stored,” Albert Fox Cahn told us. The only situation in which this outside access to data is impossible is when the app correctly implements end-to-end encryption. With end-to-end encryption, you are the only one who holds the encryption keys to turn your data from a jumbled mess into something readable, even if that data is stored on company servers. This type of encryption is a feature in a number of messaging apps, most notably Signal.

Very little of what people do online is encrypted this way. This means that the company hosting the data can access anyone’s activity in some fashion, even if the data is encrypted on the servers, because in that case the company, not you, holds the keys. This is how a company can decrypt data to respond to government requests.
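To make the difference concrete, here is an added example (not code from the article, and not how Signal or any particular app actually works) that models the two storage arrangements just described. In the first, the host encrypts your data at rest but generates and keeps the key, so it can decrypt on request; in the second, the key is generated on the phone and the server only ever sees ciphertext. The cipher is a deliberately simple, standard-library-only keystream construction (SHA-256 over key, nonce and a counter, XORed into the data) chosen so the script runs offline; it illustrates key custody, not a recommended encryption scheme. The `Server`, `encrypt`, `decrypt` and flow functions are all assumed names for this illustration, and the sample message is constructed.

```python
"""Added illustration of server-held keys versus end-to-end encryption.

The cipher here is an illustrative SHA-256 keystream, NOT a vetted
construction; the point is who holds the key, not the cipher itself.
"""
import hashlib
import os

NONCE_LEN = 16
BLOCK_LEN = 32  # one SHA-256 digest per keystream block


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || counter) keystream blocks.

    Symmetric: applying it twice with the same key and nonce restores data.
    """
    out = bytearray()
    for block_no in range((len(data) + BLOCK_LEN - 1) // BLOCK_LEN):
        block = hashlib.sha256(
            key + nonce + block_no.to_bytes(4, "big")
        ).digest()
        chunk = data[block_no * BLOCK_LEN:(block_no + 1) * BLOCK_LEN]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message, prepended to the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return keystream_xor(key, nonce, ciphertext)


class Server:
    """The hosting company's storage (hypothetical, for illustration).

    `stored` holds ciphertext for every user. `managed_keys` is populated
    only in the server-side-encryption model; in the end-to-end model the
    server never learns a key.
    """

    def __init__(self) -> None:
        self.stored: dict[str, bytes] = {}
        self.managed_keys: dict[str, bytes] = {}

    def store(self, user: str, blob: bytes) -> None:
        self.stored[user] = blob

    def respond_to_request(self, user: str) -> tuple[str, bytes]:
        """What the host is technically able to hand over for `user`."""
        blob = self.stored[user]
        key = self.managed_keys.get(user)
        if key is None:
            return ("ciphertext_only", blob)
        return ("plaintext", decrypt(key, blob))


def server_side_encryption_flow(server: Server, user: str, message: bytes) -> None:
    """Model 1: 'encrypted on the servers'. The host makes and keeps the key."""
    key = os.urandom(32)
    server.managed_keys[user] = key
    server.store(user, encrypt(key, message))


def end_to_end_flow(server: Server, user: str, message: bytes) -> bytes:
    """Model 2: end-to-end. The key is created on the phone and stays there."""
    device_key = os.urandom(32)
    server.store(user, encrypt(device_key, message))
    return device_key  # returned only so the caller (the device) keeps it


def demo() -> dict:
    message = b"constructed sample message: running late, see you at 3"
    hosted = Server()
    server_side_encryption_flow(hosted, "alice", message)
    kind_hosted, data_hosted = hosted.respond_to_request("alice")

    e2e = Server()
    device_key = end_to_end_flow(e2e, "bob", message)
    kind_e2e, data_e2e = e2e.respond_to_request("bob")

    return {
        "hosted_kind": kind_hosted,            # "plaintext"
        "hosted_readable": data_hosted == message,
        "e2e_kind": kind_e2e,                  # "ciphertext_only"
        "e2e_readable": data_e2e == message,   # False: server can't read it
        "device_can_read": decrypt(device_key, data_e2e) == message,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the host in model 1 answers a request with readable text, while the host in model 2 can only produce bytes that nothing but the device key turns back into the message. That is the whole practical distinction the quote above draws between what a privacy policy says and how the data is actually stored.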

A brief history of mobile-app privacy, told through permissions

In 2007, the era of the modern smartphone began with the original Apple iPhone. When the iPhone launched, an app could access just about any data on your phone without notifying you, including your location and a list of other installed apps. That shifted with the introduction of permission prompts, and those permissions expanded alongside concern among phone owners, often due to alerts from researchers and other reports of privacy violations. While we were doing our research for this article, sifting through 15 years’ worth of news stories regarding smartphones and privacy, we noticed a trend: A privacy-related controversy would erupt, followed by some sort of system-level fix on both iOS and Android.

It turns out that a broad overview of the history of mobile operating systems makes it easier to understand the current data economy. So let’s take an abridged look at some of the watershed moments of the past 15 years.

2007–2010

Smartphones’ first few years were relatively free of privacy controversies, but that’s partially because people didn’t know to look for them yet.

For instance, at launch, advertisers used your phone’s permanent device identifier, basically your phone’s equivalent to a Social Security number, to track you for advertising, a practice that wouldn’t change for another five years. “Previously it was a wild west,” said Will Strafach, founder of the Guardian firewall and VPN app. “In a sense, it’s what started this advertising and analytics bubble. Where there was a lot of unchecked ability without any user permission.”

2010–2014

The first “Oh no, what have we done?” moments cropped up as the privacy implications of having a tiny always-on computer that traveled everywhere with a person began to take shape in the early 2010s. During those years, media scrutiny of apps increased while one of the first major app-privacy controversies emerged, leading to changes at the system level to try to rein in third parties’ access to data.

  • 2010: iOS 4 adds an app-specific permission for location data.[2] It also includes the launch of iAd, a platform for developers to easily include ads in their apps. One year later, iOS 5 would add the ability to disable location-based iAds.
  • 2010: The Wall Street Journal publishes (subscription required) the first comprehensive “your apps are watching you” style of investigation that we could find, though at least some academic research on the topic was published earlier. At this point, ad tracking still uses the unique ID that Apple or Google assigned to your phone. Variations of this type of article become commonplace over the next decade-plus, but the WSJ investigation seems at least partially responsible for a class-action lawsuit that follows its publication, and it arguably leads to the non-permanent advertising identifiers that phone makers would add later. The investigation also triggers a few additional reports regarding location tracking specifically, including Apple’s letter to the House of Representatives defending this practice, an NPR article detailing location tracking in apps, and one of the first reports detailing how law enforcement uses data collected from iPhones. Congress pushes for both Apple and Google to require apps to have privacy policies.[3]
  • 2012: A researcher finds that Path, a social networking app, is uploading users’ entire address books to its servers. Quickly thereafter, The Verge reveals that Path is not the only app doing this. Path would settle charges with the FTC in 2013, paying a fine of $800,000.
  • 2012: Apple introduces new app-privacy permissions with the launch of iOS 6. Apps now need explicit permission to access contacts, calendars, reminders, and photos, in addition to location.[4] A year later, iOS 7 adds the microphone and camera to that list. Google would implement similar permissions in 2015. iOS 6 also sees the introduction of the Identifier for Advertisers (IDFA), a non-permanent device identifier that replaces the unique ID that apps previously had access to. Along with the new IDFA comes the option to limit ad tracking, which withholds the identifier from advertisers to prevent certain types of ad targeting. Google would mandate the similar Advertising ID (AAID) in 2014, add the ability to reset the advertising ID in Android 10, and further tweak that to completely delete the identifier in Android 12.
  • 2013: The FTC fines the developer of an Android flashlight app that was collecting and sharing location information without notice.
  • 2014: Tucked away among the most egregious privacy violations revealed by Edward Snowden is a curious story about the NSA and popular phone apps and games, including Angry Birds. These “leaky apps” reveal a range of information about the user or player, including their location, demographics, and more.
  • 2014: A number of celebrity iCloud accounts are hacked, and the photos are released online. At least one of the invaders was able to get in by trying different passwords or sending phishing messages. Although Apple does offer two-step verification at this time, it’s confusing to enable, something that the company would clear up with the introduction of system-wide two-factor authentication in iOS 9 and OS X El Capitan in 2016. Google, which has offered two-factor authentication for a long time, would start requiring 2FA in 2021.

2015–2019

We’re inclined to refer to these years as the “It turns out location information is important” period. Several experts we spoke with noted that location data is a troublesome problem to solve, and it’s also especially valuable to advertisers and law enforcement. “It’s all or nothing” with location data, Will Strafach said. “It’s this weird middle ground where Apple can’t do technical enforcement on that without straight up not allowing location access for certain apps.” And anonymizing that data is nearly impossible, as Whitney Merrill noted: “It’s very hard to anonymize location data. You just have to make it less precise.”

  • 2015: iOS 9 blocks the ability for apps to see a list of the other apps that iPhone owners have installed; such data could provide app developers with information about iPhone owners’ dating habits, gender, religious beliefs, political affiliations, and more. Android would do the same in 2021 with Android 11.
  • 2017: Security researcher Will Strafach discovers that the popular weather app AccuWeather is sharing geolocation data on iOS—even when location sharing is disabled—by using a Wi-Fi router’s MAC address. This is a good example of how some apps may try to get around permissions to track you in novel ways. In 2019, Apple would limit the kinds of apps that can see the names of the Wi-Fi networks you connect to; then, in 2020, the company would add a permission to restrict an app’s access to other devices on local networks. Android would gain a similar permission setting in Android 13.
  • 2018: A report shows just how many apps are sending personal data to Facebook through its SDK.
  • 2018: Researchers find that the fitness tracking app Strava could reveal the location of military bases and potentially be used to pinpoint individual people. In the following years, the company would introduce many privacy permissions in its app to better manage what strangers may be able to view, but clever approaches still manage to identify Strava users and their location.
  • 2018: A New York Times report shows just how easy it is to collect location information from cell phone apps and piece it together to track individuals, a topic that The Times would dig into further in 2019.
  • 2019: The Wall Street Journal reports (subscription required) that Flo, a period-tracking app, is sending private customer data to Facebook; the report would lead to a class-action lawsuit, and Flo would eventually reach a settlement with the FTC.

2020–present

Halfway through the second decade of the smartphone era, it’s now a “Privacy is important” period, as most people are starting to pay far more attention to such concerns than they did before. The change is partially due to the flood of news about privacy violations, starting with reports about unprecedented government access to personal data and moving on to the weaponization of data against individuals.

  • 2020: A Wall Street Journal article (subscription required) sheds light on US government purchases of location data collected from apps for use in Department of Homeland Security immigration enforcement; a later investigation by the American Civil Liberties Union would detail the massive scope of this collection. It’s quickly revealed that other agencies are engaging in similar practices, including the Internal Revenue Service (as reported in The Wall Street Journal), the Drug Enforcement Administration, the Centers for Disease Control and Prevention, and the Defense Intelligence Agency. In addition, Vice reports that the US military is purchasing data from a Muslim-prayer app.
  • 2020: Android 11 adds one-time permissions, mic and camera indicators, and, most notably, an auto-reset feature that revokes permissions for apps you haven’t opened in a while. iOS doesn’t offer a similar feature.
  • 2020 and 2021: Apple launches privacy labels and the App Tracking Transparency feature, which shifts to an opt-in model for advertising tracking. These changes seem to have an impact on the ad-tracking industry, and Facebook predicts a $10 billion hit to its 2022 earnings.
  • 2021: A Catholic news outlet obtains location data from the queer-dating app Grindr and uses it to out a priest, forcing him to resign. This is one of the clearest examples we can find of the weaponization of data against a specific person.
  • 2022: Google launches its own privacy labels for Google Play, as well as the ability to block some ad tracking on Android.
  • 2022: The United States Supreme Court overturns Roe v. Wade, the 1973 decision that previously guaranteed a constitutional right to abortion access; a call on social media to “delete your period-tracking app” quickly follows. Although there is genuine concern surrounding the privacy practices of some of these apps, another major worry mirrors that affecting other apps: They could collect and sell personally identifying location information (including visits to abortion clinics, as The Wall Street Journal reports).

Of course, the past 15 years haven’t been filled with mobile-app controversies exclusively. This decade and a half has seen Facebook gobbling up WhatsApp and Instagram, Google buying Waze, YouTube, and dozens of ad-tech companies, and countless stories of big-tech companies sidestepping privacy rules, cellular carriers repeatedly sharing customer data, and military spyware being installed on thousands of phones. And that’s not even touching on other impactful privacy violations such as the Facebook and Cambridge Analytica scandal or the simple fact that every company appears to be an ad company now.

It’s all, well, a lot.

How to improve your mobile privacy

It’s impossible to completely prevent tracking and sharing of your data, and even failed attempts to do so can make using the internet on your phone a terrible experience. In some ways, just being aware of where your data can end up, as described above, is a good first step. But you can do a few things to minimize data collection on your phone while mostly maintaining the major benefits of the technology itself:

  • Disable personalized ad tracking on your phone: Both iOS and Android offer methods to opt out of personalized ads. Doing so removes the simple-to-track device identifier and thus makes tracking you more difficult for apps and, more important, for the brokers that buy your personal data from app makers. You can disable personalized ads by following these iOS instructions or Android instructions.
  • Consider the apps you download: Before downloading any app, ask yourself whether you actually need it. If it merely gives you access to a service that you can use through a web browser instead, going with the browser is a better idea. Also, take a tour of your phone’s built-in tools—you probably don’t need to download an ad-filled flashlight app, a QR code reader, or a measuring app if your phone already has one.
  • Pay attention to permissions: When you do install an app, note which permissions the app requests. Deny anything that seems strange, such as an app that lacks GPS features but asks for your location. You can always enable these permissions later if you wind up needing them. You can check permissions by following these iOS instructions or Android instructions.
  • Limit what apps can do in the background: Apps can download and transfer information even when you don’t have them open. For example, weather apps update to show the new temperature and to reflect potential changes to weather conditions throughout the day. Not every app needs such access, though, and it can lead to some types of passive tracking. You can disable background activity on any app where it doesn’t seem necessary; for details, see these directions for doing so on iOS. On Android, you can disable this access only on a system level, which you may find too restrictive, but here are directions.
  • Note when services require logins and look for other options: When you first open an app, some companies love to toss login screens in front of you with a teeny, tiny, nearly invisible X in the corner to decline. If an app seems to require a login but doesn’t provide a useful benefit for doing so—such as syncing your settings between devices or to a website—test the app to see if you can use it without creating an account. An email address can be a valuable supplement for entities to build a profile about you, even if you’ve disabled your device’s ad identifier.
  • Poke around for privacy-focused in-app settings toggles: Find the “Settings” or “Options” section in the app and see if it offers any additional privacy settings, such as opting out of data sharing with third parties.
  • Delete apps you don’t use: Just about everyone has downloaded an app for a single purpose and then immediately forgotten about it. Every once in a while, scroll through your list of apps and delete anything you no longer use or need.

Of course, mobile apps aren’t the only source of privacy problems. Any web browsing you do on your computer might be logged and linked to you (and linked to your mobile web browsing, for that matter), and although in comparison desktop computers tend to have more privacy-protection options, they’re rarely set as the default. We have some suggestions for browser extensions that can help.

And the concern is not limited to traditional computers and smartphones anymore. Smart TVs, smart speakers, and plenty of connected devices collect and share all sorts of data about their owners. In those cases, you’re best off spending a few minutes poking through the various settings to disable any sharing you can.

In the 15 years since the launch of the major mobile operating systems, phone owners have clearly gotten more control over what data their apps can access. Phone owners can block certain obvious red flags like microphone or video access, control what photos an app might access, and disable system-level features, such as Bluetooth connectivity, per app. But there are still hurdles to overcome. Location information is nearly impossible to anonymize and control (there’s no way to guarantee that an app will use your location for its services but not sell that data, for example), and companies can use seemingly innocuous data, such as battery level and screen brightness, to create a device “fingerprint” for tracking. Moving forward, that familiar pattern—privacy and security experts find a flaw, Apple and Google fix it—is likely to continue. History has shown that they can be pressured into addressing flaws, and as they do, you’ll probably have to dig around in exciting new settings on a regular basis.

This article was edited by Arthur Gies and Jason Chen.

Footnotes

1. SDKs aren’t inherently bad, nor are they exclusively used for advertising. Instead, they’re small bits of code that make developing common tools in apps faster and easier. Advertising is just one of those possible components.

2. Both iOS and Android would go on to iterate on location-data access several times, more than on any other permission. iOS 8 (2014) and Android 10 (2019) added the prompt to restrict location access to when the phone owner is using the app. iOS 13 (2019) and Android 10 added the ability to allow it only one time. And iOS 14 (2020) and Android 12 (2021) added the ability to choose between providing an approximate or precise location.

3. This wouldn’t be a requirement until 2018 for Apple and 2022 for Google.

4. As of iOS 16, there are 17 permissions in this section; Android has 13.