76 per cent android apps access location, only 46 per cent tell you

Arha Surve, 7, say his parents Himshree and Amit, uses apps for two hours daily for math, letter writing, learning languages and playing. Pic/Nimesh Dave

Arha Surve is a vivacious seven-year-old whose tablet is loaded with educational apps that help him with Maths, letter writing, languages, musical instruments, plus all the games expected to engage a child obsessed with creating the world's longest, most complicated marble run. While his parents, Himshree and Amit, ensure screen time is limited to two hours during school term, three hours are allowed during vacation.

Like most parents, what they don't know is that most apps have in-built components that siphon data that determines user habits and behavioural traits to manufacturers. Most apps access your camera and location too. Yes, even children's apps. The data - often unencrypted - is traded, legally, in an ecosystem that's worth $300 billion.

Seven-year-old Arha Surve regularly accesses a host of apps on his tablet for a variety of purposes. Crores of children like him in India could unwittingly end up as targets of violation of privacy, due to the permissions accessed by the apps. These include access to their camera, mic and location. Pic/Nimesh Dave

Internationally, there are laws coming into motion to stop collection and use of children's data. But right now, as cyber-experts love to put it, your phone is a massive tracking device. It just happens to also make calls from time to time.

Earlier this year, Arrka, a start-up that empowers organisations to better safeguard their privacy, released its Data Privacy Report for 2022. As research, it studied apps and websites of 189 organisations, including 100 Indian firms across 25 industry sectors. A section of this report, focused on 30 children apps, has revealed some worrying facts - 67 per cent of Android apps and 50 per cent of iOS apps access at least one permission that comes under the ‘Dangerous' category. This includes the camera, microphone, contact list, location, files in the storage space and details of the device.

Amit Surve and Himshree

Arha's parents say that they take all precautions possible, like using a dedicated email ID that verifies his age and restricts access to inappropriate content, linking his device via Google Family Link to monitor screen time and keeping a close eye on the apps he downloads. Arrka's study, nevertheless, has given them food for thought.

"I didn't give much thought to privacy concerns before," says Himshree, "but I am now more aware of potential security threats. As a working parent, these gadgets help me buy an hour or two for myself. My child's safety is top priority but I can only do so much. Some issues should be dealt with at the policy level as well."
The overall results of the study are no better. Out of the 189 apps that Arrka analysed, 76 per cent Android apps access the user's exact location, 76 per cent access the camera and 57 per cent access the microphone. For iOS, these statistics stood at 59 per cent apps for location even when the app was not in use, 81 per cent for camera and 54 per cent for microphone.

Kayzad Vanskuiwalla

And that's not the only stuff of nightmares: Apart from accessing permissions that fall in the Dangerous category, they also install trackers - tiny files silently deposited into the device that track what you do online.

"This data is typically used to primarily build a detailed behavioural profile of the user," says Shivangi Nadkarni, co-founder and CEO of Arrka. "It's built over time with data collated over years across multiple apps, devices, channels and sources, which is continually enriched and enhanced. These profiles include how you typically spend your day, who the other members in your family are, whom do you hang out with, all you do online, and so on. Sophisticated algorithms figure you out in depth and even predict future behaviour. This data is then traded between various entities. There is a vast adtech ecosystem out there - a $300 billion plus industry that's rapidly growing."

To make matters worse, this is completely legal. Currently, India has no privacy law to curb this practice. There are rules under the Information Technology Act that only cover very sensitive data, but the rest of the data, including what is covered in Arrka's study, is free for all.

"One of the great moves that the Indian legislation has made concerning privacy," says Kayzad Vanskuiwalla, Director of Cyber Threat Detection and Analytics, Securonix, "is ruling that all sensitive personal data must be kept within India and can't be transferred outside. However, government and other regulatory bodies should be set up to define how this data is stored, accessed and what is the stringent action that will be taken if any company goes against these policies. The EU's General Data Protection Regulation (GDPR) keeps large corporations such as Google, Facebook and Apple in check with regard to privacy laws. Many of these practices can be adopted in India as well."

Nadkarni says that while there is no one-shot solution to safeguard privacy of Indian users, the draft Data Privacy Bill, expected to be discussed in Parliament during the monsoon session, would go a long way in this regard.

"To give you perspective," she says, "the Bill explicitly prohibits behavioural profiling of children or serving them ads. This is a trend worldwide, where countries are clamping down hard on the collection and use of children's data to ensure they remain protected."

Even on the transparency front, Indian firms were found to rate a dismal 30 out of 100 on readability, which is half the acceptable score as per international standards. Further, Arrka found a huge discrepancy in what the apps declare that they access in their privacy policy, and what they actually do. For example, 76 per cent Android apps access the user's location, but only 46 per cent of them declare it. The same discrepancy was observed for categories such as camera, microphone, contacts, photos and text messages.

Internationally, too, the issue of data privacy has been a growing concern, with cyber security experts and agencies repeatedly highlighting the fact that apps are accessing permissions that they have no business to in the first place.

In 2019, Russian cybersecurity solutions and services provider, Kaspersky, published a report of its findings on apps and permissions. It cited an example of a selfie camera app, with five million downloads from Google Play. Kaspersky found that the app uses four ad trackers and demands not just access to the user's camera, but also their device location, which is not strictly necessary for it to operate, as well as phone and call data, which was "anything but necessary for this kind of app".

Further analysis of the same app, found that it doesn't just get access to the phone or tablet location, but also sends this information, along with the IMEI, MAC address (a unique code that can be used to identify your device on the Internet or local networks) and Android ID to a Chinese IP address, all without encryption. "Forget about good intentions, there's no good reason," Kaspersky's Sergey Golubev wrote on a blog.

Android Apps
76 per cent
Access location
76 per cent
Access camera
57 per cent
Access microphone

iOS Apps
59 per cent
Access location
81 per cent
Access camera
54 per cent
Access microphone

(Out of the 189 apps that Arrka analysed for its Data Privacy Report 2022)