Sunday, 28 April 2019

What good is a Privacy Policy?

A friend recently pointed out the existence of an Israeli app called Shiri (שירי), which allows its users to freely listen to a large collection of Israeli songs. Generally speaking, I hesitate to install new apps on my phone on account of the regular abuse of my privacy and security performed by most apps (a phenomenon I had already discussed here). However, out of curiosity, I decided to give this particular app a proper examination.

First, I went to the app's iTunes page in order to check its website out. It is there that I found Shiri's privacy policy, which - to my eyes - seemed quite impressive. Under the assumption of fair use (which I believe I have on my side here, as I am about to critically assess this policy), I will quote some of its more appealing aspects:
"The National Library collects only personal information provided by you, willingly [emphasis by yours truly], with active and informed consent granted during your user registration process and\or during your request of services and\or..."
"The National Library will not transfer your personal information to third parties unless (a) it is required to do so by law, and\or (b) it was required to submit information to an authorized authority according to that authority's request, and\or (c) it was necessary for the provision of the requested services and you approved the transfer of the information to that third party."
Given such a lovely privacy policy, I went out and installed the free app. However, before starting the app for the first time I set up a proxy service in order to capture all the online activities performed by the app.
The next thing I did was start the app. I will emphasise here that I only started the app, did not press anything, and got only as far as its welcome page. However, by then my proxy service already showed the following online connections were made by the Shiri app:



Three usual suspects are immediately noticeable: Google, Facebook, and Apple. Apple can be excused by the fact it is the phone's operating system itself that contacts Apple every time an app is started in order to support Apple's app usage statistics. However, there is no excuse for Facebook or Google to be there. Not when the above-quoted privacy policy says that no personal information of mine will be transferred to third parties (which is exactly what Google and Facebook are, in this particular case).
Even if Facebook and Google were included because "it was necessary for the provision of the requested services", I do not recall having "approved the transfer of the information to that third party"; all I did was start the app for the very first time. It cannot be said that I had willingly provided my consent for my information to be collected!
Further, Google and Facebook were not the only trackers to join the Shiri party; they are just the most famous. As you can see in the above screenshot, we also had app-measurement.com, appsflyer, hockeyapp, and crashlytics. Now, it may be argued that these are not your average data harvesting services out there to suck as much information about you (the way Google and Facebook act), but rather services that are there to help the app developer ensure they are providing good service. However, these are still third parties, they are still collecting my information, and I still haven't provided any consent for them to do that. More importantly, in the context of this post, they were never supposed to exist in the first place given Shiri's privacy policy!
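
The check described above can be run over a proxy capture mechanically. The following is an added example, not part of the original post or of the app: it flags every third-party or unrecognised host contacted before consent. The log format, the hostnames, the domain suffixes and the first-party domain `shiri.example` are assumptions made for illustration; only the tracker names come from the post.

```python
from datetime import datetime

# Domain suffixes per party. Tracker names are those the post lists; the exact
# suffixes and the first-party domain are assumptions for this example.
FIRST_PARTY = ("shiri.example",)   # hypothetical app backend
PLATFORM = ("apple.com",)          # OS vendor, excused in the post
TRACKERS = {
    "Google": ("google.com", "googleapis.com"),
    "Facebook": ("facebook.com",),
    "app-measurement.com": ("app-measurement.com",),
    "appsflyer": ("appsflyer.com",),
    "hockeyapp": ("hockeyapp.net",),
    "crashlytics": ("crashlytics.com",),
}

def matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify(host):
    if matches(host, FIRST_PARTY):
        return "first-party"
    if matches(host, PLATFORM):
        return "platform"
    for name, suffixes in TRACKERS.items():
        if matches(host, suffixes):
            return "third-party:" + name
    return "unknown"  # not on any list: needs manual review

def audit(log_lines, consent_at=None):
    """Return sorted (host, label) pairs for third-party or unknown hosts
    contacted before consent_at (None means consent was never given)."""
    findings = set()
    for line in log_lines:
        stamp, host = line.split()
        label = classify(host)
        if label in ("first-party", "platform"):
            continue
        if consent_at is None or datetime.fromisoformat(stamp) < consent_at:
            findings.add((host, label))
    return sorted(findings)

# Constructed capture: app launched, nothing tapped, no consent given.
SAMPLE = [
    "2019-04-28T10:00:01 init.itunes.apple.com",
    "2019-04-28T10:00:01 api.shiri.example",
    "2019-04-28T10:00:02 graph.facebook.com",
    "2019-04-28T10:00:02 app-measurement.com",
    "2019-04-28T10:00:03 settings.crashlytics.com",
    "2019-04-28T10:00:03 notfacebook.com",  # must not match facebook.com
]
```

Calling `audit(SAMPLE)` returns every host that is neither the app's own backend nor the platform vendor; hosts labelled `unknown` are listed too, so that an incomplete tracker list does not hide a connection.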

Why is it, then, that Shiri is acting this way? Why is Shiri publishing a privacy policy which it then completely ignores?
I strongly suspect there was no ill will on behalf of Shiri here; just good old ignorance. One part of the organisation, with all the good idealism on its side, wrote a marvelous privacy policy; then another part of the organisation (probably with the help of external contractors) went out to develop an app, and that part chose to use SDKs from Google and Facebook. While at it, they chose to use several third party services to help them with the app's development and running. I suspect they did not even bother to read their organisation's own privacy policy.
Who does, these days?

3 comments:

wile.e.coyote said...

So how is the app?

MR said...

I have no idea; I only got as far as that first page, which told me all I needed to know (i.e., I cannot trust this app).