Availability of links to privacy policies at online stores for the 110 apps examined
- I examined privacy policies for 110 popular Android and iOS apps. App stores provided working links to privacy policies for 67% of iOS apps and 75% of Android apps
- 61% of privacy policies specifically stated that data would be encrypted. 31% had general language that could be read to imply that encryption would be used. Another 5% of privacy policies said nothing about security. One policy stated that it did not use encryption
I reviewed the privacy policies for the 110 apps included in a study of sensitive data sharing by mobile apps.  I focused on (1) the prevalence of privacy policies for mobile applications and (2) what, if anything, those policies said about the use of encryption for data in transit.
Results summary: For the 110 apps I reviewed, the app store pages provided working links to privacy policies for 67% of the iOS apps and 75% of the Android apps. Of the apps with accessible privacy policies, 62% contained general language saying that security measures would be used but did not specifically promise that encryption would be used, 31% included language implying that the apps encrypted some types of data in transit, 5% said nothing about security, and one policy (2%) affirmatively stated that encryption was not used (although, according to our testing, it actually did).
The Federal Trade Commission began studying website privacy policies in 1998. In a report to Congress that year, it found that although 85% of the sites it surveyed collected personal information, only 14% provided any notice of those practices, and only 2% had comprehensive privacy policies.  Since then, the FTC has encouraged adoption of privacy policies through its notice-and-choice framework. Laws, including COPPA, HIPAA, Gramm-Leach-Bliley, and the California Online Privacy Protection Act, now require many websites to publish privacy policies. Today, the vast majority of large websites seem to have privacy policies. However, are privacy policies for mobile applications readily available?
Privacy policies have received extensive research attention in the past 15 years. In 2000, the FTC followed up on its 1998 report with one of the earliest comprehensive surveys of privacy policies.  Two years after that, it looked at privacy policies of websites targeted at children.  More recently it has surveyed the privacy policies of mobile apps targeting children, releasing two reports in 2012 and conducting a follow-up survey in 2015. [5, 6, 7]
I also downloaded terms of service and license agreements for each app when available. In the case of iTunes, this was no easy task. Although privacy policies in iTunes are provided via links to developer websites, license agreements are presented within iTunes itself, which does not allow license agreements to be selected, copied, saved, or printed. I did not refer to the terms of service or license agreement documents when interpreting the language of the privacy policies.
Prevalence of Privacy Policies on App Store Pages
Of the 55 apps reviewed in each store, the pages for 37 iOS apps (67%) and 41 Android apps (75%) included working links to privacy policies (Figure 1). The pages for another 3 iOS apps and 2 Android apps had links that did not lead to privacy policies (“dead links”).
Figure 1. Availability of privacy policies in the Apple (iOS) and Android app stores for the 110 apps tested.
Finally, 3 policies (5%) did not say anything about security.
Nearly all (51/55) of the policies included some statement either explicitly or implicitly indicating that data in transit would be encrypted.
As mentioned above, the privacy policies applied to companies, not specific applications. Most of the policies appeared to have been written with websites in mind and their applicability to mobile apps was not always clear. Some policies, however, explicitly included mobile apps either as “online services” or in their definitions of websites.
Most of the policies also contained disclaimer language that could be interpreted as hedging statements made elsewhere about security. For example:
- Statements like Adobe’s are common: “Despite our efforts, no security controls are 100% effective and Adobe cannot ensure or warrant the security of your personal information.”
In a policy that explicitly promises that encryption is used, these disclaimers may merely stress the fact that no technical measure is guaranteed to completely protect data. But when this language appears in the same policy as a general statement that the company takes “reasonable” controls (as is the case with the King.com, Halfbrick, and Adobe examples listed above), it is hard to know what level of security, if any, the company is promising in its policy.
Although most apps had links to privacy policies, privacy policies do not appear to be as prevalent (as of mid-2014) in the mobile space as they are for websites overall. That may change as laws and regulations catch up with mobile applications.
- Zang J, Dummit K, Graves J, Lisker P and Sweeney L. Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps. Technology Science. October 30, 2015. http://techscience.org/a/2015103001/
- Federal Trade Commission 1998. Privacy Online: A Report to Congress. https://www.ftc.gov/sites/default/files/documents/reports/privacy-online-report-congress/priv-23a.pdf
- Privacy Online: Fair Information Practices in the Electronic Marketplace, A Report to Congress: 2000. https://www.ftc.gov/sites/default/files/documents/reports/privacy-online-fair-information-practices-electronic-marketplace-federal-trade-commission-report/privacy2000.pdf. Web: 2015-10-19.
- Federal Trade Commission 2002. Protecting Children’s Privacy Under COPPA: A Survey on Compliance. https://www.ftc.gov/sites/default/files/documents/rules/children%E2%80%99s-online-privacy-protection-rule-coppa/coppasurvey.pdf
- Federal Trade Commission 2012. Mobile Apps for Kids: Current Privacy Disclosures are Disappointing. https://www.ftc.gov/sites/default/files/documents/reports/mobile-apps-kids-current-privacy-disclosures-are-disappointing/120216mobile_apps_kids.pdf
- Federal Trade Commission 2012. Mobile Apps for Kids: Disclosures Still Not Making the Grade. https://www.ftc.gov/sites/default/files/documents/reports/mobile-apps-kids-disclosures-still-not-making-grade/121210mobilekidsappreport.pdf
- Kids’ Apps Disclosures Revisited: https://www.ftc.gov/news-events/blogs/business-blog/2015/09/kids-apps-disclosures-revisited. Web: 2015-10-20.
- Antón A, Earp J, Vail M, Jain N, Gheen C, Frink J et al. HIPAA’s effect on Web site privacy policies. Security & Privacy, IEEE. 5, 1. 2007, 45–52. http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=4085593
- Carrión Señor I, Fernández-Alemán J and Toval A. Are Personal Health Records Safe? A Review of Free Web-Accessible Personal Health Record Privacy Policies. Journal of Medical Internet Research. 14, 4. August. 2012. http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3510685/
- Cranor L, Idouchi K, Leon P, Sleeper M and Ur B. Are they actually any different? Comparing thousands of financial institutions’ privacy practices. The Twelfth Workshop on the Economics of Information Se-Curity (WEIS 2013). 2013. http://www.econinfosec.org/archive/weis2013/papers/CranorWEIS2013.pdf
- Privacy Policies on Children’s Websites: Do They Play by the Rules? 2001. http://www.annenbergpublicpolicycenter.org/Downloads/Information_And_Society/20010328_Children_Privacy_on_Web/20010328_Childrens_Privacy_on_Web_report.pdf. Web: 2015-10-19.
- Hoke C, Cranor L, Leon P and Au A. 2015. Are They Worth Reading? An In-Depth Analysis of Online Trackers’ Privacy Policies. I/S: a journal of law and policy for the information society. 2015. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2418590
- Ryker R, Lafleur E, McManis B and Cox K. Online privacy policies: An assessment of the fortune E-50. Journal of Computer Information Systems. 42, 4, 15–20. 2005. http://scholarworks.lib.csusb.edu/cgi/viewcontent.cgi?article=1175&context=jiim
Jim Graves is a PhD student in Engineering and Public Policy at Carnegie Mellon University, where his research focuses on the law and economics of data privacy. Before returning to school, he worked as a data security and networking professional for over 15 years. Jim earned his JD from William Mitchell College of Law, where he was Editor-in-Chief of the Law Review, and holds an M.S. in Information Networking and a B.S. in Mathematics and Computer Science, both from Carnegie Mellon University.
This work was conducted at the Federal Trade Commission during the summer of 2014 as part of the Summer Research Fellows Program. All statements, analyses and conclusions are the authors’ and do not necessarily reflect any position held by the Federal Trade Commission or any Commissioner.
Under review for data sharing classification.
Back to Top
Enter your recommendation for follow-up or ongoing work
in the box at the end of the page. Feel free to provide ideas for next
steps, follow-on research, or other research inspired by this paper.
Perhaps someone will read your
comment, do the described work, and publish a paper about it. What do
you recommend as a next research step?