Published on October 29, 2015.
An Exploratory Study of Mobile Application Privacy Policies
I reviewed the privacy policies for the 110 apps included in a study of sensitive data sharing by mobile apps.  I focused on (1) the prevalence of privacy policies for mobile applications and (2) what, if anything, those policies said about the use of encryption for data in transit.
Results summary: For the 110 apps I reviewed, the app store pages provided working links to privacy policies for 67% of the iOS apps and 75% of the Android apps. Of the apps with accessible privacy policies, 62% contained general language saying that security measures would be used but did not specifically promise that encryption would be used, 31% included language implying that the apps encrypted some types of data in transit, 5% said nothing about security, and one policy (2%) affirmatively stated that encryption was not used (although, according to our testing, it actually did).
The Federal Trade Commission began studying website privacy policies in 1998. In a report to Congress that year, it found that although 85% of the sites it surveyed collected personal information, only 14% provided any notice of those practices, and only 2% had comprehensive privacy policies.  Since then, the FTC has encouraged adoption of privacy policies through its notice-and-choice framework. Laws, including COPPA, HIPAA, Gramm-Leach-Bliley, and the California Online Privacy Protection Act, now require many websites to publish privacy policies. Today, the vast majority of large websites seem to have privacy policies. However, are privacy policies for mobile applications readily available?
Privacy policies have received extensive research attention in the past 15 years. In 2000, the FTC followed up on its 1998 report with one of the earliest comprehensive surveys of privacy policies.  Two years after that, it looked at privacy policies of websites targeted at children.  More recently it has surveyed the privacy policies of mobile apps targeting children, releasing two reports in 2012 and conducting a follow-up survey in 2015. [5, 6, 7]
I also downloaded terms of service and license agreements for each app when available. In the case of iTunes, this was no easy task. Although privacy policies in iTunes are provided via links to developer websites, license agreements are presented within iTunes itself, which does not allow license agreements to be selected, copied, saved, or printed. I did not refer to the terms of service or license agreement documents when interpreting the language of the privacy policies.
Prevalence of Privacy Policies on App Store Pages
Of the 55 apps reviewed in each store, the pages for 37 iOS apps (67%) and 41 Android apps (75%) included working links to privacy policies (Figure 1). The pages for another 3 iOS apps and 2 Android apps had links that did not lead to privacy policies (“dead links”).
Figure 1. Availability of privacy policies in the Apple (iOS) and Android app stores for the 110 apps tested.
Finally, 3 policies (5%) did not say anything about security.
Nearly all (51/55) of the policies included some statement either explicitly or implicitly indicating that data in transit would be encrypted.
As mentioned above, the privacy policies applied to companies, not specific applications. Most of the policies appeared to have been written with websites in mind and their applicability to mobile apps was not always clear. Some policies, however, explicitly included mobile apps either as “online services” or in their definitions of websites.
Most of the policies also contained disclaimer language that could be interpreted as hedging statements made elsewhere about security. For example:
In a policy that explicitly promises that encryption is used, these disclaimers may merely stress the fact that no technical measure is guaranteed to completely protect data. But when this language appears in the same policy as a general statement that the company takes “reasonable” controls (as is the case with the King.com, Halfbrick, and Adobe examples listed above), it is hard to know what level of security, if any, the company is promising in its policy.
Although most apps had links to privacy policies, privacy policies do not appear to be as prevalent (as of mid-2014) in the mobile space as they are for websites overall. That may change as laws and regulations catch up with mobile applications.
Jim Graves is a PhD student in Engineering and Public Policy at Carnegie Mellon University, where his research focuses on the law and economics of data privacy. Before returning to school, he worked as a data security and networking professional for over 15 years. Jim earned his JD from William Mitchell College of Law, where he was Editor-in-Chief of the Law Review, and holds an M.S. in Information Networking and a B.S. in Mathematics and Computer Science, both from Carnegie Mellon University.
This work was conducted at the Federal Trade Commission during the summer of 2014 as part of the Summer Research Fellows Program. All statements, analyses and conclusions are the authors’ and do not necessarily reflect any position held by the Federal Trade Commission or any Commissioner.
Graves J. An Exploratory Study of Mobile Application Privacy Policies. Technology Science. 2015103002. October 29, 2015. https://techscience.org/a/2015103002/