Skip to Content

Tracking How Mobile Apps Track You

Senate committee sorts out the technical and legal challenges in trying to control how apps track users.

Third-party apps are the weakest link in user privacy on smart phones. They often get access to large quantities of user data, and there are few rules covering how they must handle that data once they have it. Worse yet, few third-party apps have a privacy policy telling users what they intend to do.

That was the message delivered at a hearing of the U.S. Senate committee on Commerce, Science, and Transportation held yesterday. Companies and regulators are struggling to find ways to ensure that user data is handled properly by apps installed on smart phones, but the way apps are designed makes this difficult.

Mobile privacy has come under extreme scrutiny since revelations that Apple’s iPhone and Google’s Android software collect and store users’ location data. Last week, a U.S. Senate subcommittee questioned those two companies on their handling of personal data. This week, Facebook joined Google and Apple on the hot seat.

But all three companies run platforms that support thousands of third-party developers, and how to make sure those apps respect users’ privacy, and explain their rules, is a major question. Sen. Mark Pryor (D-Arkansas) said at the hearing, “It’s not clear that Americans understand how their information may be shared or transferred.”

The hearing also highlighted several reasons why it’ll be difficult to control what apps are doing with user data. It’s not clear which laws should be used to regulate third-party apps, and, in some cases, it’s hard to design proper technical requirements. “There’s no privacy law for general commerce whatsoever,” said Sen. John Kerry (D-Massachusetts). “Data collectors alone are setting the rules.”

A major initiative designed to improve consumer privacy on the Web—the proposed “Do Not Track” bill—could be hard to apply to mobile devices, regulators said. The bill would allow consumers to opt out of having their online activity tracked.

For mobile devices, the situation is more complicated, partly because the devices can observe users’ physical location, as well the sites a user visits or apps he or she uses. David Vladeck, director of the U.S. Federal Trade Commission’s Bureau of Consumer Protection, says the Do Not Track bill is designed to cover online movements, not geolocation, which might need its own protection.

While Do Not Track protects consumers from being tracked when they move from one website to another, Vladeck said, it’s not always clear within an app when this is happening. Princeton University’s director for Information Technology Policy, Edward Felten, who is consulting with the FTC on this issue, explains that, while third-party code on a website clearly comes from a different server than the rest of the site, all the code in an app looks the same no matter where it originated.

The key goals, Felten says, are to give users a simple way to opt out of sharing data beyond the site they’re interacting with, and to follow through technically on users’ wishes. He says that doing so on mobile devices is certainly possible, but it requires additional thinking, since not all the technology can be adapted directly from what’s being done in the browser.

Some app developers may be hesitant to explain how they will use data—to leave the door open for opportunities that may arise in the future. Morgan Reed, executive director for the Association for Competitive Technology, said during the hearing that app makers struggle to provide privacy policies that “work for today but also for tomorrow.” He also pointed out that Google, Apple, and Facebook can change their policies at any time, which could, in turn, affect app makers.

Whatever regulators decide, there is significant momentum toward giving users more information and control over what third-party apps can do. For example, a company called Whisper Systems is providing a modified version of Google’s Android that allows users to see and control where their personal information is going. This week, Twitter announced that its permissions screen for apps will be more detailed. Other companies may follow that lead.

Keep Reading

Most Popular

The inside story of how ChatGPT was built from the people who made it

Exclusive conversations that take us behind the scenes of a cultural phenomenon.

ChatGPT is about to revolutionize the economy. We need to decide what that looks like.

New large language models will transform many jobs. Whether they will lead to widespread prosperity or not is up to us.

Sam Altman invested $180 million into a company trying to delay death

Can anti-aging breakthroughs add 10 healthy years to the human life span? The CEO of OpenAI is paying to find out.

GPT-4 is bigger and better than ChatGPT—but OpenAI won’t say why

We got a first look at the much-anticipated big new language model from OpenAI. But this time how it works is even more deeply under wraps.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.