The smartphone concentrates a lot of personal data entered by the user. But it also generates data through the sensors and communication interfaces with which it is equipped: each telephone call or SMS, each use of a Web browser or an application, leaves traces of that activity. Our smartphone, therefore, knows a great deal about us, both in the virtual world of the Internet and in the real physical world (movements, habits, biological parameters, etc.). The list of our applications is also meaningful, since the applications correspond to our interests and needs. A smartphone can, therefore, provide a lot of personal data that supports an entire ecosystem.
The business model for smartphone applications
At the start of this ecosystem is the user. The user looks for his applications in an application store. These applications have been designed by developers. Two other actors, less known to the public, also intervene: the advertisers, who want to send advertising messages, and the advertising agencies. How does this economic model work?
To get a financial return, the developer of the application (often free) signs a contract with an advertising agency and includes in his application a small tracker (or spyware) provided by the latter. As soon as the user starts the application, the tracker collects a certain amount of personal data on the user (such as the list of applications used, geolocation information, technical identifiers or others) and transmits it to the advertising agency. The agency can thus build a user profile and enrich it over the days, sometimes even thanks to the data collected by other smartphone applications.
If the application can display an advertisement, the advertising agency triggers an auction in real time by announcing, for example, that the user is a woman under 25 interested in fashion. Among the advertisers interested in such a profile, the advertiser who wins the auction provides its advertisement and pays a small amount (a few fractions of a cent) to the agency. The agency then triggers the display of the advertisement on the user’s smartphone, keeps part of the amount earned and redistributes another part to the developer of the application. Since the volume of information captured by the advertising agencies is enormous, this market around targeted advertising is very lucrative.
In theory, all the players benefit from this “free versus targeted advertising” model. But we all know the adage “if it’s free, you’re the product” – in reality, here the advertiser pays instead of the user. The model finds its main limits in the complexity of the ecosystem, which is too obscure for the user to trust; in the frequent disproportion between the personal data collected (continuous profiling) and the service provided to the user; and in the lack of information and user control over what becomes of the data collected, which is often immediately transmitted to servers outside Europe, where our legislation no longer applies and where the CNIL cannot carry out controls. The user also has no guarantees about the conditions of storage, about security, or about the resale of his data to third parties …
Free and informed consent … in theory
The General Data Protection Regulation requires obtaining the free and informed consent of the user: free because the user must be able to refuse the collection of his data; informed because the user must be told the purposes of the collection. Let’s take a look at the cases of Google and Apple, which cover roughly 90% of the French market.
Historically, Apple’s iOS operating system has implemented dynamic checks: when an application is run for the first time, if it needs a specific authorization, the user receives a message with an explanation and can grant it or not. At any time thereafter, the user can change his mind and get a global view of the authorizations granted in an easy-to-find control panel.
For Google’s Android operating system, for a long time, the user had no choice but to accept all the requested permissions en bloc; otherwise, the applications could not be installed. Fortunately, since Android 6, Google has included a dynamic authorization mechanism, but the control information remains scattered and difficult to find and understand. In addition, Google has classified permissions into two categories: normal permissions and risky permissions. The user is only asked for risky permissions; normal permissions – which, according to Google, do not involve many risks for the privacy and security of the user – remain automatically granted during installation. However, by searching the pages for Android developers, we realize that these normal permissions actually open access to stable technical identifiers, which make it possible to track users over time, and to know, for example, all the Wi-Fi networks to which they are connected. This information is far from trivial in terms of privacy.
Finally, some limits common to the two operating systems remain, in particular the user’s lack of control over the behavior of the applications, the precise composition of the authorizations, and sometimes still the absence of explicit collection of the user’s consent.
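The split between automatically granted and user-prompted Android permissions described above can be checked on an application's decoded AndroidManifest.xml. The Python sketch below is an added example, not code from the original article; the permission subsets, the constructed sample manifest and the function name audit_manifest are assumptions for illustration (Android's documentation calls the risky category "dangerous").

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Non-exhaustive subsets of Android's protection levels (assumption: a real
# audit would load the complete lists from the platform documentation).
NORMAL = {P + "INTERNET", P + "ACCESS_NETWORK_STATE", P + "ACCESS_WIFI_STATE"}
DANGEROUS = {P + "ACCESS_FINE_LOCATION", P + "READ_CONTACTS", P + "CAMERA"}
# Install-time permissions that still reveal network or Wi-Fi information.
SILENT_BUT_SENSITIVE = {P + "ACCESS_NETWORK_STATE", P + "ACCESS_WIFI_STATE"}

# Constructed sample manifest in decoded text form, not from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.example.adsdk.permission.TRACK"/>
  <application android:label="Flashlight"/>
</manifest>
"""

def audit_manifest(xml_text):
    """Sort requested permissions by whether the user is ever asked."""
    report = {"prompted": [], "silent": [], "silent_sensitive": [], "unknown": []}
    root = ET.fromstring(xml_text.strip())
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if not name:
            continue  # malformed entry without android:name
        if name in DANGEROUS:
            report["prompted"].append(name)
        elif name in NORMAL:
            report["silent"].append(name)
            if name in SILENT_BUT_SENSITIVE:
                report["silent_sensitive"].append(name)
        else:
            report["unknown"].append(name)  # custom or unlisted: review by hand
    return report

if __name__ == "__main__":
    for bucket, names in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

On the sample, only the location permission would ever produce a prompt; the three others known to the script are granted at installation without the user being asked.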
Towards a more virtuous model?
Progress is therefore still possible with regard to the privacy of smartphone users. First, the users themselves should be more responsible: on the one hand by being aware that there is no such thing as a free service – someone has to support the work financially – and on the other hand by showing more vigilance regarding authorizations when installing and configuring applications on their smartphone, for example by following simple recommendations. Then, the other players in the ecosystem (operating system publisher, developer, advertising agency) would benefit from being more transparent about their practices; they should also be able to technically prove their compliance with the law (the notion of accountability). Finally, trusted third parties – typically the CNIL in France – should be able to control these actors, even foreign ones.
It is imperative to seek answers to these questions because, with the generalization of payment on smartphones and the proliferation of connected objects (smartwatches, smart homes, connected cars, etc.), these issues are already spreading to other areas.