90% of mobile apps could be in breach of Singapore privacy law

Privacy policies of many apps don't declare what data is collected or how it is used: Study

More than half of the mobile apps that people download seek access to swathes of sensitive information, such as users' online and social media identities and location. PHOTO: BLOOMBERG

SINGAPORE - Ninety per cent of mobile apps in Singapore do not adequately declare what consumer data is collected or how it is used, potentially falling foul of Singapore's Personal Data Protection Act (PDPA) .

Yet, more than half of the mobile apps that people download seek access to swathes of sensitive information, such as users' online and social media identities and location.

This comes from an inaugural study of the privacy policies of 113 popular apps from the Singapore Google Play store. The sample comprises taxi apps as well as those from banks, telcos, real estate agents and financial advisers.

The three-month study - done jointly by local data protection software-makers Straits Interactive and Appknox - concluded last week .

"Users freely give permission upon installation, without being informed of how their personal information would be used," said Mr Kevin Shepherdson, chief executive officer of Straits Interactive.

  • Hidden app flaws

  • The study also found that more than half of mobile apps have either poor encryption or contain vulnerabilities, potentially exposing users' sensitive data to hackers.

    For instance, a malicious code can be inserted via the compromised app to control, say, the camera function of the mobile device using the app. This allows pictures, videos or screenshots to be taken and collected remotely and surreptitiously.

    Similarly, mobile numbers can be harvested by app developers for sale to marketers, and by cyber criminals for targeted hacking.

    Early last year, a security vulnerability was discovered in Starbucks' mobile app for the iPhone.

    The app stores customers' credentials - including the balance in their stored-value account, and transaction history and locations - in a text file that is not encrypted.

    An attacker just needs to connect the device to a computer to extract the information from the file system. Starbucks has since patched the security hole.

    Irene Tham

The PDPA, implemented fully in July last year, requires organisations to tell consumers what data is collected and what it is used for.

Noted Mr Shepherdson: "As a best practice, app developers need to state clearly within the privacy policy on the app download page what user information is collected and how it will be used."

The PDPA also prohibits organisations from collecting consumer data beyond what is "reasonable".

A calendar app was found to have asked for access to users' location and photos, in what seems to be excessive data collection, said Mr Shepherdson.

Apps from real estate agents and financial advisers also seek access to location, online identities, and even microphone and camera functions. Most of them do not explain how the data will be used.

Mr Ken Chia, principal at law firm Baker & Mckenzie.Wong & Leow, said that excessive data collection may land organisations in hot water. "They may not realise the privacy implications of their actions and that they may be contravening the Act," he said.

When contacted, the Personal Data Protection Commission, which enforces the Act, urged mobile app developers to review their policies to comply with the law.

"Organisations should only collect, use or disclose personal data for reasonable purposes," a commission spokesman said.

Organisations should also notify and obtain individuals' consent for data collection, unless it is an emergency where the safety of an individual is threatened, he added.

Only 10 per cent of the local apps examined provided comprehensive disclosure, the study found. Among them is HSBC's mobile banking app. Although the bank requires users to agree to share their location information, it clearly states that the app uses the data to locate nearby branches and ATMs.

Users must also grant the app access to their call logs and device identification. But its privacy policy states this is to let users make calls to HSBC from within the app and for verification purposes.

Lawyer Gilbert Leong, a partner at Rodyk & Davidson, said that most app developers may not be collecting data for nefarious purposes.

He said: "If I am using an app for map directions, it is logical that the app has access to my location information. But ideally, app-makers should give consumers the choice to turn on or off any privacy feature within the app."

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on November 02, 2015, with the headline 90% of mobile apps could be in breach of Singapore privacy law. Subscribe