Permissions not Granted? App Use Denied!

By admin

A few years ago, when I was still a regular - even happy - user of my faithful BlackBerrys (the model numbers escape me now) I was glad to download and activate any app that I might find useful. So, following my lengthy experience with the desktop online banking service, when my bank offered online access to banking services via their new mobile app, I was quick to download, personalise, grant its (or rather, agree to its request for) permissions and use it, frequently. It became one of the mainstays of my daily life, moving money around, paying bills, sending money to my kids and such, and always worked like a charm. I was happy.  

One day, I changed BlackBerrys - a typical upgrade - in a 'gotta have that new model' like everyone else does, still, today.  But, and it was unusual for me to take this level of interest, this time as I installed the banking app I noticed it gave me the option to 'Show Permissions'. So I did. And what a surprise.

The list of Permissions requested included 'Read, Write, Copy, Cross-Application' authority against ALL my data - E-mails, Contacts, Pictures, Files, Music, Documents - absolutely everything. In other words, they wanted authority to read, write and copy everything on my BlackBerry, without restriction. I was flabbergasted. So, acting like the annoyed user I was, I un-checked the permissions I figured had nothing to do with banking, and clicked 'Install'.  The app wouldn't install. Of course. So, I re-checked some of the choices, clicked 'Install' again. Again, nothing. I finally re-checked all the permissions and, yes - the app installed successfully and I banked, mobile, once again.

But this time I was really peeved. I had never heard the term Big Data, but I knew marketers and others were keenly interested in the analytics associated with user behaviours and habits, and that there were gigantic data centres in faraway places that stored everything that could be harvested about everyone, so I understood their motivation.  But I was still peeved and I wanted answers or at least to make someone uncomfortable.

So I found the 'Customer Inquiries' number for the bank and called, realizing it was pretty unlikely I'd reach anyone who had a clue what I was peeved about. To my somewhat pleasant surprise, after a handful of short on-holds and re-directions, I spoke to someone in PR who could help. Or try.   

Their bottom-line was this: "Oh, no - the bank would never, ever do anything with your personal data, for any purpose whatsoever, no, no, no, never. Thanks for asking!"  And that was it. In retrospect, I realize I should have asked "Ok, I get it the bank won't do anything with my data, but what will happen to it when the bank sells it or shares it with those faraway gigantic data centres that build profiles of everyone in the universe?" Not so sure I'd have gotten an answer to that one either.I was still peeved as I hung up the phone, but I knew I had reached the end of the line. And I really loved the convenience of that app - and still do, so I shut up and moved on. Harvested in full I figured. 

Fast-forward to yesterday, and the deluge of wonderful presentations at yesterday's FTC event https://www.ftc.gov/news-events/press-releases/2015/08/ftc-announces-privacycon-issues-call-whitehat-researchers - at least one of which included in its title the words "Be Afraid"  - all my worst fears were confirmed (yes, your data is being harvested by every device within range, and more, and no, you don't know about the vast majority of it, and yes, you've given those devices no permissions and no, it doesn't matter anyhow because all those IoT devices are too many to track or control), though there is great hope, as some of the brilliant presenters told us.

Then today, was this piece on Forbes: http://www.forbes.com/sites/ewanspence/2016/01/15/apple-versus-android-os-update-security/#74c245ea5e887ca6387c5e88  ...and I couldn't help but think - oh yeah, just try to 'un-check' some of those permissions and then watch to see if the app will install, or work at all. And that's the point.

All of our devices, everywhere, have become so critical to the living of our modern lives, that to NOT use the devices and their apps, is to be behind the crowd. Or delayed, or incapable, or restricted, or debilitated or impaired or put off - in short, a less-enabled person, almost a lesser member of society.  Sounds pathetic when expressed that way, but would your life be affected if you suddenly deleted all those convenient apps off your smartphone and roughed it? Of course it would. And with IoT looming, in order to be a fully-functioning member of modern society you have to trade your privacy in one, or multiple ways, to people you don't know, for purposes they're not disclosing, with consequences you can only guess. Or maybe you can't.

The Information Accountability Foundation ('IAF') www.informationaccountability.org makes the point phrased in a way I like - addressing use of Big Data, IoT and Analytics for purposes 'Beyond Individuals' Expectations'. Because anyone with an understanding of today's technology, Big Data's capabilities (yes - we should include NSA & GCHQ's notable Backdoor achievements - there are undoubtedly more unhappy disclosures to come) and the objectives of those who compile and use the data, and who might attempt to inform their friends, relatives and anyone else who will listen at holiday parties and other unsuitable venues quickly realizes that the population at large is utterly clueless about these issues (see 'races for president') and largely uncaring to boot.   And don't get me started today about the dark side - nebulous criminal organizations, rich and fully Big Data-enabled - where there may be real, and very unpleasant consequences to the personal privacy trade-offs we've all made in innocence, to our varying degrees of detriment, mostly unknown as-yet.

Like the IAF and many others I totally agree that Analytics and BI and IoT are very important - key to the future growth, prosperity and yes - safety too - of the world. But when it comes to the inevitable 'what now then?' question, I'd say with confidence the presenters at the FTC event - mostly young, smart, informed and enthusiastic researchers from leading universities and other notable organizations - do have the answers, at least most of them, and they're keen to find the remaining answers too. The epidemic practices of what I'd term 'disclosure by default', or 'acceptance (of terms and conditions) by fatigue' has to be changed, and soon, to give us users back some modicum of control and reasonableness when our personal data and privacy is at stake. It's too large an issue with too many future exposures to be treated otherwise. Let's all take part in the effort for privacy as a basic building block - it will benefit everyone.