World | Technology

Hard to say goodbye: Are your deleted mobile apps still stalking you online?

Some app developers are exploiting a loophole to see when you’ve deleted an app—and targeting you to reconnect 

A Facebook IconFacebook A Twitter IconTwitter A Linkedin IconLinkedin An Email IconEmail

Illustration of man sitting, looking at cell phone while chained to an app iconSome companies might not see the breach as a loophole, but rather as something the user is—or at the very least, should be—aware of. (Illustration by Katie Carey)

If that new app you downloaded isn’t as impressive as it looked, you probably didn’t hesitate to delete it. But a report from Bloomberg Businessweek says those discarded apps may not be as keen to say goodbye.

App makers can use an iOS and Android loophole to see that you’ve deleted their app, giving them the ability to target you with ads to reconnect. Uninstall tracking uses silent push notifications to ping previously installed apps, and if the app doesn’t ping back, it’s marked as uninstalled. These push notifications are helpful to refresh an inbox, for example, but using the practice to identify the device’s advertising ID violates Apple and Google’s policy against using silent push notifications to build advertising audiences.

A clear violation of trust

Simply tracking the number of people who have installed or uninstalled the application is helpful for both the product owner and the developer. For example, tracking if there’s a bump in the number of installs or uninstalls when an app update is released can signal whether it was well-received. 

But it’s a bigger leap to know exactly who has uninstalled your app. If an individual’s data is getting used without their knowledge, that’s clearly a violation of their trust, says Android developer Ian Myrfield of FreshWorks Studio, a mobile app design and development studio based in British Columbia. [See When choosing AI, think of the client’s privacy first, says expert Chantal Bernier]

“We have not tracked the identity of a user when they uninstalled the application for any applications we have developed,” says Myrfield. “But loopholes aren’t a new thing, and if this is against Google/Apple policies in principle, then they’ll figure out a way to stop it.”

The tricky part is that some companies might not see this breach as a loophole, but rather as something the user is—or at the very least, should be—aware of, as they would have had to give the app permission to send push notifications.

People unaware this is happening

This practice is alarming to privacy experts, who argue consumers are not aware it is happening. 

“If they [people] knew about it, they would totally object,” says leading privacy expert Dr. Ann Cavoukian, the former Information and Privacy Commissioner of Ontario.

Cavoukian created a concept called Privacy by Design to help proactively embed privacy into business practices. One of its foundational principles is privacy as the default.

“Privacy as the default says [that] you, as the individual, shouldn’t have to be searching for the opt-out box, [and] where you can say, ‘Do not use my information for any other purpose,’” Cavoukian says.

“It should be that we can only use your information for the purpose intended and if we want to do anything else, we have to come to you and obtain your positive consent.”

Cavoukian, who has been in the privacy business for more than 20 years, points to recent opinion polls that suggest there is a “trust deficit” between consumers and companies. According to a 2018 Pew Research poll in the U.S., only nine per cent of respondents believe they have “a lot of control” over the information that is collected about them.

“Concern for privacy is at an all-time high, trust is at an all-time low,” Cavoukian says. “The companies that are smart are addressing this.”

So what can you do about it?   

Unfortunately, the only way to be unaffected is to avoid using the product altogether. 

“The situation today is that if you don’t want to share simple analytics data, well, you can’t really use apps,” says Myrfield, adding that if Google and Apple determine this practice is against their terms of service, they will figure out a way to stop it. 

“Both companies hold the power to remove apps from their stores,” he says.

FOR MORE

See how the EU’s General Data Protection Regulation (GDPR) is changing the global standard for data privacy and transparency—even for Canadian companies. 

Learn expert strategies to protect your company from data breaches and get an overview of cybersecurity with the Introduction to cybersecurity for CPAs course, which is part of CPA Canada’s upcoming Cybersecurity Certificate.