The Games on Your iPhone Could Be Sharing More Personal Data Than Even Their Developers Realize

Iphone Game Pubg Credit: chanonnat srisura / Shutterstock

This year has seen more than its fair share of privacy scandals stemming from app developers caught either deliberately or inadvertently collecting a lot more data on their users than they should have been.

First there were the egregious violations of Apple’s Enterprise Developer program, with Facebook caught publishing an invasive market research app and Google doing the same, followed by reports of underground gambling and porn apps, a cabal of software pirates, and malicious spyware apps all landing on users’ iOS devices. Even apps vetted by Apple weren’t immune, with health and fitness apps discovered to be sharing intensely sensitive personal health information with Facebook, and a whole other set of apps secretly recording users’ screen activity.

As if all of this weren’t bad enough, however, now a new report by Vox suggests that many app developers themselves don’t have any idea how much data they’re actually collecting, or where it’s going.

The problem, the report notes, has been created by the sheer number of advertising and tracking networks that most developers are now tying into, and have been for years. From the “first wildly successful mobile game” Angry Birds, Vox notes how there’s been an increasing amount of intimate information being sucked up by mobile games in exchange for the lower prices demanded by the mobile economy. Since developers have to make a living somehow, charging higher purchase prices to actual customers has slowly been replaced with simply sucking up as much data as they can and selling that to a variety of entities that are more than happy to pay for it.

More frightening, however, is that most developers don’t even know exactly what is being done with this data, and certainly users themselves are even more in the dark. A Pew study cited by Vox notes that 76 percent of Americans knew basically nothing about how Facebook tracks and targets them, even though there’s research that shows most people do have a vague sense of distrust for the social media giant.

If the tactics of even the largest, most public, most well-documented violator of our privacy are a black box to the average person, what do most of us know about the tactics of, say, a Finnish game developer?

Kaitlyn Tiffany, Angry Birds and the end of privacy, Vox

However, Facebook is far from the only game in town when it comes to this kind of data collection. There are of course the other giants like Google and Twitter, but there are dozens of other smaller advertising companies that most people have probably never even heard of. Almost every game out there — certainly all of the free ones — is chock-full of these third-party advertising networks, all sucking up whatever data they can to try and make money by profiling your behaviour.

The problem is that a lot of these gaming developers eagerly sign on to these services to monetize their apps with very little concern about the details of what data these services collect and how that data is used. After all, it’s not the developers’ privacy that’s at risk here.

When the whole Cambridge Analytica debacle happened, I read about that, and I think a lot of my colleagues and I thought the same thing: Why are people so upset? The gaming industry has been doing this for a long time, only for a different goal: just to make a lot of money.

David Nieborg, gaming researcher and political economist, University of Toronto

To be fair, it’s debatable how much personal information apps like Angry Birds are likely to be sending out that most users would care about — “gameplay data” doesn’t seem particularly serious, and it’s not likely developers are getting even basic contact information from apps like these. However, the data that they are sending out was sufficient for Edward Snowden to identify Angry Birds as one of the “leaky” apps used by the U.S. National Security Administration to access private information.

While the data itself may seem innocuous, as Vox notes there’s lots of room for deeper — and even darker — profiling of users. Data on who is playing, for how long, how well, and how much money they’re spending can be analyzed for the more obvious purposes of helping developers target Facebook ads to attract users who are likely to spend more money on their apps. However, it can also show what makes people tick: studies have shown that users play games differently when they’re depressed, or dieting, for example. As machine learning technology continues to evolve, advertising and marketing companies are going to find more creative ways to work with this kind of data and build even more new connections to player behaviour.

There’s a massive incentive to know a lot about your players, [but] the dark twist [is that] if you can do this for a games company and you’re really good at it, you can [then go] start working for other companies that have less trivial goals than just selling digital gems to people.

David Nieborg, gaming researcher and political economist, University of Toronto

According to the report, the average free game could have as many as 10 advertising intermediaries built into it, tracking every move you make and every additional purchase you even contemplate, and these intermediaries aren’t all necessarily based in the U.S. — they can be located in pretty much any country.

While there are games that are openly exploitative and usually recognizable as a result, the bigger problem is that even the most innocuous and well-intentioned apps could be giving away a lot more information than their developers realize. Most mobile games are built from a patchwork of software development kits and modules that already exist. For example, if an app uses an ad platform like Facebook or Vungle to serve ads, it’s going to have Facebook’s or Vungle’s code included in the app. Since most coders are busy enough working on the main part of their apps, these chunks of additional code are often simply dropped into the app without even a second glance. Often these code blocks are also only available as binary blobs that developers can’t examine, leaving them with only the choice to include the code or not include it.

This is another area where many users may not realize how important Apple’s enforcement of App Store and privacy restrictions actually is. By its very nature, iOS limits the amount of data available to third-party apps, and users need to very explicitly consent to sharing details such as location data. The Android ecosystem is far less restrictive: another UC Berkeley study found 17,000 Android apps to be sharing permanent device IDs that could be used to “fingerprint” users, even across multiple apps, allowing incredibly detailed profiles to be created on users.

As the report notes, Rovio’s privacy policy for Angry Birds lists 43 data controllers and processors that it works with, including 14 advertising intermediaries, three of which were identified in a study by UC Berkeley as “extremely likely” to be in violation of the Children’s Online Privacy Protection Act (COPPA). Some of these are also currently the subject of a lawsuit by New Mexico’s Attorney General. However, when Rovio was interviewed for the report, they seemed to have little knowledge of most of these, originally denying that they used third-party advertiser code at all, but later admitting that it was sometimes necessary to do so.

Unfortunately, almost no developers actually take the time to read through the Terms of Service for all of the third-party software providers that they use to make sure that they align with their own privacy policies, which means that most game developers are likely making privacy promises that they can’t actually keep.

At the end of the day, most of the data collected is fairly innocuous in nature — especially for iOS users, where Apple seriously restricts the amount of data available to third-party apps — so there’s not much cause for serious alarm, but at the same time there’s been a disturbing trend over the past several years toward seeing more and more fingers in the data collection pie, with virtually no understanding from most users — or even developers — of what is actually being given up in exchange for free gaming.
