App vs. Website: Which Best Protects Your Privacy?

Ever wondered if you should download the free app or visit the website and which is better for protecting your privacy? That's the question that Northeastern researchers ask in a new study exploring how free app- and web-based services on Android and iOS mobile devices compare.

The team investigated the degree to which each platform leaks personally identifiable information, ranging from birthdates and locations to passwords, to the advertisers and data analytics companies that the services rely on to help finance their operations.

The answer? "It depends," says Choffnes, a mobile systems expert in the College of Computer and Information Science. "We expected that apps would leak more identifiers because apps have more direct access to that information. And overall that's true. But we found that typically apps leak just one more identifier than a website for the same service. In fact, we found that in 40 percent of cases websites leak more types of information than apps."

Those types of information vary, based on the platform. For example, the researchers found that websites more frequently leak locations and names, whereas only apps were found to leak a device's unique identifying number.

The researchers will present their findings in a paper at the 2016 Internet Measurement Conference, in Santa Monica, California, in November.

The team's aim is to help users make informed decisions about how best to access online services. To that end, they have integrated their findings into an easy-to-use interactive website that rates the degree of leakiness of 50 free online services, from Airbnb to Zillow, based on each user's privacy preferences.

Here's how it works: Users select from a drop-down list of 50 services and check off whether their operating system is Android or iOS. Next they're asked to rate the various types of personal information, from their birthdates to their devices' unique identifiers, that they care most about keeping private. Then, automatically, the site generates two "leakiness indexes" for the service selected (a sky blue bar for the app version, a lime green one for the web) and recommends which platform is best for that particular user.

"There's no one answer to which platform is best for all users," says Choffnes. "We wanted people to have the chance to do their own exploration and understand how their particular privacy preferences and priorities played into their interactions online."

For the study, the researchers selected 50 of the most popular free online services in a variety of categories, including business, entertainment, music, news, shopping, travel, and weather. Each service had to offer the same functionality on both its website and app. To ensure that they were interacting with the services as everyday users would, the researchers conducted manual, rather than automated, tests, personally logging in, entering requested user data into text fields, and navigating the environment.

Both apps and websites, they found, leaked locations, names, gender, phone numbers, and e-mail addresses to varying degrees. But there were surprises. "We didn't expect to find the diversity of information collected across the different platforms even for the same service," says Choffnes. Moreover, four services sent encrypted passwords to another party: the Grubhub app, unintentionally, due to a bug, which has been fixed; the JetBlue app, for authentication purposes; the Food Network app and website, for identity management; and the NCAA website, for identity management.

"The reasons for the intentional leaks are legitimate, and I'm sure that the services have appropriate agreements with the other parties to protect the passwords," says Choffnes. "But the practice still raises an important issue: Users have no idea that their passwords are being sent to another party." Consider: JetBlue customers making an airline reservation likely assume they are submitting their passwords to JetBlue for authentication, when in fact their credentials are being managed by a third party, Useablenet.

Choffnes hopes that the findings will start a dialogue between consumers and online services about the kinds of information that should be collected, balancing the services' revenue needs with consumers' privacy needs. "My goal is not just to tell people a scary story but to issue a call to action," he says. "Part of that action could be that users start requesting or even demanding the privacy and transparency considerations they want from the companies they interact with."

So which do you prefer? App or website? Share your thoughts in the comments section below.
