Access: Denied!


Most Malaysian mobile apps are collecting too much personal data unrelated to their service, says a survey. 

SAY yes to some apps and it could be a case of “open sesame” to your privacy.

This is especially when an app seek too much access to your personal information – even more than what’s needed for the service.

As it turns out though, most (59%) of local mobile apps are guilty, demanding for excessive permissions beyond the scope of their function before you can use it.

For example, a local bank required 24 types of permissions – even asking for access to the phone’s flashlight!

These apps also do not inform users about why and how their personal data is going to be used, reveals a survey by data protection specialist, Straits Interactive.

The survey, made available to Sunday Star, assessed the privacy risks of 101 most downloaded Malaysian apps, covering various sectors like lifestyle, business, finance, transportation and health.

And the results show that most local apps (59%) are asking for too much – almost double the global average of 31%.

“In some cases, it’s almost as if you are passing them your entire phone.

“Some apps request full access and control to everything, including your camera, contact list and media storage,” says company chief executive officer and founder Kevin Shepherdson in an interview.

In another example, a local cinema app needed 15 permissions, including access to sensitive information such as a user’s phone log data, location, and the power to modify calendar events and email contacts without the user’s knowledge.

In fact, the survey, completed in March, found that 70% of local apps wanted to know the user’s whereabouts – even services that don’t require such data like entertainment and music apps.

Some 38% of apps wanted access to a user’s camera, while 14% needed permission to use the mobile phone’s microphone.

For the latter, half of such apps have little or no justification at all for such access.

Some apps, like property apps, may need access to the camera to let users snap photos of documents while apps needing the microphone may have voice recognition features.

“But such access can be open to abuse if fallen into the wrong hands.

“An app that has permission to take pictures and videos can gain access to record audio. The app could listen to you when you use other apps or when your device’s screen is off,” Shepherdson points out.

In mild cases, such information can be used by businesses for behavioural advertising, whereby targeted ads are presented to online users based on their browsing behaviour.

But on the other extreme, it can lead to cyber crimes like identity theft, device hacking through malware and the sale of personal data in the black market.

Identity theft, where criminals steal personal details and exploit the information, shot up by 16% from 220 in 2015 to 255 last year.

It was reported that from January to September this year, 262 cases have already been reported to CyberSecurity Malaysia.

But collecting excessive data without informing online users of the purpose is itself, a crime.

Any organisation that excessively collects personal data and does not inform users of the purposes of processing in a privacy notice may be breaching Section 5 of the Personal Data Protection Act.

Those convicted can be fined up to RM300,000, jailed for two years or both.

To avoid being a victim of irresponsible parties, Shepherdson cautions the public to only download apps that come from trusted companies.

And if the app demands for too much access, perhaps it is better to avoid it completely.

“Always read an app’s privacy notice before downloading it.

“Remember, if an app is free, you may be the product,” he says.

Related stories:

Going full force to enforce Act

Airlines have your personal data, and they are using it