Access to data on apps

When installing a smartphone app it is worth taking a few moments to check and see what rights are asked for. This usually involves allowing access to data.

Before installing a smartphone app, users are asked to authorise access to certain data. In some cases this may be necessary for the app to function. But authorisation is often requested for things that are not absolutely necessary or that may even be totally superfluous.

It is clear that a navigation app can only function if it has access to information about the user's location. Other apps may use the location to show advertising relating to the area or for other purposes that benefit the app-supplier rather than the user. In general, users should be aware that when installing apps that appear to be free of charge or very low-price, they are most likely paying with their data.

Some apps require access to a device's camera. Often it is not immediately clear what the purpose of this is. There may be a very useful function, for example, the app reads barcodes using the camera. However, giving this authorisation theoretically allows the app to activate the camera and to take photos at any time.

By way of an example, the FDPIC took a closer look at a medical check-up app. The user submits their values, a risk analysis is drawn up and further check-ups may be recommended. Upon request, the developers of the app sent us the reasons why they ask for authorisation, which in our view is extensive. The reasons given were by and large comprehensible. For example, the app has to be able to read, alter and delete memory content so that the results can be sent to an email address in a PDF file. However, the app could have been programmed without this feature, the results simply being shown on the device's display.

We would advise users to take a close look at the authorisation they are required to give when installing an app and to decide whether this seems necessary. The terms and conditions of use and/or private policy should be read carefully. It must be clear to the user which personal data are processed by the app. If access to data is required for purposes that are not entirely clear, and if the app supplier is not considered trustworthy, users should not install the app

https://www.edoeb.admin.ch/content/edoeb/en/home/documentation/annual-reports/23rd-annual-report-2015-2016/access-to-data-on-apps.html