How Mobile Phones Became a Privacy Battleground—and How to Protect Yourself

Illustration of toggle buttons on various mobile apps.

In the 15 years since the iPhone’s debut, the world of data privacy has changed significantly. Since 2007, app-privacy controversies—ranging from the social network Path downloading the contents of people’s address books to every weather app under the sun selling location data—have snowballed, leading to concerns both legitimate and misinformed, as well as the inability of many phone owners to determine which threats are real. But digging through history to understand where the privacy controls of iOS and Android began, and how both mobile operating systems have shifted to give people more control, can give you a better idea of what the true threats are right now.

“I think the transition to mobile devices brought a sea change in data collection, because unlike traditional ad tech, which was mainly focused on what we were searching for, now companies could also focus increasingly on where we were,” Albert Fox Cahn, executive director of Surveillance Technology Oversight Project, told us. “Today the ad tech world would have been unrecognizable from back when the iPhone was first introduced.”

In the absence of a federal privacy law, most ad-tech companies and data brokers are unregulated and opaque in their operation, which makes it nearly impossible for phone owners to track where their data goes or how it gets used, let alone prevent that data from being shared in the first place. It also means that the industry has no standards to follow, so it’s difficult for everyone to figure out what is and isn’t possible on any given device.

What phone owners have instead are sometimes-complicated menus full of permissions that are buried deep within an operating system and rarely set up by default with their privacy in mind.

Where your data goes (and who can see it)

With mobile apps, advertising tends to work like this: An app developer includes a bit of code from a software development kit (SDK), made by an advertising network you’ve likely never heard of, that can gather all sorts of information, such as your location and app-usage data. [1]

Unless you read the details of a privacy policy or bother to scroll through the pages of a terms-of-service statement, you get neither an indication that this data gathering is happening nor details as to what data is being sent to third parties, but that transmitted data contributes to a profile of you that advertisers then use to target ads. These ad companies want as many apps as possible to include their SDK so that they can collect more data to build better profiles.

Whitney Merrill, a privacy attorney and data-protection officer, told us that what scares her most “are the SDKs and random packages that people are throwing in that still collect data in ways that weren’t anticipated.” Merrill described a hypothetical—though not unlikely—scenario in which an app developer monetizes its app by putting in a bunch of different advertising SDKs to leverage as many networks as possible. But because the developer hasn’t investigated the privacy practices of those ad networks, those SDKs could take all the data that passes through them when you use the app, package that data up, and then sell it; these entities could continue to pass your data along, combining it with data from other companies until it forms a clear picture of your behavior. This data can be bought and sold for advertising purposes, or purchased by agencies of the US government.

Although it’s easy to fixate on the creepiness of the ad industry, it’s also useful to remember that there are potentially greater risks to your data and privacy depending on who can see your data. Determining who those parties are, unfortunately, isn’t straightforward. Anyone who works at the company that makes an app, any of the third parties an app sends data to, or even employees at the company hosting the server that stores the data may be able to access some or all of the data you give them.

While this type of data access is outlined in complicated privacy legalese, “oftentimes the most important thing isn’t in the privacy policy, but in how the data is stored,” Albert Fox Cahn told us. The only situation in which this outside access to data is impossible is when the app correctly implements end-to-end encryption. With end-to-end encryption, you are the only one who holds the encryption keys to turn your data from a jumbled mess into something readable, even if that data is stored on company servers. This type of encryption is a feature in a number of messaging apps, most notably Signal.

Very little of what people do online is encrypted this way. This means that anyone’s activity can be accessed by the company hosting the data, in some fashion, even if it’s encrypted on the servers. This is how a company can decrypt data to respond to government requests.

A brief history of mobile-app privacy, told through permissions

In 2007, the era of the modern smartphone began with the original Apple iPhone. When the iPhone launched, an app could access just about any data on your phone without notifying you, including your location and a list of other installed apps. That shifted with the introduction of permission prompts, and those permissions expanded alongside concern among phone owners, often due to alerts from researchers and other reports of privacy violations. While we were doing our research for this article, sifting through 15 years’ worth of news stories regarding smartphones and privacy, we noticed a trend: A privacy-related controversy would erupt, followed by some sort of system-level fix on both iOS and Android.

It turns out that a broad overview of the history of mobile operating systems makes it easier to understand the current data economy. So let’s take an abridged look at some of the watershed moments of the past 15 years.

2007–2010

Smartphones’ first few years were relatively free of privacy controversies, but that’s partially because people didn’t know to look for them yet.

For instance, at launch, advertisers used your phone’s permanent device identifier, basically your phone’s equivalent to a Social Security number, to track you for advertising, a practice that wouldn’t change for another five years. “Previously it was a wild west,” said Will Strafach, founder of the Guardian firewall and VPN app. “In a sense, it’s what started this advertising and analytics bubble. Where there was a lot of unchecked ability without any user permission.”

2010–2014

The first “Oh no, what have we done?” moments cropped up as the privacy implications of having a tiny always-on computer that traveled everywhere with a person began to take shape in the early 2010s. During those years, media scrutiny of apps increased while one of the first major app-privacy controversies emerged, leading to changes at the system level to try to rein in third parties’ access to data.

2015–2019

We’re inclined to refer to these years as the “It turns out location information is important” period. Several experts we spoke with noted that location data is a troublesome problem to solve, and it’s also especially valuable to advertisers and law enforcement. “It’s all or nothing” with location data, Will Strafach said. “It’s this weird middle ground where Apple can’t do technical enforcement on that without straight up not allowing location access for certain apps.” And anonymizing that data is nearly impossible, as Whitney Merrill noted: “It’s very hard to anonymize location data. You just have to make it less precise.”

2020–present

Halfway through the second decade of the smartphone era, it’s now a “Privacy is important” period, as most people are starting to pay far more attention to such concerns than they did before. The change is partially due to the flood of news about privacy violations, starting with reports about unprecedented government access to personal data and moving on to the weaponization of data against individuals.

Of course, the past 15 years haven’t been filled with mobile-app controversies exclusively. This decade and a half has seen Facebook gobbling up WhatsApp and Instagram, Google buying Waze, YouTube, and dozens of ad-tech companies, and countless stories of big-tech companies sidestepping privacy rules, cellular carriers repeatedly sharing customer data, and military spyware being installed on thousands of phones. And that’s not even touching on other impactful privacy violations such as the Facebook and Cambridge Analytica scandal or the simple fact that every company appears to be an ad company now.

It’s all, well, a lot.

How to improve your mobile privacy

It’s impossible to completely prevent tracking and sharing of your data, and even failed attempts to do so can make using the internet on your phone a terrible experience. In some ways, just being aware of where your data can end up, as described above, is a good first step. But you can do a few things to minimize data collection on your phone while mostly maintaining the major benefits of the technology itself:

Of course, mobile apps aren’t the only source of privacy problems. Any web browsing you do on your computer might be logged and linked to you (and linked to your mobile web browsing, for that matter), and although in comparison desktop computers tend to have more privacy-protection options, they’re rarely set as the default. We have some suggestions for browser extensions that can help.

And the concern is not limited to traditional computers and smartphones anymore. Smart TVs, smart speakers, and plenty of connected devices collect and share all sorts of data about their owners. In those cases, you’re best off spending a few minutes poking through the various settings to disable any sharing you can.

In the 15 years since the launch of the major mobile operating systems, phone owners have clearly gotten more control over what data their apps can access. Phone owners can block certain obvious red flags like microphone or video access, control what photos an app might access, and disable system-level features, such as Bluetooth connectivity, per app. But there are still hurdles to overcome. Location information is nearly impossible to anonymize and control (there’s no way to guarantee that an app will use your location for its services but not sell that data, for example), and companies can use seemingly innocuous data, such as battery life and screen brightness, to create a device “fingerprint” for tracking. Moving forward, that familiar pattern—privacy and security experts find a flaw, Apple and Google fix it—is likely to continue. History has shown that they can be pressured into addressing flaws, and as they do, you’ll probably have to dig around in exciting new settings on a regular basis.

This article was edited by Arthur Gies and Jason Chen.

Footnotes

1. SDKs aren’t inherently bad, nor are they exclusively used for advertising. Instead, they’re small bits of code that make developing common tools in apps faster and easier. Advertising is just one of those possible components.

2. Both iOS and Android would go on to iterate on location-data access several times, more than on any other permission. iOS 8 (2014) and Android 10 (2019) added the prompt to restrict location access to when the phone owner is using the app. iOS 13 (2019) and Android 10 added the ability to allow it only one time. And iOS 14 (2020) and Android 12 (2021) added the ability to choose between providing an approximate or precise location.

3. This wouldn’t be a requirement until 2018 for Apple and 2022 for Google.

4. As of iOS 16, there are 17 permissions in this section; Android has 13.