Under the guidance of CSAIL Principal Investigator Hal Abelson — the Class of 1922 Professor in the Department of Electrical Engineering and Computer Science — CSAIL graduate students Fuming Shih and Frances Zhang are investigating how much certain smartphone applications know about users. They started by exploring Google maps, a common download for smartphone users. Shih and Zhang found that the Google maps application continues to gather location information from users even when the application has been closed. Based on their initial investigation, the researchers were curious to see how many other applications continued to track users when not in operation.
After evaluating 36 applications — ranging from popular games such as Angry Birds to text-messaging platforms, social media applications and photography applications — researchers found that most applications collect personal information about their users even when the phone is not in operation. Shih and Zhang found that applications tracked everything from location information to stored contacts and the device's Web history.
The research was inspired by DIG's commitment to personal data management and information transparency, especially in the new world of mobile communications.
"Our group stresses the importance of transparency, and the right people have to be informed about how their information is being used. We feel that it is important for people to be able to evaluate the privacy risk they are facing," Shih says. "You should be informed that when you turn off your phone's screen that some smartphone apps are still collecting information."
To evaluate the operation of specific applications, researchers modified the Android operating system, which is open to changes from independent users. Shih and Zhang altered the Android operating system so that all tracking activity was reported to their app tracking platform. By collecting this data, they were able to see which applications recorded personal information, when they gathered information, and what type of data was being tracked.
Researchers were unable to evaluate how iPhone applications gather personal information, as the Apple operating system is not open source.
For the purposes of the study, researchers based their definition of a phone not being in use as the device's screen being turned off, a state they refer to as "idle mode," as opposed to actually powering down the device.
Another interesting finding from Shih and Zhang's research was that free versions of applications often gathered personal information while paid versions did not, possibly a technique for making money off an application, according to Shih.
Researchers hope that their app tracking technology can be used to help increase transparency, possibly spawning information sharing sites where people could contribute information on the information gathering techniques of specific applications. In the future, Shih would like to see Android, iPhone or a third party develop a system whereby consumers could see how each application gathers and uses their personal information, such as a privacy rating system.
"We are trying to get a better understanding of what information is being shared and when it is being shared," Abelson says. "What we have found is that even for people in research groups, it's hard to understand what is being shared and the consequences."