TL;DR: I take two examples of design choices that are problematic in terms of ethics and compliance with the GDPR. Reseplaneraren, a travel planner and FMTK, a fitness app. Both of these apps are from government controlled entities and both are tax funded.
Responsible disclosure note: Research was initiated September 2017, and by October 2017 both had acknowledged that they had received my report. A shorter version of this blog post was published on my Medium blog in September 2017.
The Swedish military has a fitness app whose purpose is to get potential recruits and their employees into shape. I like excersising, so I install it to try it out! Unfortunately, I don’t get as far as to do anything, because the first thing that happens upon opening is that I am prompted to grant the app access to my photos, media and files.
Do I want an app linked to the military to have access to the full contents of my phone – my pictures of my family, my party pictures, all the nude pics someone else (may or may not have) sent me? No, I think I’ll skip, thank you. According to the GDPR, I have a right to do so.
I click deny . Obviously. I want to get going with getting fit! To my surprise, the app prompts me:
Access is denied and the app cannot function as it’s supposed to without it.”
I am denied all access to this app because I won’t give them free access to every picture I make.
In September 2017 I asked the Swedish military who published the app why I have to give them all that information. In October 2017 they got back to me and said that they would look into it. I gave them my phone number, offering to explain the issue further to them. They replied and said they would fix the issue.
In June 2018 I installed the app again, and the issue is still there. I thus sent them a new email.
I haven’t gotten any answers as to why they even want the permission. However, other users of the app tell me that this permission is only used for setting a profile picture. The app has some social features, why it would make sense to be able to set a profile picture, but by no means this is a core feature.
I don’t think the military does this in order to spy on potential recruits. I think they do it due to poor design choices. These design choices however compromise my privacy and are unlawful.
My next example is the travel planner app (Skånetrafikens Reseplanerare) that wants me to grant them the following permissions:
The location would make sense since it will provide five seconds less of typing, but it’s not a core feature and the app can function without it.
I can’t even begin to theorize why they would want to use my identity, my photos/media/files and my device and app history. These are not permissions that the app could use in
What they ask for is extremely invasive to the user’s privacy.
In September 2017 I reached out to Skånetrafiken via Twitter and asked them for what purpose they need these permissions. Their support has promised me that an accountable person will contact me “soon”.
After this I had a conversation with them, where they said that I’ve been installing the wrong app. The new improved app doesn’t have this issue. My new question then is why the old app still is downloadable? Also now, nine months later, I can find the old Reseplaneraren in Google Play Store, and it is marked as having more than half a million downloads.
Maybe it’s a good idea to revoke the app?
Is this practice lawful?
The new European Privacy legislation, GDPR, states that I must be able to grant an app granular permissions: consent to some and not consent to others, as well as revoke given consent. They must also only ask for permissions that are reasonable for the scope of the app. Setting a profile picture is not a core feature of a fitness app. Knowing what other apps run on the device are not core features of a travel planning app.
In these interfaces, I am not granted those rights — I am convinced that neither Skånetrafikens nor Försvarsmakten do this of malice. Android permissions are hard to wrap your head around, but that is no excuse for government issued apps to break the law.