App vs. website: Which best protects your privacy? It depends

Should you use the app—or a web browser—for that? That’s the ques­tion that North­eastern researchers, led by assis­tant pro­fessor David Choffnes, ask in new research that explores how free app– and web-based ser­vices on Android and iOS mobile devices com­pare with respect to pro­tecting users’ privacy.

In par­tic­ular, the team inves­ti­gated the degree to which each plat­form leaks per­son­ally iden­ti­fi­able information—ranging from birth­dates and loca­tions to passwords—to the adver­tisers and data ana­lytics com­pa­nies that the ser­vices rely on to help finance their operations.

The answer? “It depends,” says Choffnes, a mobile sys­tems expert in the Col­lege of Com­puter and Infor­ma­tion Sci­ence. “We expected that apps would leak more iden­ti­fiers because apps have more direct access to that infor­ma­tion. And overall that’s true. But we found that typ­i­cally apps leak just one more iden­ti­fier than a web­site for the same ser­vice. In fact, we found that in 40 per­cent of cases web­sites leak more types of infor­ma­tion than apps.”

Those types of infor­ma­tion vary, based on the plat­form. For example, the researchers found that web­sites more fre­quently leak loca­tions and names, whereas only apps were found to leak a device’s unique iden­ti­fying number.

The researchers will present their find­ings in a paper at the 2016 Internet Mea­sure­ment Con­fer­ence, in Santa Monica, Cal­i­fornia, in November

The team’s aim is to help users make informed deci­sions about how best to access online ser­vices. To that end, they have inte­grated their find­ings into an easy-to-use inter­ac­tive web­site that rates the degree of leak­i­ness of 50 free online ser­vices, from Airbnb to Zillow, based on each user’s pri­vacy preferences.

Here’s how it works: Users select from a drop-down list of 50 ser­vices and check off whether their oper­ating system is Android or iOS. Next they’re asked to rate var­ious types of per­sonal infor­ma­tion, from their birth­dates to their devices’ unique iden­ti­fiers, they care most about keeping pri­vate. Then, auto­mat­i­cally, the site gen­er­ates two “leak­i­ness indexes” for the ser­vice selected—a sky blue bar for the app ver­sion, a lime green one for the web—and rec­om­mends which plat­form is best for that par­tic­ular user.

There’s no one answer to which plat­form is best for all users,” says Choffnes. “We wanted people to have the chance to do their own explo­ration and under­stand how their par­tic­ular pri­vacy pref­er­ences and pri­or­i­ties played into their inter­ac­tions online.”

A call to action

For the study, the researchers selected 50 of the most pop­ular free online ser­vices in a variety of cat­e­gories, including busi­ness, enter­tain­ment, music, news, shop­ping, travel, and weather. Each ser­vice had to offer the same func­tion­ality on both its web­site and app. To ensure that they were inter­acting with the ser­vices as everyday users would, the researchers con­ducted manual, rather than auto­mated, tests, per­son­ally log­ging in, entering requested user data into text fields, and nav­i­gating the environment.

My goal is not just to tell people a scary story but to issue a call to action. Users could start requesting the pri­vacy and trans­parency con­sid­er­a­tions they want from the com­pa­nies they interact with.
— David Choffnes, assis­tant professor

Both apps and web­sites, they found, leaked loca­tions, names, gender, phone num­bers, and e-mail addresses to varying degrees. But there were sur­prises. “We didn’t expect to find the diver­sity of infor­ma­tion col­lected across the dif­ferent plat­forms even for the same ser­vice,” says Choffnes. More­over, four ser­vices sent encrypted pass­words to another party: the Grubhub app, unin­ten­tion­ally, due to a bug, which has been fixed; the Jet­Blue app, for authen­ti­ca­tion pur­poses; the Food Net­work app and web­site, for iden­tity man­age­ment; and the NCAA web­site, for iden­tity management.

The rea­sons for the inten­tional leaks are legit­i­mate, and I’m sure that the ser­vices have appro­priate agree­ments with the other par­ties to pro­tect the pass­words,” says Choffnes. “But the prac­tice still raises an impor­tant issue: Users have no idea that their pass­words are being sent to another party.” Con­sider: Jet­Blue cus­tomers making an air­line reser­va­tion likely assume they are sub­mit­ting their pass­words to Jet­Blue for authen­ti­ca­tion, when in fact their cre­den­tials are being man­aged by a third party, Useablenet.

Choffnes hopes that the find­ings will start a dia­logue between con­sumers and online ser­vices about the kinds of infor­ma­tion that should be col­lected, bal­ancing the ser­vices’ rev­enue needs with con­sumers’ pri­vacy needs. “My goal is not just to tell people a scary story but to issue a call to action,” he says. “Part of that action could be that users start requesting or even demanding the pri­vacy and trans­parency con­sid­er­a­tions they want from the com­pa­nies they interact with.”


Substack subscription form sign up