Skip to main content

A woman walks past icons for Apple apps at the company's retail store in San Francisco, California in this April 22, 2009 file photo. Canada’s Privacy Commissioner has joined 22 of his counterparts within Canada and around the world to issue an open letter asking tech giants such as Google Inc. and Apple Inc. to better control user privacy in mobile applications.ROBERT GALBRAITH/Reuters

Canada's Privacy Commissioner has joined 22 of his counterparts within Canada and around the world to issue an open letter asking tech giants such as Google Inc. and Apple Inc. to better control user privacy in mobile applications.

The letter calls on seven of the largest operators of app marketplaces to require apps to beef up privacy measures: recipients were Apple, Google, Samsung Electronics Co. Ltd., Microsoft Corp., Nokia Corp., BlackBerry Ltd. and Inc.

As app usage has grown, so has the concern around their privacy controls. Apps are now ubiquitous: as of December, 2013, 75 per cent of Canadian mobile subscribers had a smartphone, according to comScore. Overwhelmingly, those devices function through apps, those tiles we tap on to check e-mail, play games, find map directions, and check social media such as Facebook and Instagram.

These apps have generated their own economy, with $1.7-billion in revenue per year in Canada alone. That number is forecast to reach $5.2-billion within five years, according to the Information and Communications Technology Council.

The joint letter from the global privacy authorities is based on a study conducted this past spring, which tracked more than 1,200 of the world's most popular apps. The Global Privacy Enforcement Network (GPEN) "Privacy Sweep" looked at whether – and how – users were told about the apps' privacy policies.

The privacy authorities were especially concerned about the collection of users' personal information. Of the apps examined in the Privacy Sweep, just 15 per cent of those worldwide and 28 per cent in Canada included privacy information that clearly explained how the app collected and used personal information. More than half of apps worldwide and 26 per cent in Canada had either no privacy information other than requesting certain permissions, or gave "inadequate" privacy information that did not explain how personal information would be collected, used and disclosed.

While the letter was sent to seven "key players," the behaviour that the letter urges is meant for all app developers. The operators of the marketplaces were urged to play a bigger role in privacy controls, however. The letter called on them to include privacy policy links within app listings in their marketplaces (which is sometimes done but is not universal) and to make clear privacy information a requirement before apps can be listed on those marketplaces.

"We're asking marketplaces – the Googles and the Apples of this world, which are sophisticated companies in terms of privacy laws – to be good corporate citizens and to have conversations with app developers that are less sophisticated, to ensure there is at least some privacy information," Daniel Therrien, the Privacy Commissioner of Canada, said in an interview. "...We call on them to have these conversations ... and yes, to respond positively to our letter."

The Globe contacted the seven companies listed on the open letter. All either declined to comment or did not respond to requests for a response.

The first "Privacy Sweep" occurred in 2013, and looked at how privacy was handled by a number of websites. That study led the Office of the Privacy Commissioner of Canada to contact a number of website operators to flag privacy concerns. More than half of those agreed to make changes to their privacy policies.

The second study, which triggered the letter sent this week, looked at apps to address the way we interact with mobile devices on a daily basis. Mobile devices can provide reams of personal information, including a person's location, contact information, mobile purchases and more.

The letter focuses on the worst cases – where privacy information is missing entirely. But there are many other issues, Mr. Therrien said.

"It is also a problem – though not the subject of today's letter – that some privacy policies are very lengthy or are just not done in a way that can be read easily on a small screen," he said.

The global authorities decided to issue the letter together because in a digital world, personal data travels internationally.

Signatories include privacy officials in Australia, Germany, Britain, Hong Kong and South Korea, as well as provincial offices in Canada, in addition to the federal Privacy Commissioner.

"It's essential that privacy commissioners and data protection authorities on many issues act in unison, to send messages to organizations responsible for the collection of personal information," Mr. Therrien said. "… It sends a stronger message when we act collectively."

The letter was spurred on by the findings of the Global Privacy Enforcement Network (GPEN) "Privacy Sweep," a study in May that examined privacy controls in 1,211 tablet and smartphone apps. In Canada, the sweep included 151 of the most popular apps.

Examiners downloaded and used apps to look for five indicators of privacy. Those included a privacy policy that was clearly communicated before downloading; policies tailored to read easily on small screens; permissions requested (such as the permission to access social media accounts or online browsing behaviour, track the user's location, etc.); permissions that did not seem necessary for the app to function; and the examiner's overall satisfaction with how clearly the app explained its use of personal information and privacy policies.

The Office of the Privacy Commissioner of Canada stresses that the study is not a formal investigation, and represents only a "moment in time" – since apps often change and can be improved or updated. As of May, these were some of its findings:

Permissions that apps requested

Of 1,211 apps globally, 75 per cent requested one or more permissions from users. In Canada, 70 per cent did so.


Location: 32 per cent globally/ 22 per cent in Canada

Device ID: 16 per cent globally/13 per cent in Canada

Access to other accounts: 15 per cent globally/23 per cent in Canada

Camera: 10 per cent globally/8 per cent in Canada

Contacts: 9 per cent globally/10 per cent in Canada

Call log: 7 per cent globally/11 per cent in Canada

Microphone: 5 per cent globally/7 per cent in Canada

SMS (text messaging): 4 per cent globally/6 per cent in Canada

Calendar: 2 per cent globally/same in Canada

Apps that scored high

The OPC cited three examples of apps that sweepers gave top marks. Overall, 28 per cent of apps studied were highly rated, compared to a global average of 15 per cent.


Name that tune. This app can be used to detect music and provide the artist and song name.

Access requested:

-access to identity (accounts)




-device ID/call information

Why it did well:

-Clearly explained each permission, so that users understood the request (e.g. for access to system tools, "to prevent the phone sleeping while we play videos, and to sync your Shazam account preferences.)

-Explanations were often given as part of a request for permissions, or via a link in the request

Fertility Friend

A made-in-Canada ovulation calculator that helps users track their menstrual cycles. Users provide intimate health details for app use, including fertile days and instances of intercourse.

Why it did well:

-Acknowledged the information collected is "extremely sensitive"

-Pledged it will not "sell or transmit to others any personally identifiable data"

-Formatted the privacy policy to be easy to read on a small screen

-Committed not to accepting advertising, since it could target users based on health information

Trip Advisor: City Guides

Manage travel by looking up reviews of local establishments and creating itineraries.

Why it did well:

-Formatted the privacy policy to be easy to read on a small screen, including a table of contents that linked directly to that particular information

-Policy included a section dedicated to explaining what personal information the app gathers and why

Apps that scored low

Overall, 26 per cent of apps studied were rated very low (46 per cent fell somewhere in the middle of the ratings). Some examples:

Super-Bright LED Flashlight

A free app that turns a built in phone light into a flashlight.

Access requested:


-device ID

-call information

-photos/media/files – including the ability to modify or delete contents of the device SD card

-Wi-Fi connection information

-other permissions such as the ability to modify system settings

Why it did poorly:

-Did not explain why the information was needed to operate a flashlight

-No link to a privacy policy on the Google Play store listing

-Developer's website contained no content beyond a link for people interested in buying the website domain, and a privacy policy for the developer that included no information about the flashlight app's use of information

Pixel Gun 3D

A cartoon shooting game.

Access requested included:

-device ID/call information

-device/app history


Why it did poorly:

-No privacy policy available in the App Store listing or within the app itself

-No privacy policy on the developer's website

-A "terms of use" policy was available within the app, and said the developer had full control over user content, unless and until the user deletes the content or uninstalls the app – even then third parties and back-ups may still have the information

-The "terms of use" was long and "legalistic," and not formatted for a small screen (for example the font was small, and shown on a "colourful, moving, animated background"