The French Data Protection Authority (“CNIL”) and the French Institute for Research in Computer Science and Automation (“INRIA”) have been collaborating for the past three years on a research project called “Mobilitics” aimed at better understanding the smartphone ecosystem and the associated data protection implications.

Smartphones are a data wonderland: An average of 30 apps are installed per user; 1.4 million apps were available in the Google Play Store as of February 2015; 1.3 million were available in the Apple App Store as of September 2014; and user data may be accessed without users even being aware most of the time.

In order to fully grasp how this growing ecosystem works, the CNIL and INRIA developed an analytics tool called “Mobilitics”, and loaded it on the smartphones of volunteer CNIL staffers. After a first series of tests conducted in 2013, the CNIL and INRIA released late last year the results of their second experiment, which identified the three following trends: 

  1. Apps increasingly collect technical, hardware and software identifiers. Between 50% and 60% of the tested apps accessed such identifiers.
  2. Geolocation data, which provides contextualized information, remains key to most app services. The experiment notably revealed that geolocation data is accessed very frequently, even when the app is not open; certain apps access geolocation data every minute on average. Geolocation data represents the greatest volume of collected data – about 30% of all the data collected.
  3. The fact that some services are installed by default leaves users with the choice of allowing access to their data, or deleting the app.

For the CNIL, these findings indicate a lack of transparency and insufficient user control over data, particularly in respect of the amount of data collected and the associated privacy risks. The CNIL has called for improvements from all the actors in the ecosystem, such as apps publishers, OS publishers, app stores, and third-party service providers. To this end, the CNIL has reiterated its support of privacy by design principles (soon to be enshrined in the EU data protection regulation), and in particular data minimization by limiting data collection to what is strictly related to the service delivered.