How User Profile Data is Being Captured And Shared Over Mobile

finjanmobileBlog, Mobile Security

user profile data

With data privacy scandals like the Cambridge Analytica affair hitting the news on an almost daily basis, people are getting used to the idea that their online user profile data is being routinely captured and shared with third parties. But as increasing numbers of users move away from desktop and laptop computers as their primary means of internet access, what they may not realize is that these activities have been shifting to the mobile realm, in an ecosystem of devices, mobile web platforms, and mobile software applications.

In this article, we’ll be looking at why and how user profile data is captured and shared over mobile channels, and make recommendations for privacy protection and the selection of responsibly designed and non-invasive mobile apps.

Why Are User Profiles Captured and Shared

At the legitimate end of the spectrum, gaining access to user profile data can be of immense benefit to marketing and advertising professionals. This is true whether the profiles are in their raw form (e.g., at the point of data entry, for an online survey), or “anonymized” by having the bulk of their personally identifiable information (PII) stripped out, before the data is shared.

In sales and marketing, user profiles offer a comprehensive set of organized personal data about the people who engage with various brands on different “channels” such as web sites, eCommerce platforms, mobile apps, email, and social media. Using this information, it’s possible to create targeted and personalized advertising, device, location, and person-specific offers, and highly detailed campaigns.

Successful marketing tactics like this can make a lot of money for the agencies concerned, and the brands they serve. And there’s money to be made by the app developers and site managers who make user profile data available (for a price) to marketers and advertising networks.

At the more sinister end of the scale, hackers and cyber-criminal networks have always been on the lookout to capture user profiles, for the short-term gains and longer-term leverage that the information contained in them can provide.

Plain text (unencrypted) direct data entries can easily give opportunities for identity theft, account hijacking, and direct access to funds or more valuable information. And these days, even anonymized data may be processed to yield enough credentials to build quite comprehensive digital identities for impersonation, social engineering tactics, and the creation of bogus accounts.

How User Profile Data is Captured and Shared

In a traditional desktop environment, browsing histories and cookies (little text files charting all kinds of aspects of your online activity) have been the predominant ways in which user profile data is captured, before the data can be processed and shared or sold on to third parties.

But cookies aren’t a feature of the mobile browsing experience. So online platforms and marketers have to look to other methods, for extracting the information they need about mobile internet users and consumers. Several options are available to them, including:

  • Device identifiers: Phone numbers or device-specific and unique 15-digit IMEI numbers can be obtained from network carriers, while the Media Access Control or MAC addresses of wireless routers can easily be matched with physical addresses.
  • App permissions: At the point of installation, mobile apps will routinely demand a set of permissions from the user, including the right for certain kinds of information to be captured and shared.
  • Initial app set-up: When an app is opened for the first time, a user profile is usually created automatically, which at the minimum may include the date, the user’s language and geographical region, and the app version.
  • In-app monitoring: User information may be captured on a continuous basis, as tasks and sessions within an app are completed, purchases are made, and sections of an app or online platform are visited.
  • Notification options: Apps will also typically include a Settings menu, where choices can be made on how to communicate with and receive messages from the app (push notifications, email, SMS, etc.).
  • Third-party libraries: These contain pre-packaged code and application tools developed by various companies and programmers, for mobile app developers to plug into their software. Individual libraries may contain user profiles from several different sources, so those with access to a particular library may also gain access to a wealth of captured data by default.

For data processing, all of this information and data from other sources such as social media and company profiles may be analyzed on a cloud-based platform such as a Customer Relationship Management or CRM system. This software is capable of pulling in data from numerous sources, and assembling from it a detailed user profile, which may be dynamically updated as fresh information is captured – and from which information may be shared with other agencies and third parties.

Since these systems are available to anyone who can pay the license fee (and a number of them are actually free), both legitimate business and criminal users have access to this technology.

And the mobile approach is gaining ground. Research conducted in 2017 suggests that more than 70% of smartphone apps are reporting personal data to third-party tracking companies like Google Analytics, the Facebook Graph API, or Crashlytics.

Kids Are At Risk, Too

According to research conducted by kids digital media company SuperAwesome, children globally account for as many as 100,000 new internet users each day. And these young users typically spend over 21 hours a week online, interacting with social media platforms and sites like Facebook, which have been primarily designed for adults – with an underlying priority to gather data from users that can be used for any or all of the purposes described above.

A 2017 report issued by professional services network PricewaterhouseCoopers (PwC) expects the global kids digital advertising market to hit $US1.2 billion by 2019, in an environment where online advertisers and marketers will have captured more than 72 million bits of data from each child, by the time they reach the age of 13. And the bulk of this data will have originated from mobile avenues, as smartphones are the primary internet access channel for users of this generation.

Responsible Mobile App Design

As we’ve seen from the ways in which user profile data is being captured and shared over mobile, the app ecosystem and its associated third-party libraries account for much of this activity. So seeking out and using apps that have been designed with a responsible attitude to data gathering and data sharing, is a wise move. Apps that fit this profile should incorporate the following features:

  • Keeping data collection at a minimum: Only information relevant to the proper functioning of the app should be captured, and any data that’s shared should also be released to outside agencies and networks relevant to what the app does (e.g., time and location information to an online weather service).
  • Clear distinctions between private and shared: There should be distinct markers within the app, indicating which operations and data entries are locally stored (and assumed to be private), and which information is being shared with external agencies.
  • Controls for editing your profile: As on social media, there should be a section of the Settings menu that enables users to edit their own profiles, and effectively control the amount and nature of the information about them that’s being captured, for all purposes.
  • Options to opt out: There should be clearly presented and easily comprehensible options spelling out the user’s right to refuse to have their profile and other data captured, or shared. Recent legislation like the European Union’s General Data Protection Regulation (GDPR) has been forcing a rethink in app design and presentation on this basis, but many developers have yet to catch up with this approach.

Other Measures for Protecting Mobile User Profile Data

In addition to seeking out mobile apps that have been designed with a responsible attitude to data privacy, there are some best practices which can reduce your level of exposure.

Altering your device settings to reduce the “footprint” that it makes, is one option. This could include turning off GPS and other geo-location services, when they aren’t necessary, and using a mobile VPN (Virtual Private Network) application or service to mask your identity and location online.

Discretion on social media and other open forums is another recommendation. Don’t reveal every detail of your life in your user profiles, and minimize the publication (via comments, posts, or geo-tagged pictures) of details that could be used to reconstruct your identity and movements.

Major platforms like Facebook, Twitter, and Google+ now have options for refusing access to third-party apps and networks which (like the now defunct Cambridge Analytica) make a habit of sharing or selling user data to outside agencies.

With little in the way of binding legal controls against user profile data being captured and shared over mobile channels, these precautions can at least reduce your vulnerability to these practices.

Secure All of Your Devices for One Low Monthly Fee!
Get InvinciBull™ VPN now!

Share this Post