Some smartphone apps collect and transmit sensitive information stored on a phone, including location, contacts, and Web browsing histories, even when the apps are not being used by the phone’s owner, according to two researchers at the Massachusetts Institute of Technology.

“It seems like people are no longer in control of their own privacy,” said Frances Zhang, a master’s degree student in computer science at MIT.

Zhang and fellow researcher Fuming Shih, a computer science doctoral candidate, found that some popular apps for phones running Google Inc.’s Android operating system are continually collecting information without informing the phone’s owner.

The popular game Angry Birds uses the phone’s GPS and Wi-Fi wireless networking features to track the owner’s location, even when he’s not playing the game, for example. Another game, Bowman, collects information from the phone’s Internet browser, including what websites the owner has been visiting. And WhatsApp, a popular text-messaging program, scans the user’s address book when it is seemingly idle.

What is not known is whether apps that run on Apple Inc.’s iPhone and iPad tablet computer collect information in similar ways. Shih and Zhang only tested 36 apps written for the Android operating system, which is “open source” software — meaning users are free to modify programs that run on the platform. The researchers added software to Android that recorded the actions of each app on a standard Android phone. They could not run the same tests on iPhone or iPad apps, because Apple’s software can’t be modified by users. Zhang said it’s possible iPhone and iPad apps also collect and transmit information in the background, “but we don’t have the data to support that.”


There are logical reasons for some apps to collect such data, Zhang said. Rovio Entertainment Ltd., the maker of Angry Birds, makes money from the free version of the game by displaying ads on the screen. It uses location data from the phone to point players to local advertisers. But Zhang questioned the need to keep tracking user locations even when the game is shut down. And there is no apparent reason a video game like Bowman needs to know about the player’s Web-surfing habits, she said.


The developers of Angry Birds and Bowman did not respond to requests for comment.

WhatsApp cited its privacy policy, which says its app scans address books for phone numbers only to see if any of the user’s friends are also WhatsApp users. According to the policy statement, WhatsApp does not copy names, addresses, or e-mail addresses from the phone’s address book.

Zhang and Shih have applied for a patent on their research, which they hope to turn into a rating system to help consumers quickly understand privacy policies for thousands of apps. They used the results of their tests to calculate an “intrusiveness score” for each app, rating the amounts of personal data it collects while in use and when idle. But they can test only a handful of the more than half a million Android apps, so they hope to develop a separate app that would “crowdsource” the process. Owners of Android phones could install the app, use it to test other apps, then publish the results on a website. Consumers could check an app’s intrusiveness score before deciding whether to install it.

“Over time, we hope to use this to motivate developers to be more careful about their privacy practices,” Zhang said.


Tracking the privacy impact of smartphone apps “is just incredibly, incredibly hard,” said MIT computer science professor Hal Abelson, adviser to Shih and Zhang.

Most apps have written policies on privacy, according to a survey released in July by the think tank Future of Privacy Forum in Washington, D.C., which is funded by a number of technology companies.

But privacy policy statements are often so long and difficult to understand that few people read them, and they often lack crucial details, Abelson said. The privacy policy for Angry Birds, for example, does not reveal that the app continues to track a user’s location even when the game is shut down.

In June, the National Telecommunications and Information Administration announced an effort to create legally enforceable privacy standards for mobile apps.

“The first step is transparency,” said Peter Swire, a professor of law at Ohio State University who oversaw federal privacy policy during the Clinton administration.

The MIT research could help by providing simple privacy evaluation tools for consumers and regulators.

“I think it will help the ecosystem,” Swire said, “because we’ll see the embarrassing practices more quickly.”

Hiawatha Bray can be reached at bray@globe.com.