Mobile Ecosystems: We don't know enough about the impact of smartphones on our digital rights
Most people today access the internet via mobile devices we call smartphones. Through these devices, users can access data stored in remote servers, navigate with GPS-enabled maps, photograph their daily lives, read the news, and connect with family, friends, and colleagues around the globe.
But smartphones are also tracking devices that leave a digital trace of our every movement, both online and offline. Companies that produce these devices are the custodians of sensitive user information, as well as gatekeepers to countless types of apps available in their app stores, and therefore have tremendous influence over users' freedom of expression and privacy.
In 2016, most of the world's mobile devices were running either Apple's iOS operating system or some version of Google's Android mobile operating system. For this reason, the 2017 Index was expanded to include Apple iOS, Google Android, and Samsung's implementation of Android, makers of mobile devices and software products that we call "mobile ecosystems." A mobile ecosystem, as the Index defines it, is "the indivisible set of goods and services offered by a mobile device company, comprising the device hardware, operating system, app store, and user account."
Our findings showed that all three mobile ecosystems evaluated failed to sufficiently disclose policies affecting users' freedom of expression and privacy. This means that it is difficult for users to know and understand how their Apple or Android smartphones control their ability to create, share, and access content, or how mobile ecosystem companies determine who has access to their information under what circumstances.
- While all companies fall short, Google's Android disclosed more about policies pertaining to users' freedom of expression and privacy than Apple's iOS or Samsung's implementation of Android. The starkest differences are in the Governance and Freedom of Expression categories: in both categories, Google led both Apple and Samsung by a wide margin. Google made stronger commitments to protect users' freedom of expression rights at the company-wide level, as measured by the Index's governance indicators, and provided stronger disclosure of policies that affect these rights for Android users compared to both Apple and Samsung.
- Apple, by contrast, disclosed a company-wide commitment to protect users' privacy but made no commitment to protect freedom of expression. The company had similarly weak disclosure of policies that affect users' freedom of expression for iOS users.
- Samsung made a commitment to respect users' freedom of expression and privacy at the corporate level but does not sufficiently disclose how (or whether) those commitments are implemented in practice.
Why does Google outperform Apple and Samsung?
It is important to note that of these three companies, Google is the only member of the Global Network Initiative (GNI), an organization whose company members commit to uphold principles of freedom of expression and privacy. Additionally, GNI conducts an assessment of whether members have implemented the principles satisfactorily. It has multi-stakeholder membership, and is governed by a multi-stakeholder board. Index data showed that GNI members performed better on the Governance category than other companies, like Apple and Samsung. (Download the full report for more detailed analysis.)
It is possible that both Apple and Samsung may have internal policies and practices aimed at protecting users' freedom of expression and privacy that they do not formally disclose to the public. However, the Index only gives credit for policies that are publicly accessible and presented in a company's policy documents. We take this approach as a way to encourage companies to formalize their commitments into policy so that users can make informed decisions about the products and services they use.
Leading figures at Apple, for instance, have made numerous statements in the media about the company's commitments to privacy and security, and the consensus in the technical community is that Apple's products are the most secure on the market. However, its commitments in this regard were not always clearly specified in the policy documents evaluated for this Index.
The Apple App Store, Google Play Store, and Samsung Galaxy Apps store are chokepoints for freedom of expression. All three mobile ecosystems failed to sufficiently disclose policies affecting users' freedom of expression. While Google's Android disclosed more than its peers, no company provided enough information to enable app users and app developers to fully understand what kinds of content can be created and shared, what types of activities are prohibited, or the consequences for violating these rules.
For several indicators in the Freedom of Expression category, the Index evaluated both "user-facing" and "developer-facing" policies. App developers are creators of content and conduits for freedom of speech, information, and other kinds of expression. Therefore Ranking Digital Rights (RDR) takes the position that app developers are, in effect, a type of user whose freedom of expression can be restricted by companies' terms of services or app developer agreements, which set rules for what types of content and activities are permitted on app stores.
For all companies, the terms of service agreements for app users and app developers were neither easy to find nor to understand (F1). None provided any data about content or accounts they restrict for terms of service violations (F4). Only Google provided some disclosure of whether it notifies app developers when it removes an app for breaching Play Store rules (F8). All three companies disclosed a policy of requiring app developers to verify their identities as a condition of registering with their app developer programs (F11).
Likewise, only Google, an industry leader in transparency reporting, disclosed data on the number of government requests it receives and complies with to remove third-party apps from its Play Store (F5, F6, F7). Apple iOS revealed little about how it handles government and private requests to remove content, specifying only that a court order would be required (F5). Samsung provided no information at all about how it responds to or complies with such requests.
While Google was more transparent than Apple and Samsung about policies affecting users' freedom of expression, all mobile ecosystem companies evaluated can and should do far more, by:
- Recognizing app store content as a freedom of expression issue. Companies that have committed to protecting users' freedom of expression principles should ensure that mobile ecosystems and app stores are clearly covered by due diligence and governance processes necessary to implement those principles.
- Clearly disclosing policies and processes for handling requests to remove or pre-emptively restrict apps, whether such requests come from governments or from other entities. Companies should also disclose in their transparency reports information about app removals and restrictions from their app store, including the number of requests received and complied with as well as data about apps or other content removed in the process of terms of service enforcement.
Mobile ecosystems present users with a myriad of privacy concerns. Apple's iOS, Google's Android and Samsung's Galaxy all collect, share and retain large amounts of user information—which could include personal correspondence, user-generated content, account preferences and settings, location data, log and access data, data about a user's browsing activities, and all forms of metadata.
App stores also host third-party apps that can collect equally vast amounts of user information, which can be overly broad or irrelevant to the app's function: for example, games that require access to users' contacts, camera and even email communications. Apple and Google are starting to take steps to protect user privacy from unscrupulous third-party developers. Until recently, Apple's App Store and Google's Play Store were full of "free" flashlight and game apps that siphoned user information without the user's knowledge or consent. That data would then be sold to unaccountable data brokers.
Mobile ecosystem companies should therefore:
- Disclose a commitment to evaluate the content of privacy policies of third-party apps, and disclose information about this enforcement process in transparency reports. Companies should also require third-party apps to notify users of changes to privacy policies, so users can make informed decisions about their continued use.
Lack of security updates leaves users exposed. Google was the only company to disclose how long various device models would be guaranteed to receive software updates, a "best by" date for smartphones. Apple and Samsung did not provide such information, making it difficult for users to evaluate for how long their devices will be safe to use (P14).
Given the vast amounts of sensitive personal information saved on and generated by smartphones, users' freedom of expression and privacy rely on the devices' software being up-to-date and resilient against malware. The timely delivery of software updates to mobile devices is a major security and equity issue worldwide. Indeed, the newest and most expensive smartphones are more likely to be up-to-date than older, inexpensive models, leaving lower-income users more vulnerable to malware and targeted hacking.
Android models from the Nexus and Pixel product lines and iOS devices receive updates directly from Google and Apple, respectively, but other Android devices, including those made by Samsung, often lag weeks or months behind. Manufacturers and telecommunications companies alike can modify Android's code for various reasons, and this in turn affects how quickly users receive updates after they are released by Google. As a result, users can spend months using unpatched devices with known vulnerabilities. It is therefore critical for companies to deliver security updates to users within 30 days of the patch being made available, and to clearly communicate to users for how long after purchase (or until what date) they are guaranteed to receive software updates.
Samsung — and other Android manufacturers — should:
- Commit to deliver all security updates to users within 30 days of a patch being made available. Companies should also clearly communicate to users for how long after purchase (or until what date) they should expect to receive software updates.