Jay-Z’s App Highlights Privacy Issues in Collecting Vast Amounts of Smartphone Data
Jay-Z’s new album, Magna Carta… Holy Grail, was released last week after much hype. But if you own a Samsung Galaxy phone, you had the option to get the album for free. Great deal, right? Samsung reportedly paid $5 million for the privilege of providing a million copies to its users, gratis. All a user had to do was be one of the first million users to install an app called Magna Carta, which Samsung had developed, and they’d receive a copy of the album 72 hours before its official release.
In exchange for a chance to get the album for free, the app required several permissions from the user, without clearly explaining for what purposes data was being collected. The Samsung Galaxy runs Google’s Android operating system, which notifies users of specific permissions that each app requires to function. In this case, the app requested several permissions, including the ability to modify or delete USB storage, prevent the phone from sleeping, gain access to location data, obtain full network access, and read the phone’s status and identity, among others. When rapper Killer Mike saw this request list, he took a screenshot and tweeted it with the caption “Naw I’m cool”, later elaborating that he’d just buy the CD because his other apps weren’t as probing.
Killer Mike was right to notice that the Magna Carta app was collecting more information than it required to function. While apps certainly need some permissions in order to effectively operate, in this case some of the permissions requested were clearly unnecessary for proper functioning. For example, it’s not clear why the Magna Carta app would need a user’s location – one of the most sensitive pieces of personal information that a smartphone can collect – in order to work. Given that Samsung was surely confident that millions of users would download the app for a chance to get the album for free, the company was gaining access to a vast amount of location data with ease. While some users might view that as a fair trade, others – like Killer Mike – wouldn’t.
Yet those users had no way to opt out or select with any granularity the permissions they’d be willing to grant, or know exactly where that data was going. Users could certainly read a lengthy privacy policy – assuming they could find it, as it’s not currently on the Google Play store – but burying details regarding collection, use, and retention in contractual language doesn’t give consumers meaningful notice about important terms of service.
It’s not even clear that Jay-Z or his partners had grandiose plans to monetize this data grab. While the app has been pulled from the Google Play store, Samsung’s privacy policy (which appears to govern the app’s functions) and terms of service remain accessible. In its U.S. Privacy Policy, Samsung states that for some of its services, users must provide personal information and may have information collected by Samsung services, including device, log, and geolocation information. That information can be used by Samsung for customer analytics or marketing (among others), and could be appended with offline databases. Samsung states that it won’t share personal information with third parties, but it may share it with affiliates, professional advisers, with the government when required by law, and service providers.
Because the provisions in the privacy policy aren’t specific to the Magna Carta app, but rather to all Samsung products, it’s unclear whether Samsung is using the provisions of the privacy policy to their fullest extent. The term “affiliate” could mean anything, for example – a subordinate business entity, a corporate partner, another company that Samsung has contracted with – and thus the ban on third-party sharing may be merely nominal. And given that Samsung states that it could collect a large amount of phone data, from geolocation to device identifier, personally identifiable information could flow to an “affiliate,” which may then have its own broad policies on data sharing. As a result, consumers have very little knowledge of how far afield their data might go as a result of using Magna Carta. In fact, it’s entirely possible that the app was just designed lazily, copying other code and authorizing data access that its developers had no intent to use or even collect.
Some argue users have no rights to affirmatively use apps and can merely vote with their feet by not using apps that collect too much information, but in this case it’s difficult to know what information is being collected. Some users might be willing to grant Samsung and Jay-Z access to their data, if there were more clarity regarding the uses and retention periods that the company would institute. CDT has provided best practices for mobile app developers on how to ensure that users understand what data is being collected and for what purposes. By incorporating privacy into the earliest stages of product development, mobile app developers can ensure that user privacy is respected and that data is collected, used, and retained with appropriate limits. By doing so, developers can ensure that they avoid the same problems that Jay-Z and Samsung ran into. No matter how amazing your album is, your fans should at least have a sense of what they’re giving up to hear it.