Which applications exploit your data the most?

The apps we use to chat, shop, learn languages or simply pass time on a daily basis are often uncontrolled machines, especially when it comes to personal data. Que Choisir's survey of 50 mobile apps, on iOS and Android, paints an alarming picture of our digital privacy.

Behind the apparent free nature of many apps lies an underground economy that operates thanks to data brokers: companies specializing in the collection and resale of personal information. The mechanism is highly invasive: developers integrate 'trackers' into their applications. These are small pieces of software that retrieve data from our smartphone and transmit it to external servers. Detailed consumer profiles are then created from this data, which is sold to advertising networks.

The information collected reveals much more than we think: from our daily habits to the places we visit and from our culinary preferences to our political interests. By cross-referencing this data with other profiles, brokers can even deduce who we spend time with and what kind of relationships we have.

The study identified a number of particularly problematic applications, many of which are among the most downloaded in the world. Notable examples include TikTok, which collects an impressive amount of data for less-than-transparent purposes, Shein and Temu, Chinese e-commerce platforms that transmit huge streams of data to third parties, Shein and Temu, Chinese e-commerce platforms that transmit huge streams of data to third parties and BeReal, the seemingly innocuous social media network that, in reality, shares user data on a massive scale.

Duolingo is an emblematic case: this language application appropriates all address book contacts, first and last names, e-mail addresses and telephone numbers, without any clear justification.

Of the 50 applications tested, 33 transmitted large quantities of data. In some cases, the data is sent in unreadable formats, making it impossible to know exactly what personal data is being shared.

The study also identified 4 exemplary apps that deliver on their privacy promises: the strategy game Rift Riff (for iOS and Android), the children's piano game Happytouch and the gift management app Gifter. These apps collect no data and require little or no authorization.

A second group of 13 applications behaves in a reasonable manner: they only request authorizations that are strictly necessary for their operation, and limit data sharing with third parties. These are Clash Royale, BayaM (children's content from the Bayard group), Magic Pic and Xooloo Messenger Kids.

Que Choisir subjected all 50 applications to an in-depth analysis. First step: check that data is encrypted and protected against interception by third parties. Second step: check that privacy notices are transparent and that users have a real opportunity to object to data collection. The third and most important step is to map all information flows between applications and external servers. This involves distinguishing between what is sent to developers and what ends up in the hands of third parties. Wherever possible, the exact nature of the personal data shared has been identified.

The crucial problem, according to the study, is the lack of transparency. Users don't know what data is collected, where it is stored, how it is used and to whom it is sold (...).

In 2024, a study by Le Monde had already revealed the scale of the phenomenon: in a single day, broker DataStream Group collected 380 million geographic coordinates from 47 million phones in 137 countries, via almost 40,000 apps. This data may appear anonymous, but can easily be used to identify individuals.

(©GreenMe.it/Translation and adaptation: JS-The Global Money /Illustration: Unsplash)