No! I don’t confirm your stupid permissions
I have developed half a dozen Google Chrome extensions and the most popular one has 100,000+ users. Last week I got a couple of emails from two different companies who say they are interested to buy the extension for a few thousand bucks (apart from the regular emails that promise making “up to $700/mo” by inserting a “tiny” script into my code).
If I were to ask for a fair price, it would be much more expensive considering the time I’ve put into making them. I mainly use it as a portfolio item and a practical way to learn product development so I’m not going to sell but out of curiosity I replied one of those emails asking:
Why do you want to pay for an extension that is already free? Are you going to charge people for that? How are you going to use the extension?
And the response was honest but rather scary:
Don’t worry Alex. We are going to keep the extension free. We are going to modify it a bit for tracking users.
So somehow tracking users is profitable enough that they are willing to pay a few thousand bucks and can still make a profit. Take a look at the mighty Chrome API. Extensions can potentially do all sorts of nasty things like:
- Reading your browser history
- Logging your keystrokes or emails
- Recording your passwords or payment info
- Changing links to go to ad websites
You name it! The only thing preventing extensions from doing nasty stuff is the permissions they request upon installation (and the good deed of developers).
Android is even worse
That list looks even nastier on your phone since apps can use more sensors like Microphone, camera, GPS, etc.
Recently Netflix asked me to grant permission to microphone if I want to update its Android app:
Apparently the mic is needed for voice search, but I never use that feature. Let alone the fact that I have granted rather weird permission to a video streaming service to read my “call information”.
Sadly many apps require unreasonable permissions. For example I take courses on Coursera. I thought it would be a good idea to install it on my phone so that I can watch course videos during my daily commute. But nope! They want to access my photos, browser history, external storage and contact list for some reason.
One can argue that I shouldn’t complain because Coursera is free. The thing is Coursera doesn’t explicitly mention what data it gathers and how long it stores it and how it uses it or who else has access to it. Sure, the fine prints can be found somewhere in legal mumbo jumbo but:
- It is not present when I need it (i.e. when installing the app)
- It is written very generic and mostly in favor of the company
- Legal text is long and hard to understand
And don’t you tell me “it is needed”, Udacity settles for my identity permission… plus vibrator… and my contact list… and the list of accounts on the device. Reasonable for an online learning app, right?
In the information age, companies gather as much data as possible. Sometimes they have no obvious use for it, but they gather it anyway because one never knows, maybe in the future it can be monetized.
In fact data scientist (who extracts meaningful insight from a pile of data) is one of the hottest jobs these days.
Many people don’t care
I have a confession to make. Back in 2011 I came across PhoneGap (now Cordova) and made an app with it while learning. I forgot to edit the permission template file which basically requested all possible permissions by default. I published it. Hundreds of users installed it!
This proves that a lot of people don’t read the permission list (or their lust for installing the app prevails the need to protect their privacy).
Put the user in control
iOS has a neat setting that allows the user to turn on/off the permissions for all apps after installation. This is my number one reason to recommend iPhone. After all, most mobile viruses are on Android.
I really like how the Web API treats sensitive permissions like camera and location. For example a website can try to access the camera, but if the user declines the permission, it is still supposed to keep working as usual. If the user grants the permission, it’ll have extra features. This is called graceful degradation. The opposite can happen too. For example a website can provide better service if it knows user’s location so it may ask for permission. This is called progressive enhancement.
Call me cynical but I’m not going to install an app when it can do something unreasonable or use my resources for something irrelevant.
Are you a developer? Think about a fair strategy to monetize your product and don’t betray the trust of the users who installed your product.
Are you a user? Raise awareness and try to resist installing software with pushy permission requests that don’t make sense.