Can I trust this app? To help journalists answer this question, tech expert Ben Finn summarises in a handy checklist the most important factors to consider before deciding whether to download or input any personal information into an application or website.
Three major questions to answer
1. Is this website or phone application recommended by experts?
Look at review websites such as Restore Privacy or Techradar and read the comments section to see whether other users would recommend the digital tool (be wary of sites launched specifically for the website or application’s promotion).
2. Does the digital tool offer clear information on its safety features?
Experts can explain things in a straightforward way. Purposely complex explanations can be used to confuse laypeople, or can be an indicator that the creators themselves lack understanding.
3. How transparent are the creators?
Users should be wary if the creators of a website or app are anonymous; if the digital tool were later revealed to be malicious, no one person could take accountability. Additionally, if the creators aren’t upfront about what they’re selling, beware that the website or app could be a trap designed to spy on the users and sell their data.
Background check
- News. Check the latest news about the app, especially reports of flaws and hacks.
- Updates. Check the application’s last update and the frequency of its updates. Look for an application that updates at least once per month to fix bugs and vulnerabilities and to protect against new attack methods.
- Metadata. Know what metadata is being collected from the first click or download. This can often be found in the data privacy section. Be wary of any app that collects more than it needs, as no data is ever collected without a purpose. Aim to understand that purpose: whether it is mandatory for the tool to work, marketing, or malicious.
- Access levels. Know the permissions an application requests; if it requires administrative (root-level) access, it is likely to be malicious. Applications that collect and sell data are untrustworthy. If a permission is required for the tool’s operation, try setting it to “only while in use”, but be aware that some applications may keep running in the background. This setting can be changed in the device’s settings.
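As an added illustration of the “Access levels” check (example code, not part of the original checklist): this Python script reads an Android manifest, lists every permission the app asks for, and flags those that reach sensitive data or let the app keep running in the background. The manifest and the permission lists are constructed for the example; a real review would use the manifest extracted from the APK under consideration.

```python
import xml.etree.ElementTree as ET

# Android manifests put their attributes in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed watch-lists: permissions that expose sensitive user data,
# and permissions that let an app keep working when it is not on screen.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
}
BACKGROUND = {
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

def requested_permissions(manifest_xml):
    """Return the sorted list of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # Both element types declare permissions; the -sdk-23 form is for Android 6+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return sorted(names)

def review_permissions(manifest_xml):
    """Group requested permissions into what a reviewer should look at first."""
    perms = requested_permissions(manifest_xml)
    return {
        "requested": perms,
        "sensitive": [p for p in perms if p in SENSITIVE],
        "background": [p for p in perms if p in BACKGROUND],
    }

# Constructed sample: a "flashlight" app that asks for far more than it needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    for key, values in review_permissions(SAMPLE_MANIFEST).items():
        print(f"{key}: {', '.join(values) or 'none'}")
```

A flashlight that reads contacts and tracks location in the background is exactly the mismatch between purpose and permissions the checklist warns about.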
Safety features to look for
- Open source and published audits. The programme’s source code is published for anyone to inspect, use or modify. This guarantees transparency and holds the digital tool accountable to a consistent standard. However, there is no regulatory system for open-source software. Some tools are not 100% open-sourced but can still label themselves as such. For example, Signal recently announced that, for security reasons, a part of their code would not be open-sourced.
- End-to-end encryption. A method of securing data so that only the sender and intended recipient can read it, preventing third parties (including the service operator) from accessing the information. More information available on this link.
- Location of the hosting server and incorporation. Tells the user which country’s laws govern how the application collects and hands over data. Some countries allow the government to take your data without a subpoena (e.g. China, Russia, India) and some have extremely high legal barriers (e.g. Greece, Canada).
- GDPR (General Data Protection Regulation). A legal framework that regulates data collection. While primarily focused on protecting the privacy of EU citizens in the EU and abroad, it has become a standard that many companies across the world follow. More information available on this link.
Written by Benjamin Finn. From Houston (USA), Benjamin has been in the IT field for a decade, during which his primary focus was the deployment of internal security tools across large enterprises. Over the last two years, he has been researching how to maintain proper security in the context of an oppressive nation-state, specifically in Myanmar. He has also been working with multiple groups in Taiwan to train them on proper security and safety measures.