Mobile apps are notoriously “data-hungry,” with developers collecting personal and even sensitive data from their users and their users’ devices and using that information for both legitimate and illegitimate purposes.
This kind of data collection is problematic enough when it takes place within the US: that is, when a US citizen has their data harvested by a US company. Just the fact of these treasure troves of personal data being out there dramatically raises the risks of misuse and outright breach (and the unmitigated exposure that brings). But what about the scenarios in which all that personal information (including behavioral data) is systematically syphoned off to foreign powers, including hostile foreign powers?
Countries and regimes hostile to the United States could certainly capitalize on the kinds of access a popular mobile app could give them to Americans’ personal information, let alone what they could do with users’ undivided and prolonged attention. It’s with these heightened consequences in mind that Incogni’s researchers drilled down into the issue of personal-data exfiltration by foreign mobile apps.
Incogni’s researchers generated a list of 10 most-downloaded mobile apps for the past 12 months. They then identified either the headquarters of the companies responsible for each app or the home country of each apps’ ultimate beneficiary owners.
Incogni’s research team also systematically documented the data-collection and sharing practices of these apps, as they’ve been disclosed in the relevant Google Play Store privacy sections. These mandatory disclosures include information regarding the categories of collected data, sharing practices, and the stated purposes behind data collection.
An overview of the results
The results of Incogni’s study are sobering. The apps included in the study were collectively downloaded an estimated 1 billion times, with three quarters of those 1 billion downloads going to Chinese apps. Looking only at the 10 foreign-owned apps most popular in the US, 6 have ties to China: TikTok, Temu, Alibaba, Shein, CapCut, and AliExpress.
Apps developed by Chinese-owned tech companies were some of the most data-hungry in the study, collecting an average of 18 data types from each American user and sharing 6 of them. The most data-hungry app in the study, TikTok, is one of these Chinese-owned apps. It collects a range of sensitive personal information, including names, addresses, and phone numbers.
B2B e-commerce platform Alibaba is another data-hungry Chinese-owned app. It collects an average of 20 data types on each of its American users, sharing 6. It requires access to users’ files, documents, videos and photos, phone numbers, home addresses, and full names.
Similarly, Temu, a Chinese B2C retail platform, collects 18 distinct data types on average while claiming to share only one of them. Temu collects users’ approximate locations, installed apps, and other user-generated content. Chinese shopping app Shein, on the other hand, stands out for sharing a whopping 12 of the 17 data types it collects from its users, including data like users’ phone numbers, names, and photos.
It’s not just about China, though. The US Department of Justice (DOJ) recently restricted some transactions involving the sensitive data of US citizens with countries of concern, like China, Russia, and Iran. An app like Telegram might be able to skirt such restrictions, though. Telegram’s official country of origin is the UAE (United Arab Emirates), but accusations of connections to Russia have clouded the developers’ reputations since its establishment.
A recent investigation has renewed accusations of Russian (in this case specifically FSB) collusion. But Pavel Durov, founder, owner and CEO of Telegram, has a record of assuming business and legal risks in the name of protecting users’ privacy. So the situation is unclear, and all the more so because these latest accusations come from a Russian source, media outlet IStories, putting their veracity into doubt.
Foreign apps are a problem, no matter where they’re from
As the case of the Telegram app shows, where an app’s developer is officially headquartered need not accurately reflect which foreign entities have access to user data collected by the app. An American-owned or American-controlled app, on the other hand, might represent a far safer option for US citizens, at least in the short term.
An app whose developers are beholden to US law first and foremost is potentially safer for US-based users because those developers can be subpoenaed or otherwise compelled to cooperate with authorities — something that’s generally not possible with foreign-owned apps, especially those with ties to unfriendly countries.
Foreign apps are a problem, but US-owned apps aren’t exactly a safe bet. Meta, owner of Facebook, Instagram, and WhatsApp, among others, is a great example of this. Meta is notorious for its data-harvesting and data-hoarding efforts, partnerships with domestic and foreign entities, and allegedly underhanded usage of user data.
The difference between an app like TikTok and one like Facebook is that, should alleged data-privacy abuses become so egregious that they threaten national security, the US government can compel Meta to disclose details regarding Facebook’s operations in the US, something it can’t do with ByteDance, TikTok’s owner.
That said, on an individual (rather than national) level, foreign-owned apps might actually have less of an impact on US users, at least in the short term. A US company might be more likely to share its users’ data with entities that can impact a US citizen in the short term, affecting their ability to get loans, housing or employment, for example.
Then again, there’s little stopping a foreign-owned company from selling its US users’ data to US entities, potentially resulting in all the same, negative consequences.
Data collection is the real problem
“The results of this study have been really eye-opening. So many of the downloads for the most popular apps go to foreign-owned companies, and so many of those to Chinese companies in particular. In terms of national interests and even national security, this is a big problem.” Said Darius Belejevas, Head of Incogni. He continued:
“But on the individual level, things are much less clear. Which entity can affect a US citizen’s life more immediately, the Chinese Communist Party or some vast network of US data brokers? The reality is that all unnecessary data collection is risky: whoever is doing the collecting and wherever the spoils are stored, that data can be bought and sold or simply stolen and leaked, meaning it ends up in all the wrong places all the same.”
Incogni’s full analysis, including detailed breakdowns of exactly what data is collected and/or shared by each app, as well as the public dataset, can be found here.
Read next: Global AI App Market Settles as New Players Push Into the Rankings