Consumers Beware: There’s No Such Thing As A Free App

There is an “old” saying often applied to social media and other digital products: If you’re using a service and not paying for it, then you’re not the customer, you’re the product. The expression is likely older than you think it is – it wasn’t originally said about social media or the internet, but about television, and its incredible power to deliver eyeballs to advertisers. But the statement has stuck around for a reason – one that consumers often fail to think about when liberally downloading and installing free apps and adding browser extensions without carefully reading the terms of service, NuData’s Vice President of Emerging Technologies Robert Capps told PYMNTS in a recent conversation.

Free isn’t really free, he noted, and there is often a price to be paid for accepting the service – sometimes an incredibly high one, which in extreme cases can end with a subpoena being served.


“When installing apps infected with software that makes your computer part of a botnet, the traffic from your machine will look like it’s originating from you, and there could be potential consequences,” he said. “It could be as little as being disconnected from your ISP for file sharing, but it could be as bad as getting subpoenas for illegal activity of which you are totally unaware.”

But even outside of those worst-case scenarios – where downloading and installing the wrong “free” extension of an app sees one’s technology dragooned into a malicious botnet – the consumer’s privacy remains at risk as app developers look to monetize their data.

Becoming The Product

The important thing to keep in mind, Capps noted, is that while the truly malicious actors putting consumer data to criminal ends get a lot of attention, the many ways in which consumers are unknowingly handing over data don’t always involve active malfeasance. Developers often start out designing an app as a passion project that takes up more and more of their time until they realize they need to make money. Selling ads can often have an incredibly negative effect on consumer experience, such that it is rapidly falling out of favor as a preferred method of monetizing an app.

“Once a group of users gets used to a free app, trying to put ads in front of them is often met with a lot of displeasure from the user community,” Capps said.

Data, on the other hand, has value – particularly when it’s sold off to third-party marketing organizations that have a vested interest in buying access to as much as they can gather, which is quite a lot. Consumers don’t tend to look too carefully at notifications when apps ask for permission to access other information and applications on their mobile devices, and may never question why their new mobile game needs access to their contact list or web browsing history. As Capps noted, the marketers, telemarketers and data mining firms have all kinds of uses for that data.

Browser extensions can be even more dangerous, he said. “An extension isn’t just the proxying of information. A browser plugin has the ability to modify pages that are showing up in your browser, and in some cases, they can look at what you’re typing within web forms. So additional data harvesting and resale is possible through these browser extensions. Knowing what sites you visit and how often you spend time on them is really useful to a marketer or an advertiser.”

That data is also increasingly useful to hackers that buy up those pre-installed browser extensions and use the attached computers to build anonymous proxy networks, which can then push traffic through those extensions to make them appear to be consumers’ devices on a local ISP, which makes mitigation techniques more difficult.

And while not all of the uses will be criminal botnets or crypto mining operations, said Capps, they are all potential invasions of consumers’ privacy, attempting to gather and leverage their data in ways they may not agree with. But customers can play a large role in solving that problem, he said, simply by being more aware of which apps they are installing and what data access they are approving.

“One of the things we’ve been trying to push to consumers is to know what they’re installing, and to understand the privacy policies and access policies of a new app or utility they’re installing,” he said.

App stores are also starting to make apps more transparent to consumers with what Capps called “nutritional-like labels” that identify how and where those apps will access user data. But those warnings are only as useful as the customers are willing to read them, and to consider questions such as why a gaming app would need to read their text messages or see their photos – and then decide to say no when the answers don’t make sense.

“As with all things in security, it’s best to take a multi-layered approach with consumers, working to make sure that their devices aren’t compromised … and aren’t participating in a botnet, and that they’ve deleted apps they’re no longer using,” said Capps.