The only way to crack down on this is to prevent apps sending any data at all and to minimise the use of proprietary software. As soon as your personal data leaves your phone and hits someone else's server they will sell it.
It's a bit of a hard problem which we tried to solve using a permissions system, but it's a hassle because it's hard to tell if a permission is being used legitimately and the average user just hits accept on anything because they don't know how to verify if something seems right.
The GDPR was a step in the right direction where it allows you to say no to tracking and still use the service as normal.
I think it's not good enough to merely prevent it from happening with sandboxing or permissions, that's a very technically-oriented way of solving the problem (and obviously what most of us here on HN would go to first).
But merely preventing it on a technical level creates this race where companies and startups are always finding new ways to violate our privacy, while we stumble after trying to patch the latest evil, hoping that it's even possible to patch this time. Stop ajax calls to third party domains? What if they start piping it through the first party server? etc.
There fundamentally need to be laws and principles in place that set clear lines as to what's okay and not, it shouldn't come down to "whatever is technically possible". You may NOT take my personal data, my contact list, my browsing habits, and sell them to a third party, even if it's hidden somewhere deep in your T&S. No human actually wants you to do that, if you offered somebody on the street five bucks for their phone contact list they wouldn't say yes. It's only possible because you are doing these evil things hidden from view.
> No human actually wants you to do that, if you offered somebody on the street five bucks for their phone contact list they wouldn't say yes.
There is an argument I have with a guy who stands on the street offering 'free coffee'. So I ask for a voucher, and he explains I have to download an app. I am not convinced that is truly free.
There are a lot of humans that are OK with that. The average person does not value privacy that much. There are a lot of people willing to trade data/usage patterns for a free app.
On the proposition "Pay $5/month or pay $0 but let me track you" a lot of people will choose the 2nd.
They may choose the 2nd option, but it's unknown if they would continue if told what the ramifications are. People chose Brexit without knowing its ramifications, because they did not understand fully their choice. I suspect those who opt for tracking are also making this mistake.
I doubt it, as a tech-savvy user I know the ramifications but am still going for the 2nd option. Why? Because the ramifications are largely inconsequential or not harmful enough for me to care.
And this is the problem. You know the ramifications for you as an individual are fairly small, but this is a problem of scale. Billions of people handing over their data allows the creation of much more sophisticated and insidious models. The costs of your decisions are externalized to society as a whole and will affect you one day. You just don't see that.
It is the classic tragedy of the commons. Everyone doing whatever is best for themselves leads to the absolute worst outcome for everyone (including yourself) in the end. E.g. you running 50 kWh of AC per day is pretty inconsequential. 2 billion people doing the same is not.
> The only way to crack down on this is to prevent apps sending any data at all and to minimise the use of proprietary software.
You're asking for legislative controls which, at the end of the day, can still be bypassed either flat out illegally or via legal grey areas. At best it's remedied after the act or prevents only the most obvious misuse. When you give politicians the mandate to control something often they're too technologically/process incompetent to get it right and to make sure the solution is in your interest.
You want to abate this practice? Exit social media (...and life will improve), use RSS for mass information consumption (I've been doing it for ~10 years now - I can pore through what would normally be a day's sifting/reading in 15 minutes while taking the first dump of the day) and use a browser with extensions that give you more fine-grained control, i.e. Firefox with NoScript.
Preventing apps from sending data doesn't solve the issue as long as you can use Google's analytics.
You can abuse the analytics event system by encrypting data and submitting it as a string attached to analytic events. These can't be differentiated from normal click tracking.
Server side you can then pull this data out via API and decrypt it.
Unfortunately, the permissions are rooted in the old server-centric UNIX model where users of the machine were generally trusted with all sorts of identifying information (e.g. ifconfig(8)). Those permissions were then augmented by a surveillance company, for surveillance companies (at least on the Android side).
When it comes down to it, even things like phone number, MAC, or current access IP address (as opposed to VPN egress address) are highly security sensitive information. There should be no way for apps to get access to these things, and if they insist on obtaining access, the ability to fake out that data should be the baseline of any modern OS.