When you’re wondering why something is the way it is, it often helps to follow the money. And that’s certainly the case with one of the most confounding aspects of modern life: privacy. If you want to know how likely it is an app or service is mining your data, you need to see how they make their money. So we’re going to take a look at the most common software business models to find out what they mean for your data privacy.
Traditional retail
When you think of physical goods that you purchase—say, a toaster or t-shirt—it’s a straightforward transaction. You give someone money in exchange for the item, and walk away.
For many years, this was the dominant model for software. And even after the internet made it possible to easily alter that product post-purchase through software patches and “point” updates, the model persisted. Developers had to create splashy major releases complete with new features and big marketing pushes to get customers to shell out for these updates.
Still, the internet generally isn’t an integral part of these kinds of software. Turn off your wi-fi, and these kinds of apps will work as usual. So there’s generally no conduit for your data to be sucked up. And that means your data privacy, for the most part, isn’t at risk.
Privacy risk: Low
How to take action: Some traditional applications may “phone home” and try to connect to the developers’ servers. In many cases, it’s done to check for software updates. If you want to play it safe, you can selectively block connections by using an application firewall like Net Limiter for Windows or Little Snitch for macOS.
Paid subscriptions
For developers, part of the problem with this traditional, retail model was the inconsistency of revenue. Major releases meant big spikes, but then they had to gamble time and money creating the next version in hopes of driving the next big spike. The rise of cloud computing, which coincided with the beginning of the mobile era in the late 2000s, offered a tantalizing new option: subscription.
The spread of powerful mobile devices created a demand for software that could be accessed from, say, a laptop, a phone, and a tablet. Cloud computing and fast internet connections made it possible. Now users could subscribe to apps that ran off developer’s servers.
The draw for developers was simple: money. Now, instead of having to convince users to shell out a large amount once every year or so, they only needed to ask for a little bit every month. Plus, it opened the door for completely new services that required data to be processed on developers’ servers—thus requiring an ongoing subscription. Think video conferencing, collaborative document editing, or multi-user database management.
This kind of product got its own cottage industry: Software as a Service (SaaS). SaaS-native businesses have come in the form of Salesforce, Wordpress, and more recently, Zoom. There have also been big winners with traditional products that transitioned to SaaS: Microsoft Office morphed into Microsoft 365, and Adobe’s Creative Suite became Creative Cloud.
Developers of subscription-based software usually aren’t keen on upsetting paying customers. So most will keep data mining off the table. It’s not an absolute rule—some will definitely take your money and your information. But especially for companies that sell to privacy-minded large businesses, mucking around in user data is taboo.
Privacy risk: Low-Medium
How to take action: Take a look at the privacy policies posted on the developer’s site. In a lot of cases, these developers are happy to have your subscription payments and see no need to stockpile personal data. For subscriptions that include traditional, installed-on-your-hard-drive software, our recommendation above will apply.
Freemium (with in-app purchases)
So back to one of the other factors that led to these new software models: app stores. When Apple first launched their App Store for iPhone in 2008, a handful of enterprising developers found they could quickly make millions by releasing simple games at 99¢ a pop. But as competition poured in, the hunt was on for a way to make money while dropping that price to zero.
Enter in-app purchases. While these sometimes drive users to paid subscriptions that are available outside the apps, many drive revenue with one-off purchases. This has become, to put it mildly, a controversial practice. Many games have been accused of tricking children into purchasing in-app items, raising the ire of the Federal Trade Commission. That’s to say nothing of loot boxes, in-game items redeemable for randomized prizes, a practice criticized as encouraging gambling.
So what does this mean for your privacy? Let’s be clear: There’s no direct link between in-app purchases and information privacy issues. However, if a developer is in such feverish, unscrupulous pursuit of profit that they’d turn children into gamblers, they might be worth keeping an eye on. Luckily, any app using Apple or Google’s payment system for in-app purchases is required to have a posted privacy policy. Yes, it’s a slog going through privacy policies, but at a bare minimum, you should read through them when an app is doing morally questionable things.
Privacy risk: Medium
How to take action: Read through the developer’s privacy policy to find out what personal information they’re storing, and what they’re doing with it.
Ad-supported
And, of course, there’s the business model that’s subsidized or outright paid for newspapers for a few hundred years: advertising-supported. Given the headlines over the past decade or so, you can probably guess what this type means for your information privacy. The lion’s share of advertising revenue in the US goes to Google and Facebook, two companies that vacillate between indifference and hostility toward user privacy.
The problem with ad-supported apps is that they’re much more sophisticated than traditional newspaper ads. Through a process known as retargeting, they can follow you around the web. Say you visit a shopping site and look at a pair of shoes, but don’t buy them. That site may be tracking your behavior and feeding it into a profile. So then you might be browsing on a different site or using an app on another device, and up pops an ad for those shoes. Creepy, huh?
Many apps will present themselves as free, but in the background, they’re feeding into these types of profiles through information marketplaces called ad exchanges. So whether you see ads in an app or not, they still may be advertising-supported. In other words, free isn’t always free.
Privacy risk: High
How to take action: Approach with caution. Remember that every interaction you have with these apps and services is probably being tracked. In some cases, they may even be following you with tracking pixels embedded on other sites. Read our post on protecting your privacy online to see what steps you can take.