The reviews are in for Consumer Report's new privacy app and they are .... mixed
If we can’t trust a venerated nonprofit organization that has championed consumer rights since 1936, whom can we trust?
That’s what I think as I dive into a pool of comments criticizing Consumer Reports recently launched Permission Slip by CR.
The free app launched to the public earlier this month to help people see how much personal data companies collect and then act on consumers' behalf to clamp it down.
“What we're trying to do from a mission perspective is shine a light on how every app and every service collects data and for what purpose, and then give people the tools they need to exercise these new rights to opt out,” Ben Moskowitz, vice president of Consumer Reports Innovation Lab, tells me over the phone.
I love it. It’s a Sasquatch-sized first step to educate people on the kinds of information companies routinely collect, share and sell for their own gain. It also provides a solid service to help us insist that corporations do better by us and lets us begin to manage how they treat our personal digital data. Oh, and it’s free.
But digital privacy is complicated. So are new app rollouts. Mix the two and there are bound to be concerns about how much of your private data an app needs, to well, protect your privacy.
Is Permission Slip app legit?
Permission Slip by CR earns only two stars in the Play Store and three in the App Store. I hesitated to download it when I saw such poor reviews.
Additionally, a quick search online brings up a handful of Reddit threads and online communities calling out Permission Slips’ privacy policy and accusing it of being a thinly veiled data mining operation.
“Not only do they use all the usual vile e-staling tactics,” writes “nerponx” on a YCombinator Hacker thread, “but they also share aggregated data with other companies. The whole thing is a data mining exercise to cross-link and identify the user accounts and devices of people who have become somewhat harder to track by other means.”
Gulp. Is that true, I wonder, as I start digging into this app. Did Consumer Reports botch this one?
After speaking with the team that created it and some of the top legal-digital privacy minds in the country, the answer is no.
Why is digital privacy so complicated?
For Permission Slip to do its job of protecting your privacy, it needs to collect data, which, to some, is a red flag privacy risk.
Bottom line?
“A highly trustworthy organization has created a mechanism for people to take control of their data,” says Chris Hoofnagle, a law professor and faculty director for the Berkeley Center for Law and Technology. “Permission Slip needs to collect data to perform this function, scale - and be relevant to the average consumer. The process requires collective trust.”
Why does Permission Slip have such low ratings in the app store?
Permission Slip by CR came out to the public in early October, and so many people rushed to use it right away that it crashed the app and caused some significant glitches.
When I saw that happening, I waited a week to give it a go, and my experience has been super-smooth − five stars. Before its full release, it was in beta testing, and many comments reflect early kinks that no longer exist as well.
Does the Permission Slip app have ‘dicey’ privacy practices?
I combed through the app’s 14-page Privacy Policy, and yes, there’s brain-numbing legalese that makes me want to kick someone in the shins. Case in point? This section, which many app critics call out as a major red flag:
"We do not sell your personal information in a way that most people would think of as a sale. However, we do participate in online targeted advertising and use analytics which allows tech companies, in exchange for our use of their services, to use user information collected from our App to improve their own products and to improve the services they provide to others. Under some laws, this is considered our "sale" of your user data to third parties. You can opt-out of this as provided in the “How to Submit a Request” section below."
So they protect your personal data, except when they don’t?
Not exactly.
To use the service, the app asks you to verify your phone number and email. Acting as your “authorized agent,” the app uses this information to make privacy requests on your behalf.
Even though the app is available nationwide, Consumer Reports follows California’s privacy laws, which strictly limits what companies can do with this data.
CR says it shares some general information about app usage with partners for specific narrow purposes, like understanding how people use the app to make improvements and to promote the app on social media sites. CR does not accept any ads on its own services.
When asked for comment about this section of the privacy policy, CR explained this language is necessary because of how the Colorado privacy law defines a “sale” of data. For those who may be uncomfortable with this kind of sharing, CR offers an opt-out.
That may still leave some people uncomfortable, especially "committed privacy people," Hoofnagle said.
"If you ask such people how this should work, they’ll say something like: 'There should be free, open-source software that you can compile on your own computer (GNU/Linux, of course) and send these requests using Tor.'"
That probably won't work for many of the rest of us.
You're being tracked:Grocers like Kroger, Walmart collect shopping data. What I found when requesting mine.
Spot AI deepfakes:Don't fall for artificial intelligence deepfakes: Here's how to spot them
Can we get our privacy back, really?
At issue here is the fact that everything we do online and IRL (in real life) leaves a trail of behavior and personal insight that puts us dead-center of a giant bull's-eye for marketers, data brokers and scammers alike.
Sure, you can pay a fortune − in money and time − trying to scrub your data from social networks, stores, search engines − all the things. But the truth is, that’s like trying to clean up glitter in a windstorm.
New laws finally make it possible for us to get back a smidgen of our privacy online. Still, the amount of work you must do to request each company remove your information or stop selling it is soul-crushing.
My Permission Slip app results so far:
In 10 minutes it blasted out some 55 emails for me, asking companies like CVS, Lowes, Airbnb, OpenTable, Yahoo, and even dodgy data brokers like Spokeo not to sell my personal information, including my email, home address and location data. That alone saved me roughly 70 hours compared with doing it all myself!
So far, CVS is the only company to deny my request not to sell my data. The reason? I live in Washington state, which doesn’t have a digital privacy law on the books.
Currently, 13 states have legislation protecting consumers' rights to privacy. California leads the country in consumer privacy protection, and Idaho comes in dead last.
Usually, even if your state does not force them to comply, many reputable companies still respect your data privacy requests − especially when Consumer Reports’ is behind the ask. I guess CVS didn’t get the memo.
Should I use the Permission Slip app?
It’s a great tool, not perfect, but nothing ever is, especially right out of the gate. But Permission Slip is a great place to start. The more control you have over your digital footprint, the more power you have over your privacy. Also, the less information companies have about you, the less likely data breaches will affect you.
“Data rights can be confusing and time-consuming. (We want) people to be able to use their privacy rights with ease,” Fahs adds. “We (sic) believe privacy is a right that should be within reach of all consumers. By proactively managing your data with companies, you can better control what information exists about you and how that information can be used – which is key to regaining some agency in a market where every click is carefully tracked.”
Jennifer Jolly is an Emmy Award-winning consumer tech columnist and on-air correspondent. The views and opinions expressed in this column are the author's and do not necessarily reflect those of USA TODAY. Contact her at[email protected].