There's a spy in your pocket

How your smartphone helps companies track your digital footprint

The icons of some of the most popular apps in Uganda. They include King James Bible, Jumia Food, Matatu, CallApp, Opera Mini, Safeboda, Clean Master Ultra and Xender.
A phone with praying hands and a button that says amen.
A person in the dark.
A person in the dark with red curtains in front of them. The curtains are about to go up.

The King James Bible app is one of the most popular apps in East Africa,

but have you ever thought about what really happens when you tap amen ?

Let’s have a look behind the scenes...

An illustration of an identification tracker that zooms into your identity online.
An illustration of a location tracker that follows your every move.
An illustration of a grumpy profiler tracker that takes notes about you.
An illustration of an ads tracker that walks around with a trolley of gifts.
An illustration of the crash reporter portrayed as a tiny being with huge eyes and a helmet.
An illustration of an analytics tracker that has many antennas sticking out of it.

Izzy Identificator

Hi, I'm Izzy! I piece together your identification from crumbs you leave around the internet. Don't worry though, I'll map your data to a pseudonym so nobody knows who you are. Although, by the time I capture enough data on you, you'll be pretty easy to find. Depending on how much intel I get, I might even be able to match up your data with your political leanings or your credit card spending habits.

Lonnie Locator

Don't mean to scare you, but I'm following you everywhere to track your location. I've got lots of tricks up my sleeve. I use GPS chips, cell towers, local wifi networks and Bluetooth beacons to find out exactly where you are. And I love sharing this information with my friends.

Parker Profiler

Hello! Over here! Send me everything you've got, because I'm starting profiling. I'm gathering as much information about you as possible. And it's only fair to share, right?

Addie Adsense

We are ready! Don't you want to BUY THIS. Are you sure? What about THIS? By using all of the data I have about you, as an ad tracker, my goal is to show you ads you're most likely to fall for, I mean, need. I only show you the most useful products and services out there (and make a bit of money on the side).

Connie Crasher

I collect data about the app, don't worry. I'm just your local crash reporter. And without me your developer would have a hard time fixing bugs you experience in the app. I just collect a little extra data on the side for fun that will help me bombard you with ads for stuff we think you might want .

Doris Devvie

I'm just here to help your friendly app developer. I'm harmless. Mostly. Developers like my analytics because they help them get to know you better. If they know when you like to use their app and where you like to use the app, they can improve it. Right? So what if I share this intel with my location buddies every once in a while.

An open book.
An open book with eyes.
An open book with eyes and various trackers sticking out of the pages.

But wait… Why would the King James Bible app have these trackers?!

It’s just a free spiritual app! Who would put trackers here?

Well, who made the app? 

A dark computer screen with one creepy eye.
A developer in front of their computer who just got the idea to develop an app.

Somewhere, a developer has an idea to make life easier.

You know...read the bible on your phone, order a boda boda, order food, and connect the local shop to the customer… so they decide to make an app.

But how? Apps are hard! Companies be like: "Don't worry! We got you covered. use our software development kits, they'll help you build your new app faster!"

Software development kits (SDKs) are pre-packaged code that help developers connect with third-party services.

You know, when an app or website asks if you want to sign in using Facebook or Google to save you some time?

That’s a typical example of an SDK, and by doing it you authorize the app to access your personal information such as your name, profile picture, and email address.  

App developer: "Wow this code is super complex. I could never have written this myself. I don't even know everything it does."

It’s true. They probably don’t.

Many pages of content flying around. The image says, "The average Android mobile app includes 15.6 separate software development kits".

And then you download that app, and you accept the privacy policy, because you can’t use the app if you don’t.

A mouse icon clicking on the accept button for the privacy policy. The text on the image says "By accepting you agree to our terms of use and privacy policy".

And just when you thought you were in the clear.

Cue permissions

Real talk.

Permissions give apps access to your mobile device and your data.

They enable an app to have a level of control over your smartphone.

The more permissions, the more control.

And many apps request more than they actually need.

Anonymous user profile with a place for image, username and password.
The user profile image is now connected to another five users.
The user profile image is now connected to dozens of users.
A user app screen with the amen button.
A user app screen with the amen button and dozens of trackers connected to it.
A user app screen with the amen button and dozens of trackers and permissions connected to it.

But that's not all, you still need to login… and how do you do that?

by Using Facebook or Google! It’s so easy!

Remember that Software Development Kit?

Now this app probably knows all of your friends too.

So when you tap Amen...

the King James Bible app starts collecting information about you through its 15 trackers,

AND YOU'VE GIVEN THE app 33 different permissions to access your data.

But wait, if all of this is covered in the King James Bible privacy policy, isn’t the burden on the user to understand what they’re agreeing to?
We don’t think so. 

Because the King James Bible app includes software from other companies, by accepting one single privacy policy you’re actually accepting 19 other companies’ privacy policies. That’s another 75,000 words of privacy policies accepted with a single tap.

Are we supposed to read those as well?

Well, to put it in context, it’d take you about 5 hours.

A bar chart with the most popular apps in Uganda and the number of trackers they have.
A bar chart with the most popular apps in Uganda and the number of trackers they have and the number of permissions they require.

Apps might claim to give you convenience for free, but our research shows it often comes at a price.

We tested 82 of the most popular apps in Uganda

on average, they REQUESTED 30 permissions

and had 7 trackers.

CallApp logo.
CallApp logo and the details of one of your contacts.
CallApp logo and the details of one of your contacts, plus your mum.
CallApp logo and the details of one of your contacts, plus your mum, which are shared with hundreds of people.

They can’t all be that bad right? Let’s try again…

What app shall we download now?

oh, i know, CallApp.

When you install CallApp, you give it permission to “collect and process” information about all of the contacts stored in your phone.

Information like: names, phone numbers, email, home and website addresses. 

What this means is that CallApp isn’t just collecting and processing information about you,

it’s collecting information about all of your contacts as well. 

So if your mum isn’t on CallApp but you saved her number, address, and photo to your phone, then CallApp now has access to that information about your dear mum as well.

Did you ask her permission to share this information?

CallApp didn’t. 

By law, CallApp is required to make sure your mum agrees to share her data. But there’s a loophole. CallApp’s privacy policy says: 

“Please inform your Contacts that their information may be collected and shared with CallApp” 

So now the onus is on you. The moment you start using the app by giving callApp access to your contact, your dear mum’s data is uploaded and stored alongside 3,703,540,608 other records on the CallApp database, without her even knowing it. 

And it gets worse.

Just to check if you’ve saved your mum’s number correctly, CallApp asks other users to confirm your mum’s number, promising them gifts in exchange for doing so

Trackers working together to collect your data.
An illustration of dozens of files in your storage.
Introducing the Clean Master Ultra logo.
Introducing the Jumia Food logo, next to some of the trackers it has.
Introducing the Safeboda app, followed by the location tracker.
Eyes with raised eyebrows looking right.
Eyes with raised eyebrows looking angry.

What about the app you downloaded last time there was no internet and you wanted that mp3 from your friend’s phone? Yeah that's no good as well...

Popular file sharing app Xender requires a series of dangerous permissions:  

- read and write (view and change) external storage
- read and write (view and change) your call logs
- read your contact details
- read your text messages (SMS or MMS)
- use the camera
- access fine location

ThAT last one is especially dangerous because a fine location tracker uses GPS, which can then point to your exact physical whereabouts.

Wow. All those apps. What do you do when you have too many files and not enough storage?

You might be tempted to download something like the Clean Master Ultra app.

It has no less than 17 trackers!

In fact, 6 out of the 6 phone cleaning apps we tested have more than 10 trackers each.

Okay, let’s take a break, you’re probably freaking out a bit.

Perhaps order some food? Maybe something like *local food* from Jumia?

Be careful though, because it will collect your first and last name, gender, and userID and also transmit your location coordinates to some company in San Francisco called “asnapieu”.

Ok ok you give up… Let’s just end this, you decide to go home.

You book your SafeBoda TAXI.

Feel safe?

In 2019 we carried out research on SafeBoda, a motorcycle transport company that operates in Uganda and Nigeria, and found it to be sharing their client’s personal data with third parties without their knowledge or permission. 

But it’s not all doom and gloom… you can change things. 

Our investigations revealed that SafeBoda’s collection of such personal data by the use of trackers is a violation of the law and directly contravenes Section 7 of the Data Protection and Privacy Act of Uganda. 

We also released a report describing how SafeBoda’s privacy policy raised questions of trust as well as legal issues.

As a direct result of our work, SafeBoda changed its privacy policy.

If you’re feeling smug and thinking, I’m ok, I use a VPN to protect me online.

Then now is probably a good time for us to mention that 50% of the VPN apps we tested included profiling trackers too. 

Angry yet?
You should be! 

But we want you to turn that anger into action.

And here’s what you can do. 

Raise awareness

Share this article with your friends and family who use smartphones. 

Educate yourself

We believe in the mantra “if you must collect it, you must protect it”. Read our reports to find out more about staying safe online. 

🔗 Unwanted Witness: Privacy Scorecard 2021
🔗 Unwanted Witness: State of Digital Rights in Uganda 2019
🔗 Vox: The hidden trackers in your phone, explained
🔗 Exodus on how to avoid being tracked

Know your rights

Freedom House’s annual Freedom on the Net report (they report on 70 countries around the world) highlights the rights we’re supposed to have online, and describes how they’re being restricted. 

🔗 Freedom House: Uganda Freedom on the Net 2021

Connect with us

Follow us on Twitter.

This story is a collaborative production between Unwanted Witness and Data4Change, as part of Data4Change's Data Stories Programme, which was funded by Small Media and Omidyar Network.

Credits: Senior Data Researcher, Evelina Judeikyte; Data Associate, Yuxi Wang; Graphic Designer, Surasti Puri; Journalist, Frenny Jowi.

Data sources: Exodus Privacy, Appfigures, CallApp Privacy Policy, King James Bible Privacy Policy.

TopBuilt with Shorthand