Some of Indonesia’s most popular shopping apps have been accused of peeking at private information on people’s phones.
The report by software maker Opera ranked apps by how relentlessly they employ trackers, tools that collect personal information from your phones – such as location, phone numbers, passwords, and user habits.
Indonesian ecommerce startups put to the test included Bukalapak, OLX, Elevenia, Kaskus Jual Beli, Blibli, Lazada, MatahariMall, Tokopedia, and Zalora.
The results, which tested Android apps, show that Bukalapak and OLX were the worst in terms of how many tracker requests they sent to users’ smartphones.
When Tech in Asia first wrote about the controversial findings in Indonesian, a debate about privacy flared up.
The report included a statement by Sergey Lossev, head of Opera Max, an app that monitors what other Android apps are really doing on your phone. “Sharing data like bank account information through unsecured wifi networks can increase the risks of hacking and cybercrime. A lot of users give up information without their realization; like when they shop online through their mobile phones.”
Bukalapak and OLX felt they were being unfairly accused of putting their users at risk of privacy infringements and hacking.
“OLX does not facilitate transactions between sellers and buyers and therefore does not collect data from customers,” said OLX in a statement sent to Tech in Asia. “This is a contradiction to the statement saying that our application collects users’ private information. OLX has a commitment to keep customer’s data secure and as private as possible.”
But that doesn’t address the issue of what information an app might be skimming from your phone.
Bukalapak followed suit, saying, “We secure data from customers with the HTTPS protocol – which encrypts it and disables others from reading it. The data we collect does not include sensitive material such as bank account information.”
Both companies say using trackers in applications is common practice in Indonesia and elsewhere.
Madeleine Ong de Guzman, CMO of Elevenia, supported the other startups. “All ecommerce platforms are doing the best to protect their customers and gain their trust”. She challenged Opera to clarify how it constructed its report.
The report said the shopping apps were tested over a wifi network, making at least 100 purchase requests while browsing various items. The web browser would then note the number of times the apps sent back a request to track personal information.
A spokesperson explained to Tech in Asia that Opera Max ranks sites’ trackers in risk groups: low, middle, and high.
“The mechanism is based on EasyPrivacy, an open source filter that helps detect bugs and tracking scripts, which is also used by ad-blocking services,” said Peko Wan, Opera’s head of PR for Asia.
She pointed out that the monitoring app only helps inform the user about the existence of trackers, not what type of information they collect and what happens with it.
“This report is released for the purpose of raising awareness for security issues on the internet, instead of investigating how ecommerce platforms use their collected data from their trackers,” she said.
Opera later deleted a controversial image from the report which highlighted the 12 stores that made heaviest use of trackers. It added a note saying, “We have removed the names of the 60 apps we tested from the press release to avoid misunderstanding.”
Opera’s report analyzed the data mining habits of 60 companies in 10 countries.
With additional reporting from Aditya Hadi Pratama.