Cover: Can Smartphones and Privacy Coexist?

Can Smartphones and Privacy Coexist?

Assessing Technologies and Regulations Protecting Personal Data on Android and iOS Devices

Published Oct 27, 2016

by Arkady Yerukhimovich, Rebecca Balebako, Anne E. Boustead, Robert K. Cunningham, William Welser IV, Richard Housley, Richard Shay, Chad Spensky, Karlyn D. Stanley, Jeffrey Stewart, et al.

Download Free Electronic Document

Full Document

FormatFile SizeNotes
PDF file 0.5 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

هل يمكن للخصوصية والهاتف الذكي التعايش معًا؟

Arabic language version

FormatFile SizeNotes
PDF file 0.4 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Research Questions

  1. What is the state of privacy with smartphones? What are the gaps and opportunities in addressing privacy and regulation in regard to smartphones?
  2. What are the privacy offerings on devices running Apple's iOS and Google's Android operating system?
  3. How does the users' use of smartphones affect privacy preferences?
  4. What are the different layers involved in hardware, apps, and networks that inform smartphone privacy (e.g., operating system manufacturer, app developer)?
  5. What technical and regulatory protections are available to protect privacy?

As smartphones become more ubiquitous around the globe, policymakers inevitably have to grapple with issues related to the security and privacy of these devices. To aid in this understanding, in 2015, the Defense Advanced Research Projects Agency (DARPA) commissioned a team of researchers from the Massachusetts Institute of Technology (MIT) Lincoln Laboratory and the RAND Corporation to assess smartphone users' privacy from both technical and regulatory perspectives. This report documents the team's approach and findings. On the technical side, it describes a literature review and experiments performed by MIT Lincoln Laboratory investigating the state of privacy of the two major smartphone platforms in 2015: Google's Android and Apple's iOS. On the regulatory side, this report describes a review by RAND of major federal regulatory mechanisms for protecting privacy in the United States and provides a tool to understand both privacy regulation and technology.

While privacy-preserving technology is improving, users' privacy concerns have not been fully addressed by the technology itself. Appropriate regulatory protections also play a role in protecting smartphone users' privacy. Currently, many gaps exist between regulation and technology: The two are not adequately paired to provide the desired protections. We believe that many of these gaps can be identified using a tool that the project team developed for policymakers. By combining technical and regulatory components associated with smartphone privacy, this matrix-based tool will help policymakers guide directions for future research and assess the impact of technical and regulatory solutions that have been or will be implemented.

Key Findings

Google Android and Apple iOS Platforms Differ Fundamentally but Are Converging

  • The differing platforms have led to fundamental differences between privacy protections and guarantees on iOS and Android devices.
  • The permissions models controlling what data can be collected by apps are converging in significant ways.
  • Android and iOS are adopting increased encryption to secure the data that is collected.

Policymakers Have Several Options to Protect Privacy

  • Some options put the onus on the user to recognize and prove that harm has occurred and to identify the perpetrator.
  • This can be difficult in privacy encroachments in the digital ecosystem, where harm may be intangible or where it can be difficult to identify who is responsible for the privacy invasion.
  • A comprehensive policy overhaul relating to privacy is unlikely to occur in the United States in the short term.


  • We propose a tool based on the data lifecycle and Fair Information Practices that allows policymakers to analyze gaps and strengths in smartphone privacy protections during each phase in the life cycle of smartphone data.

This report documents research findings resulting from collaboration between Massachusetts Institute of Technology (MIT) Lincoln Laboratory and the RAND Corporation. The RAND portion of this research was sponsored by Office of the Defense Advanced Research Projects Agency (DARPA) and conducted within the Acquisition and Technology Policy Center of the RAND National Defense Research Institute, a federally funded research and development center sponsored by the Office of the Secretary of Defense, the Joint Staff, the Unified Combatant Commands, the Department of the Navy, the Marine Corps, the defense agencies, and the defense Intelligence Community.

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.