Android permissions are in the wrong place, but the real problem with them is that they’re so far removed from what you care about. You don’t care if an app reads your data (or at least I can’t see why you should care) — what you care about is what the app does with that data. For example, if an app reads your contacts data and then does nothing with it, that’s totally okay (if strange). Likewise if it just uses the data to show birthday reminders within the app (for example). It’s only when the information is transmitted somewhere that (potential) problems arise. In other words, we don’t care what data are accessed as much as how the data are used.
Rather than permissions revolving around (for the most part) personal information (contacts, photos) and potentially-personally-identifying information (location, device ID), it would be far more useful to have a dialogue which stated exactly what the app would do with that data. For example, “Transmits precise location and your device’s unique ID to mybestflashlightapp.com”. Getting this sort of description right, and ensuring that apps are accurately described, would be difficult — but not impossible. More on how this might be done in the next post.