Asia Travel Apps Harvest Far More Data Than Most Tourists Realise

Before boarding a flight to Tokyo, Bangkok, or Shanghai, most travellers now spend as much time preparing their smartphones as their suitcases. The apps that make daily life work in Asia - ride-hailing, food delivery, translation, metro navigation - are largely incompatible with their Western equivalents, forcing visitors to download a fresh suite of unfamiliar software. What those apps do with your data, however, rarely features in any packing list. A recent analysis by VPN provider Surfshark, covering 65 widely used travel apps across Asia, found that 97% may collect user data, and nearly three-quarters could use that data for tracking - including after the holiday is over.

The Hidden Cost of Going Local

The scale of the problem becomes clearer when you consider how many apps the average visitor actually installs. Travellers heading to Japan or China are typically advised to download between 22 and 26 apps before arrival, based on guidance from travel planning communities. Each additional app compounds the risk: more permissions granted, more data types collected, more potential exposure points.

Surfshark's analysis - drawn from publicly available information on the Apple App Store - examined what types of data these apps collect, the stated reasons for processing it, and whether data is linked to third-party systems. The findings are striking. More than half of the apps reviewed collect data beyond what their core functionality requires, taking on average two additional data types above the minimum needed. Self-promotion and third-party advertising were among the reasons cited for this excess. Over half of the apps reviewed linked user data - including device IDs and behavioural profiles - to third-party systems, a practice commonly associated with targeted advertising and the broader data broker industry.

The variation between apps offering identical services is telling. Surfshark compared two ride-hailing apps, Grab and Rapido, both in the same functional category. Grab collects 27 out of 35 possible data types. Rapido collects 4. Both take you from A to B. The difference in what each knows about you is vast.

Surveillance That Does Not Stop at the Departure Gate

The more lasting concern is not what happens while you are abroad, but what continues when you return. Apps downloaded in a hurry at Suvarnabhumi Airport tend to stay on phones long after the tan fades. Few users routinely audit their installed applications or review the background permissions those apps retain. Location access via GPS, in particular, can persist indefinitely unless manually revoked - and many users never revoke it.

This is not a hypothetical risk. Surfshark cited a widely used Canadian coffee chain's app that continued tracking users' locations after the app had been closed. A US parking application, similarly, suffered a data breach in 2021 that exposed the records of 21 million users - many of whom had inactive accounts and had long since forgotten the app was installed. Neither incident required the user to be actively engaging with the app. Passive data collection is the norm, not the exception.

Geography also shapes data practices. Apps available in Thailand and the Philippines collected more data types on average than those found in South Korea, where some apps - including Metro Istanbul and TCDD - were found to collect no user data at all. This disparity reflects the patchwork of data protection regulations across the region. Unlike the European Union's General Data Protection Regulation, which imposes strict standards on data collection and consent, much of Asia operates under frameworks that are either less comprehensive, less enforced, or both. Travellers from the UK, accustomed to GDPR-aligned protections, may not realise they are operating in an entirely different regulatory environment the moment they cross certain borders.

Practical Steps That Actually Reduce Your Exposure

No single measure eliminates the risk entirely, but a disciplined approach to app management significantly limits it. The following practices are worth treating as standard procedure before, during, and after any trip requiring unfamiliar apps:

  • Download only apps that are genuinely necessary for your itinerary - avoid installing on the basis of vague recommendations
  • Review app permissions before and after installation; deny access to location, contacts, and microphone unless the app cannot function without them
  • Use apps only when required, rather than leaving them running in the background
  • Delete all travel apps immediately upon returning home, rather than allowing them to linger
  • Use a reputable VPN, which can encrypt your connection on unfamiliar networks and alert you to known data breaches affecting your accounts

The broader issue is one of awareness. Downloading a local taxi app feels like a practical necessity, not a privacy decision. But the two are inseparable. Every permission granted, every account created, every search made through an unfamiliar platform is a data transaction - one conducted under terms and conditions almost nobody reads, governed by laws that may offer considerably less protection than travellers expect. Treating app downloads as a privacy decision, not just a logistical one, is the most important adjustment any traveller can make.