At the moment, mobile developers are handling personal user details is in much the same place that the Tour de France handled its doping problem in the 1990s: everyone was doing it, and you would be left behind if you didn't follow the same questionable practices.
If you think that every button press and swipe that you make in a mobile app is not being reported home for analysis with a tracking/big data tool of choice, then I am sorry to bust your bubble. It is but one of the reasons why app developers go to great lengths to find unique device identifiers.
Into such an environment the Office of the Australian Information Commissioner (OAIC) waded yesterday with its Mobile privacy: A better practice guide for mobile app developers document.
It outlines a number of issues that developers need to address:
- Using a Privacy Impact Assessment to map where a users' information is going and identifying the potential privacy risks
- Using controls, such as conditions of contract or user agreements, to ensure that third parties accessing personal information respect their privacy obligations
- Collecting only the personal information needed for an app to function, and not collect data on the basis that it may be using in the future; give users the ability to opt-out of data collection
- Delete or de-indentify information that is no longer needed for a lawful purpose
- Encrypt any personal data stored
- Allow users to delete or request the deletion of personal information once they stop using the app
- Delete any personal information that is no longer needed.
Timothy Pilgrim, the Australian Privacy Commissioner, launched the guide by saying that the growing app industry provided for potential benefits to users, but also allowed for serious risks in how the users' personal information is handled.
"Mobile app developers operating in the Australian market need to be aware of how Australian privacy regulation applies, otherwise they risk breaching the law," Pilgrim said in a statement.
"It is ultimately in an app developer's best interest to build strong privacy protections into their product. The mobile apps that take privacy seriously will be the ones that stand out from the crowd and gain user trust and loyalty," he said.
If only I wish it were so.
Remember when Path was caught uploading its users' entire address book and such was the outage that the company has left with no users? Of course you don't, as only the first part of that scenario occurred.
Having had their privacy compromised, users kept using the service in increasing numbers, and the company is now looking at a billion dollar valuation.
Such a statement would contravene the section of the OAIC privacy guide entitled "Only collect personal information that your app needs to function" that states:
It is a noble cause to attempt to push app developers in a direction that respects privacy. But with the majority of mobile ecosystems either obfuscating the intentions of the permissions needed by apps, or not allowing per-permission level of granularity to installation dialogs when users are downloading an app, I'm afraid that OAIC's good intentions will fall on deaf ears.
While it would be great to see apps that followed the privacy guide to the letter, I suspect that many non-technical users would be appalled to learn exactly how much of their information and usage was being passed around the internet, especially for ad driven apps. That makes the decision to be open about what an app is doing, detrimental to the success of an app — which is usually what an app developer wants to avoid.
For those reasons, I feel that instead of targeting app developers with well-meaning guides, a better approach would be to lean on the gate keepers of those ecosystems: the app store vendors.
Until mandated by the likes of Apple, Google or Microsoft to be upfront with users as to what personal details are needed, and how it is handled, I expect app makers will continue with the status quo.
Of course, the massive drawback to this approach is that Android and Windows Phone app stores are reminiscent of the wild west, and the one app store vendor that could make easily pull such a change off, Apple, is unlikely to take kindly to any suggestion that will impede app installation rates.
Nevertheless, a mandatory approach enforced by app store vendors remains the most likely way to see the disclosures that Pilgrim desires. Until then, the OAIC's guide will remain a wishlist of best practice that only the honest implement, while the apps that are being truly dishonest with user data continue on their merry way without reproach.