NTIA Code for mobile app transparency: an analysis

Guest Blog - MEF Privacy UpdateThe NTIA is an agency within the US Dept of Commerce responsible for advising the President on telecoms and IT issues. Last month, it published a Code of Conduct for mobile app developers in an attempt to improve transparency in the collection and use of personal information. MEF’s Senior Adviser for Policy & Initiatives, Simon Bates takes a look at the new Code, and assesses what it will mean for apps and app developers.

In June 2012 the NTIA convened a cross section of stakeholders interested in the app economy. This includes privacy, civil liberty and consumer advocates, app developers and publishers. You can read about the work they’ve done here.

As MEF has made clear in the past, there’s nothing wrong with collecting personal information from users as long as you let them know in advance. Sharing that information can be more problematic but, again, there’s nothing wrong with it per se. The trick is to let users know what you’re doing with their data so they can decide whether they’re comfortable downloading and using an app.

Having assembled some of the leading lights of the app world and put them together with senior privacy experts, the Working Group of MEF’s Privacy in Mobile Apps Initiative  has developed its own tools to help developers ensure best practice in Consumer Trust.  We welcome the NTIA’s efforts to come up with a common set of objectives that meet the needs of both industry and privacy campaigners.

Here is a brief summary of the Code. I’ll follow with a bit of analysis and how it fits with our own approach to helping developers.

General

  • Where possible, app developers should provide access to a short privacy notice prior to download so consumers can make an informed decision about whether to put it on their device.
  • Some laws (e.g. COPPA) may require a long form privacy policy so companies should not restrict their notices to short form only.
  • Adopting these principles does not guarantee compliance with all laws and best practice.
  • When a developer ‘materially changes’ the way the app collects or shares data, they should notify users and maybe even obtain consent. Otherwise, they may face sanction under Section 5 of the Federal Trade Commission Act.
    • Personal information that is collected does not have to be listed in the notice if:It is de-identified (cannot be traced back to an individual consumer)
    • It is only used for certain activities that are in the user’s interests, like improving the app or security.

Short form notice

The notice should be readily available from the application and, where practicable, all of the information should fit onto a single screen.

Here’s what should go into a short form notice:

1) The types of data collected;

  • Biometrics
  • Browser History
  • Phone or Text Log

    MEF’s recent research on mobile privacy policies examines when and how a privacy policy was made available, the language used and its word length, and found that 28% of the top 100 free apps had no privacy policy whatsoever.

  • Contacts
  • Financial Info
  • Health, Medical or Therapy Info
  • Location
  • User Files

2) Third party companies with whom data is shared;

  • Ad Networks
  • Carriers
  • Consumer Data Resellers
  • Data Analytics Providers
  • Government Entities
  • Operating Systems and Platforms
  • Other Apps
  • Social Networks

3) The identity of the company behind the app; and

4) A means for accessing the long form privacy notice (if one exists);

The information should be presented in a way that is easy for consumers to read and understand, and consistent across apps. Icons can be used alongside text but not on their own.

Analysis

Phones

The first thing to highlight is that the notice needs to explain what is being collected and who it’s being shared with, but not why. This seems to be a pretty important omission. As a consumer, I might not mind information being collected and shared with a third party if it’s for, say, analytics to improve the app, but I would mind if it’s for direct marketing purposes. The Code seems to suggest that it’s the recipient of information that is cause for concern. Surely the use that’s then made of the information is equally important.

Crucially, if the user submits any of the listed data types through an open field (i.e. it’s the user’s choice to offer it up – the app doesn’t collect it in the background) then you don’t need to disclose that it’s collected. This is clever: the consumer should only be alerted to personal information use if it happens in the background. 

Rather confusingly, the notice doesn’t have to list the collection of financial information unless “the consumer chooses to make a purchase in which such information is collected”. Surely the consumer will then be aware they’re handing over financial information – they’ve just keyed it in. I’m not sure why the short form notice then needs to change.

The issue of short or long form has not yet been put to bed. The NTIA and its stakeholders obviously think the future is in short form notices – they’re clearly more consumer friendly – but the Code implies long form notices are a necessary complement. This may be because some existing legislation may not be appeased by a short form notice, but this issue needs fixing. Consumers want short notices. The law should not require anything longer.

One debate that does seem to have moved forward is around icons. Privacy champions have long been trialling different ways to graphically represent essential privacy info. The advantage of icons is that they are (or should be) easy to understand and they work across linguistic divides. The downside is that it’s very difficult to ensure consistency across companies, app stores, devices and geographies. Consumers won’t recognise and remember a number of iconography sets. It seems like icons are out, at least for now.

Summary

The NTIA should be applauded for charting a course between the needs of its many diverse stakeholders. Finding any consensus between privacy champions on the one side and industry on the other is no mean feat. The lukewarm reaction to the Code from campaigners should not put app developers off – the Code was bound to include some degree of compromise.

MEF’s practical online privacy tools and resource centre are currently in beta and launch next month and our objective of balancing consumers’ interests with industry objectives mirrors the NTIA’s goals and share the need to deliver transparency.

 Simon Bates is MEF’s Senior Advisor for Policy & Initiatives, you can contact him here

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: