California State Attorney General Kamala Harris announced an agreement yesterday with six mobile app platform providers aimed at encouraging app developers to provide more accessible privacy policies. The announcement comes at an auspicious moment -- consumer outrage at the recently-discovered address book practices that Path and other app developers claim are "industry standard" shows that there's a serious disconnect when it comes to industry practices and user privacy expectations. But we should be wary about solutions that depend on walled gardens. App developers need to start baking privacy protection into their designs, and though this agreement may help encourage that, it's not clear that it's the best tool to give consumers meaningful choices when it comes to controlling what data mobile apps access and share.
Under the agreement, Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion will create fields for app developers to provide information about their privacy policies when submitting apps to the app store. These fields are optional, but developers who fill them out make it easy for consumers to find the app's privacy policy.1
Of course, providing a privacy policy is not enough to actually safeguard user data. Companies have a lot of leeway about what goes into the privacy policy. They can use vague, overbroad language so they can collect lots of data about users, share it with affiliates, sell it to marketers, or provide it to the government upon request. And even a strong privacy policy is little consolation; a privacy policy can change at any time, so today's protective language could be tomorrow's permissive exceptions. We saw a powerful example of this with Google’s recent privacy policy changes, in which the company removed the silos from different Google products and allowed YouTube and Web History to be combined with data gathered from other Google products. And consumers expect a lot more when it comes to their online privacy; a study by the Berkeley Samuelson Clinic and Annenberg Public Policy Center found that users (incorrectly) thought that a posted privacy policy meant certain protections for their data against common advertising practices.
The good news about yesterday’s agreement is that it may encourage app developers to start thinking through the privacy ramifications of the technology they create. And this month’s address book uploading issues shows that these companies need the external motivation. When Hipster, a photo sharing social network app, was found to be surreptitiously uploading contact lists to their servers, their CEO announced an “Application Privacy Summit” to suss out the privacy issues around mobile apps. But the promised summit was scheduled for earlier this month and still hasn’t taken place.
The AG's agreement may be one way to address these issues, but this particular program -- relying on walled gardens and closed door negotiations with the gardens' gatekeepers -- isn’t necessarily the ideal resolution for the privacy problems afflicting mobile app users. Users need to have a voice when it comes to controlling their data, and software developers need to respect their choices or be held accountable.
- 1. Similar standards exist in the desktop space. Under California’s Online Privacy Protection Act (OPPA, not to be confused with the similarly named COPPA), the operator of a commercial Web site or online service that collects personally identifiable information through the Internet has to clearly and conspicuously post a privacy policy. It must detail the categories of information collected by the online service, the dates the policy takes effect, how the website will notify users about changes to the policy, and what processes a user has to review or request changes to any of the personally identifiable information collected. If a website doesn’t provide this information, a user can notify the site (check our Privacy Rights Clearinghouse's handy sample letter to companies) and request they post a policy. The site then has 30 days to comply with the law or face the potential for civil lawsuits from the affected consumer.