Common Industry Standards, Not Regulation, Said Key to Privacy Protection in Mobile Apps
CAMBRIDGE, U.K. -- Traditional regulation “will struggle to cope” with the privacy issues raised by mobile phone applications, a Vodafone official said Tuesday at a Privacy Laws & Business conference. Applications are the consequences of an ecosystem that includes dependent and independent players, and whose barriers to entry are incredibly low, said Stephen Deadman, group privacy officer and head of legal for Vodafone Group UK. Many application developers and platforms are based far away from Europe, so any data protection solution requires an understanding of the structures and dynamics of the system, he said. He urged collaboration among storefronts, platforms, designers, and carriers.
The GSM Association earlier this year published privacy-by-design (PbD) guidelines for app developers, Deadman said. It’s now working with game developers, content providers and others to try to boost privacy protections, he said. Regulators and policymakers should drive industry initiatives to resolve the issues, he said.
There’s been exponential growth in the last five years in data and mobile applications, said William Long, who heads Sidley Austin’s European data protection practice. By 2014, one billion smartphones will be sold, twice the number of PCs, he said. Each smartphone now has on average 22 mobile apps, with 15,000 apps released each week, he said. It’s predicted that by 2014, 77 billion applications will be downloaded annually, he said. By 2015, the mobile app market could be worth $36.7 billion, he said.
All this sparks privacy worries, Long said. Some app companies upload entire user address books, while other applications have been found to contain advertisement libraries that can transmit user and location data, he said. There are location-finding services that access users’ photos on iPhones and Android devices, he said. He agreed that privacy protections must come through industry efforts. One key initiative is the GSMA general best practice for compliance, which sets out how to ensure greater privacy and trust in the mobile apps market, he said.
The GSMA document has a broad definition of personal data that includes information collected directly from users, such as contact or credit card details, or indirectly, such as Internet Protocol addresses or phone numbers, Long said. But the definition also encompasses information about how a user behaves with her mobile device, such as websites visited, and data held in the device itself, he said. The best practice paper also stresses the need for harmonization throughout the mobile app system, including platforms, analytics companies, mobile operators and developers, he said.
A key way to engender trust is to be open and transparent with users about what data are being collected, by whom and for what reasons, Long said. A mobile app should gather only the information needed for its primary purpose, he said. Mobile phone users should be told when their personal data will be used for non-obvious purposes and be given control over access to that data, he said. PbD must be incorporated into the system, and data retention and deletion periods set, he said. Users must be educated about mobile app settings and how to manage their privacy, and must be able to report problems, he said. Apps are one area where, more so than in some other sectors, it may be possible to resolve the issues via industry standards and PbD, he said.
Global mobile advertiser InMobi doesn’t ask for more information than it needs, but it can still tell a lot about people once they install one or two apps, said Developer Community Manager Terence Eden. There are, however, ways users can cover their tracks, through incognito browsing or deleting history, he said. The crux of the mobile app/data protection problem is that advertisers are “fundamentally lazy,” he said. They want their ads to go out to all iPhone users although they're actually focused on, say, men who like sports, he said. Most of the data the ads pull in gets dumped because it’s not needed, he said.
Advertisers need informed user consent and realistic targeting, Eden said. They fall into the mindset of needing to know everything about someone in order to fashion a perfectly targeted ad, but that’s actually too much work, he said. Apps are a problem because they can “slurp up a huge amount of information” that’s pushed toward people who can’t use it, he said. He cited a complaint by one InMobi user who loaned his phone to his wife. She was confronted by advertisements for gay dating, forcing her husband to come out, he said. Eden urged users to get to grips with what their mobile phones are capable of.
There’s a piece missing from the debate on transparency that shows a gap in knowledge about how people use technology, Deadman said. He questioned whether, as with food labeling, there should be extensive research on how people actually use their mobile apps.
The GSMA PbD guidelines have been adopted by a group of international mobile operators, but the organization wants common standards across the app ecosystem, Deadman said. Experts can’t be having this conversation in five years, Eden said. By next year, mobile phones will be able to shoot video of everything and probably stream it to Google, he said, and he wants to know his privacy is safeguarded.