Mobile app privacy crossroads

Last week we saw the Mobile World Congress and the giants of the mobile tech world were back in Barcelona to captivate the imagination of the tech press with their latest smartphone and tablet offerings.

The mobile industry trade show has certainly not disappointed. Announcements of smartphones with new quad-core processors, phone cameras with huge numbers of megapixels crammed onto their sensors and 3-in-1 smartphone-tablet-netbooks have all provided much excitement.

However, these testaments to 'Moore's law' will also broaden the technological possibilities for new mobile applications.

It is fortuitous then that, on the opening day, the trade body host - the GSM Association (GSMA) - released their privacy enhancing standards for mobile application developers.

One of the main principles behind the guidelines is to ensure that new apps embody the concept of "Privacy by Design" (PbD). This seeks to ensure privacy-protective measures are a core part of the design process.

The GSMA states:

"Users have privacy interests (expectations, needs, wants and concerns) that must be addressed in a proactive manner from the start and not as an afterthought or an ‘add-on’."

PbD has become popular in regulatory policy, and is well on its way to becoming part of EU law.

The GSMA have high hopes for their rules. They want to reduce the fragmented application of privacy principles across the different companies and developers by introducing harmonisation.

To do this they will need the guidelines to be used by big and small developers. They would like adoption by:

"All parties in the application or service delivery chain that are responsible for collecting and processing a user’s personal information – developers, device manufacturers, platforms, and OS companies, mobile operators, advertisers and analytics companies."

There is commitment to user needs throughout the text, often drawing good governance principles from existing EU data protection concepts like data minimisation and limiting use of collected data.

There is significant focus on creating trust, and using clear and simple information when communicating with users.

Good ideas developed in the policy include suggestions like:

  • Ensure default settings are privacy-protective
  • Capture appropriate consent for targeted advertising and for using location data
  • Give users control over repeat prompting about the use of their personal data (not just 'one time consent')
  • Ensure the user agrees to updates; don't do "silent/secret updates" in the background.

This self-regulation strategy has gained some high-profile supporters, with approval from big mobile telcos including Vodafone, Orange and Deutsche Telekom at MWC12.

Getting other big businesses on board might be difficult. Mark Little, an analyst at Ovum, has argued that Apple, Google, Microsoft and RIM will be selective in their application of the guidelines because they go against their dominant business models. They may not adopt the most privacy-protective guidelines.

However, it is clear there is a need for these guidelines. A few app privacy controversies have dominated the tech headlines in recent weeks.

At the start of the month social media iPhone apps Path and Hipster were found to be uploading user address book information without permission.

Then it was Twitter that came under fire because language in their privacy policy was not explicit enough about their iPhone app's access to users' smartphone address books for their "Find Friends" service.

Most recently, last week's Sunday Times alleged that Facebook's Android app has been reading SMS messages on smartphones. However, Facebook disagreed with the report, noting SMS read/write access has only been used for "very limited testing" and that the permission is covered in the Terms and Conditions.

This attempt by the GSMA to increase trust and transparency between users and app companies is to be welcomed.

However, unless the privacy-protective measures are almost universally adopted, the industry impact of the overall document may be minimal.

Lachlan Urquhart is a tech writer for the Sophos security blog.