FTC issues new privacy guidelines for mobile firms

'Clean up your act, or Congress may do it for you'

Protecting consumers' privacy on their mobile devices is a complicated business, and platform vendors, app developers, and advertising networks all have their part to play, according to new guidelines from the US Federal Trade Commission (FTC).

In a report issued on Friday, the FTC observes that the mobile ecosystem has come a long way since the early days of the 1980s, when mobile phones were as big as bricks and almost as heavy, and they weren't good for anything but making phone calls.

In those days, the report observes, a mobile phone owner only dealt with two companies: the one that built the phone and the one that provided the cellular service for it.

But all of that has changed, given all the various apps and services that smartphone users engage with on a daily basis. Today's consumers frequently use a single device to do everything from reading the news to sending messages, paying bills, ordering tickets, tracking their friends with geolocation services, connecting to social networking sites, and more. As the report explains:

The complexity of the ecosystem raises 21st century concerns: When people use their mobile devices, they are sharing information about their daily lives with a multitude of players. How many companies are privy to this information? How often do they access such content and how do they use it or share it? What do consumers understand about who is getting their information and how they are using it?

Mind you, the FTC isn't the first to raise these issues. In March 2012, Senator Charles Schumer (D-NY) wrote a letter to the commission urging it to launch a mobile privacy investigation, following a report in The New York Times that showed how security flaws made it trivial for iPhone apps to access a user's private photos.

Two months later, the FTC hosted a panel discussion on the matter, which was attended by academics, government officials, and representatives of various online advertising concerns. The new report is largely the result of those sessions.

The report's title is Mobile Privacy Disclosures: Building Trust Through Transparency, and as you might surmise, getting companies to do a better job of disclosing what they do with users' data is its major theme.

Platform vendors must lead the way

In the FTC's view, that effort must start with the mobile platform vendors, because their unique position within the mobile ecosystem enables them to set privacy disclosure requirements and enforce them on companies further down the food chain.

"Platforms such as Apple, Google, Amazon, Microsoft, and Blackberry are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving mobile privacy disclosures," the report states.

For example, the FTC recommends that platform vendors design the APIs that expose users' sensitive data so that they display just-in-time notifications to the user whenever an app tries to use them, and that they require the user's express consent before they actually grant access to the data.

Such suggestions might sound like no-brainer stuff, but the report points out that even when platforms do provide these kinds of notifications, they can sometimes be unclear or overly technical, leaving users with the wrong impression about what data will actually be collected, when, and how often.

The report further recommends that platform vendors provide their users with a one-stop privacy dashboard, where they can easily review all of the permissions that have been granted to all of the apps on their devices.

The commission expects app developers to take the initiative to provide similar kinds of alerts and controls themselves, and to publish clear privacy policies. But it places equal responsibility on platform vendors to police their app stores by conducting thorough reviews of the apps that are submitted, and rejecting those that fail to observe privacy best practices.
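The three platform-side recommendations above (a just-in-time prompt at the moment an app first touches sensitive data, express consent before access is granted, and a single dashboard that shows every grant across every app) can be modelled as a small permission broker. The following is an added illustration, not code from the FTC report or from any real platform: the permission names, the plain-language prompt text, the app names and the GPS reading are all made up for the demo, and a real platform would persist the grants and render the prompt in its own UI rather than via a callback.

```python
"""Model of the FTC's 'just-in-time consent' recommendation for sensitive
platform APIs, plus the one-stop privacy dashboard it suggests.  Added
illustration only: the permissions, apps, prompt wording and sample data
below are constructed for the demo, not taken from the report."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

# Plain-language descriptions shown to the user the first time an app asks.
# The report's complaint is that real prompts are often unclear or overly
# technical about what is collected, when, and how often.
PERMISSION_TEXT = {
    "location": "Use your precise location every time it asks",
    "contacts": "Read the names and numbers in your address book",
    "photos":   "Read the pictures stored on this device",
}


@dataclass
class Grant:
    granted: bool
    decided_at: datetime
    access_count: int = 0                    # answers "how often do they use it?"
    last_access: Optional[datetime] = None


class PermissionDenied(Exception):
    pass


class PlatformBroker:
    """Mediates every call from an app to a sensitive data API."""

    def __init__(self, ask_user: Callable[[str, str, str], bool]):
        # ask_user(app, permission, plain_text) -> True if the user consents.
        # Injected so the demo can script the user's answers.
        self._ask_user = ask_user
        self._grants: dict = {}              # (app, permission) -> Grant

    def access(self, app: str, permission: str, fetch: Callable[[], object]):
        """Run `fetch` only if the user has consented; prompt on first use."""
        if permission not in PERMISSION_TEXT:
            raise KeyError(f"unknown sensitive API: {permission}")
        key = (app, permission)
        grant = self._grants.get(key)
        if grant is None:
            # Just-in-time: the decision is taken at first use and remembered,
            # so the user is neither nagged again nor silently bypassed.
            ok = self._ask_user(app, permission, PERMISSION_TEXT[permission])
            grant = Grant(granted=ok, decided_at=datetime.now(timezone.utc))
            self._grants[key] = grant
        if not grant.granted:
            raise PermissionDenied(f"{app} may not use {permission}")
        grant.access_count += 1
        grant.last_access = datetime.now(timezone.utc)
        return fetch()

    def revoke(self, app: str, permission: str) -> None:
        """Dashboard action: withdraw consent without uninstalling the app."""
        if (app, permission) in self._grants:
            self._grants[(app, permission)].granted = False

    def dashboard(self) -> list:
        """One-stop view of every decision, for every app on the device."""
        return [
            {"app": app, "permission": perm, "granted": g.granted,
             "accesses": g.access_count}
            for (app, perm), g in sorted(self._grants.items())
        ]


def demo() -> dict:
    # Scripted user: consents to location for a (hypothetical) maps app,
    # refuses the address book to a (hypothetical) game.
    decisions = {("mapsapp", "location"): True, ("puzzlegame", "contacts"): False}
    broker = PlatformBroker(lambda app, perm, text: decisions[(app, perm)])

    fake_gps = lambda: (51.5074, -0.1278)    # constructed sample reading
    fix1 = broker.access("mapsapp", "location", fake_gps)
    fix2 = broker.access("mapsapp", "location", fake_gps)   # no second prompt

    try:
        broker.access("puzzlegame", "contacts", lambda: ["Alice", "Bob"])
        leaked = True
    except PermissionDenied:
        leaked = False

    before = broker.dashboard()
    broker.revoke("mapsapp", "location")
    try:
        broker.access("mapsapp", "location", fake_gps)
        after_revoke_ok = True
    except PermissionDenied:
        after_revoke_ok = False

    return {"fix": fix1, "prompt_reused": fix1 == fix2,
            "contacts_leaked": leaked, "dashboard": before,
            "access_after_revoke": after_revoke_ok}


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The design point is that the app never reaches the data source except through `access()`, so the platform, not the developer, decides whether a prompt is shown and whether the call proceeds; the per-grant access counter is what lets a dashboard answer the report's "how often do they access such content?" rather than only "was it allowed?".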

Wanted: a Do Not Track for mobile

Where ad networks are concerned, the FTC would like to see them do a better job of coordinating with app developers to make sure they fully understand the privacy ramifications of their services, so that the developers can make full and correct disclosures to users.

But the commission isn't going to hold its breath on that score. In what is perhaps its boldest recommendation, the report calls upon all the major players to work together to develop a Do Not Track (DNT) mechanism for mobile devices, similar to the systems already being implemented in desktop web browsers:

Because advertising networks often work with multiple developers to provide advertising within apps, advertising networks are in a position to build consumer profiles by collecting consumer data across different applications. Some consumers may not want companies to track their behavior across apps. Indeed, one survey found that 85% of consumers want to have choices about targeted mobile ads. A DNT mechanism for mobile devices could address this concern.

Again, the FTC report offers only guidelines, not rules. There is currently no law that forces any company to abide by any of the commission's recommendations – and indeed, the report itself says that it is "not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC."

But companies would do well to heed the FTC's suggestions, because if they don't, legislation is the next logical step for Senator Schumer and other policymakers who share his mobile privacy concerns.

As outgoing FTC Chairman Jon Leibowitz said in a conference call with reporters on Friday, "Privacy is the quintessential bipartisan issue in Congress." ®
