Feeds

FTC issues new privacy guidelines for mobile firms

'Clean up your act, or Congress may do it for you'

Top three mobile application threats

Protecting consumers' privacy on their mobile devices is a complicated business, and platform vendors, app developers, and advertising networks all have their part to play, according to new guidelines from the US Federal Trade Commission (FTC).

In a report issued on Friday, the FTC observes that the mobile ecosystem has come a long way since the early days of the 1980s, when mobile phones were as big as bricks and almost as heavy, and they weren't good for anything but making phone calls.

In those days, the report observes, a mobile phone owner only dealt with two companies: the one that built the phone and the one that provided the cellular service for it.

But all of that has changed, given all the various apps and services that smartphone users engage with on a daily basis. Today's consumers frequently use a single device to do everything from reading the news to sending messages, paying bills, ordering tickets, tracking their friends with geolocation services, connecting to social networking sites, and more. As the report explains:

The complexity of the ecosystem raises 21st century concerns: When people use their mobile devices, they are sharing information about their daily lives with a multitude of players. How many companies are privy to this information? How often do they access such content and how do they use it or share it? What do consumers understand about who is getting their information and how they are using it?

Mind you, the FTC isn't the first to raise these issues. In March 2012, Senator Charles Schumer (D-NY) wrote a letter to the commission urging it to launch a mobile privacy investigation, following a report in The New York Times that showed how security flaws made it trivial for iPhone apps to access a user's private photos.

Two months later, the FTC hosted a panel discussion on the matter, which was attended by academics, government officials, and representatives of various online advertising concerns. The new report is largely the result of those sessions.

The report's title is Mobile Privacy Disclosures: Building Trust Through Transparency, and as you might surmise, getting companies to do a better job of disclosing what they do with users' data is its major theme.

Platform vendors must lead the way

In the FTC's view, that effort must start with the mobile platform vendors, because their unique position within the mobile ecosystem enables them to set privacy disclosure requirements and enforce them on companies further down the food chain.

"Platforms such as Apple, Google, Amazon, Microsoft, and Blackberry are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving mobile privacy disclosures," the report states.

For example, the FTC recommends that platform vendors design the APIs that expose users' sensitive data so that they display just-in-time notifications to the user whenever an app tries to use them, and that they require the user's express consent before they actually grant access to the data.

Such suggestions might sound like no-brainer stuff, but the report points out that even when platforms do provide these kinds of notifications, they can sometimes be unclear or overly technical, leaving users with the wrong impression about what data will actually be collected, when, and how often.

The report further recommends that platform vendors provide their users with a one-stop privacy dashboard, where they can easily review all of the permissions that have been granted to all of the apps on their devices.

The commission expects app developers to take the initiative to provide similar kinds of alerts and controls themselves, and to publish clear privacy policies. But it places equal responsibility on platform vendors to police their app stores by conducting thorough reviews of the apps that are submitted, and rejecting those that fail to observe privacy best practices.

Wanted: a Do Not Track for mobile

Where ad networks are concerned, the FTC would like to see them do a better job of coordinating with app developers to make sure they fully understand the privacy ramifications of their services, so that the developers can make full and correct disclosures to users.

But the commission isn't going to hold its breath on that score. In what is perhaps its boldest recommendation, the report calls upon all the major players to work together to develop a Do Not Track (DNT) mechanism for mobile devices, similar to the systems already being implemented in desktop web browsers:

Because advertising networks often work with multiple developers to provide advertising within apps, advertising networks are in a position to build consumer profiles by collecting consumer data across different applications. Some consumers may not want companies to track their behavior across apps. Indeed, one survey found that 85% of consumers want to have choices about targeted mobile ads. A DNT mechanism for mobile devices could address this concern.

Again, the FTC report offers only guidelines, not rules. There is currently no law that forces any company to abide by any of the commission's recommendations – and indeed, the report itself says that it is "not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC."

But companies would do well to heed the FTC's suggestions, because if they don't, legislation is the next logical step for Senator Schumer and other policymakers who share his mobile privacy concerns.

As outgoing FTC Chairman Jon Leibowitz said in a conference call with reporters on Friday, "Privacy is the quintessential bipartisan issue in Congress." ®

Top three mobile application threats

More from The Register

next story
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
APPLE FAILS to ditch class action suit over ebook PRICE-FIX fiasco
Do not pass go, do cough (up to) $840m in damages
Whoever you vote for, Google gets in
Report uncovers giant octopus squid of lobbying influence
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.