FTC issues new privacy guidelines for mobile firms

'Clean up your act, or Congress may do it for you'

Protecting consumers' privacy on their mobile devices is a complicated business, and platform vendors, app developers, and advertising networks all have their part to play, according to new guidelines from the US Federal Trade Commission (FTC).

In a report issued on Friday, the FTC observes that the mobile ecosystem has come a long way since the early days of the 1980s, when mobile phones were as big as bricks and almost as heavy, and they weren't good for anything but making phone calls.

In those days, the report observes, a mobile phone owner only dealt with two companies: the one that built the phone and the one that provided the cellular service for it.

But all of that has changed, given all the various apps and services that smartphone users engage with on a daily basis. Today's consumers frequently use a single device to do everything from reading the news to sending messages, paying bills, ordering tickets, tracking their friends with geolocation services, connecting to social networking sites, and more. As the report explains:

The complexity of the ecosystem raises 21st century concerns: When people use their mobile devices, they are sharing information about their daily lives with a multitude of players. How many companies are privy to this information? How often do they access such content and how do they use it or share it? What do consumers understand about who is getting their information and how they are using it?

Mind you, the FTC isn't the first to raise these issues. In March 2012, Senator Charles Schumer (D-NY) wrote a letter to the commission urging it to launch a mobile privacy investigation, following a report in The New York Times that showed how security flaws made it trivial for iPhone apps to access a user's private photos.

Two months later, the FTC hosted a panel discussion on the matter, which was attended by academics, government officials, and representatives of various online advertising concerns. The new report is largely the result of those sessions.

The report's title is Mobile Privacy Disclosures: Building Trust Through Transparency, and as you might surmise, getting companies to do a better job of disclosing what they do with users' data is its major theme.

Platform vendors must lead the way

In the FTC's view, that effort must start with the mobile platform vendors, because their unique position within the mobile ecosystem enables them to set privacy disclosure requirements and enforce them on companies further down the food chain.

"Platforms such as Apple, Google, Amazon, Microsoft, and Blackberry are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving mobile privacy disclosures," the report states.

For example, the FTC recommends that platform vendors design the APIs that expose users' sensitive data so that they display just-in-time notifications to the user whenever an app tries to use them, and that they require the user's express consent before they actually grant access to the data.

Such suggestions might sound like no-brainer stuff, but the report points out that even when platforms do provide these kinds of notifications, they can sometimes be unclear or overly technical, leaving users with the wrong impression about what data will actually be collected, when, and how often.

The report further recommends that platform vendors provide their users with a one-stop privacy dashboard, where they can easily review all of the permissions that have been granted to all of the apps on their devices.

The commission expects app developers to take the initiative to provide similar kinds of alerts and controls themselves, and to publish clear privacy policies. But it places equal responsibility on platform vendors to police their app stores by conducting thorough reviews of the apps that are submitted, and rejecting those that fail to observe privacy best practices.

Wanted: a Do Not Track for mobile

Where ad networks are concerned, the FTC would like to see them do a better job of coordinating with app developers to make sure they fully understand the privacy ramifications of their services, so that the developers can make full and correct disclosures to users.

But the commission isn't going to hold its breath on that score. In what is perhaps its boldest recommendation, the report calls upon all the major players to work together to develop a Do Not Track (DNT) mechanism for mobile devices, similar to the systems already being implemented in desktop web browsers:

Because advertising networks often work with multiple developers to provide advertising within apps, advertising networks are in a position to build consumer profiles by collecting consumer data across different applications. Some consumers may not want companies to track their behavior across apps. Indeed, one survey found that 85% of consumers want to have choices about targeted mobile ads. A DNT mechanism for mobile devices could address this concern.

Again, the FTC report offers only guidelines, not rules. There is currently no law that forces any company to abide by any of the commission's recommendations – and indeed, the report itself says that it is "not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC."

But companies would do well to heed the FTC's suggestions, because if they don't, legislation is the next logical step for Senator Schumer and other policymakers who share his mobile privacy concerns.

As outgoing FTC Chairman Jon Leibowitz said in a conference call with reporters on Friday, "Privacy is the quintessential bipartisan issue in Congress." ®
