Feeds

FTC issues new privacy guidelines for mobile firms

'Clean up your act, or Congress may do it for you'

High performance access to file storage

Protecting consumers' privacy on their mobile devices is a complicated business, and platform vendors, app developers, and advertising networks all have their part to play, according to new guidelines from the US Federal Trade Commission (FTC).

In a report issued on Friday, the FTC observes that the mobile ecosystem has come a long way since the early days of the 1980s, when mobile phones were as big as bricks and almost as heavy, and they weren't good for anything but making phone calls.

In those days, the report observes, a mobile phone owner only dealt with two companies: the one that built the phone and the one that provided the cellular service for it.

But all of that has changed, given all the various apps and services that smartphone users engage with on a daily basis. Today's consumers frequently use a single device to do everything from reading the news to sending messages, paying bills, ordering tickets, tracking their friends with geolocation services, connecting to social networking sites, and more. As the report explains:

The complexity of the ecosystem raises 21st century concerns: When people use their mobile devices, they are sharing information about their daily lives with a multitude of players. How many companies are privy to this information? How often do they access such content and how do they use it or share it? What do consumers understand about who is getting their information and how they are using it?

Mind you, the FTC isn't the first to raise these issues. In March 2012, Senator Charles Schumer (D-NY) wrote a letter to the commission urging it to launch a mobile privacy investigation, following a report in The New York Times that showed how security flaws made it trivial for iPhone apps to access a user's private photos.

Two months later, the FTC hosted a panel discussion on the matter, which was attended by academics, government officials, and representatives of various online advertising concerns. The new report is largely the result of those sessions.

The report's title is Mobile Privacy Disclosures: Building Trust Through Transparency, and as you might surmise, getting companies to do a better job of disclosing what they do with users' data is its major theme.

Platform vendors must lead the way

In the FTC's view, that effort must start with the mobile platform vendors, because their unique position within the mobile ecosystem enables them to set privacy disclosure requirements and enforce them on companies further down the food chain.

"Platforms such as Apple, Google, Amazon, Microsoft, and Blackberry are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving mobile privacy disclosures," the report states.

For example, the FTC recommends that platform vendors design the APIs that expose users' sensitive data so that they display just-in-time notifications to the user whenever an app tries to use them, and that they require the user's express consent before they actually grant access to the data.

Such suggestions might sound like no-brainer stuff, but the report points out that even when platforms do provide these kinds of notifications, they can sometimes be unclear or overly technical, leaving users with the wrong impression about what data will actually be collected, when, and how often.

The report further recommends that platform vendors provide their users with a one-stop privacy dashboard, where they can easily review all of the permissions that have been granted to all of the apps on their devices.

The commission expects app developers to take the initiative to provide similar kinds of alerts and controls themselves, and to publish clear privacy policies. But it places equal responsibility on platform vendors to police their app stores by conducting thorough reviews of the apps that are submitted, and rejecting those that fail to observe privacy best practices.

Wanted: a Do Not Track for mobile

Where ad networks are concerned, the FTC would like to see them do a better job of coordinating with app developers to make sure they fully understand the privacy ramifications of their services, so that the developers can make full and correct disclosures to users.

But the commission isn't going to hold its breath on that score. In what is perhaps its boldest recommendation, the report calls upon all the major players to work together to develop a Do Not Track (DNT) mechanism for mobile devices, similar to the systems already being implemented in desktop web browsers:

Because advertising networks often work with multiple developers to provide advertising within apps, advertising networks are in a position to build consumer profiles by collecting consumer data across different applications. Some consumers may not want companies to track their behavior across apps. Indeed, one survey found that 85% of consumers want to have choices about targeted mobile ads. A DNT mechanism for mobile devices could address this concern.

Again, the FTC report offers only guidelines, not rules. There is currently no law that forces any company to abide by any of the commission's recommendations – and indeed, the report itself says that it is "not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC."

But companies would do well to heed the FTC's suggestions, because if they don't, legislation is the next logical step for Senator Schumer and other policymakers who share his mobile privacy concerns.

As outgoing FTC Chairman Jon Leibowitz said in a conference call with reporters on Friday, "Privacy is the quintessential bipartisan issue in Congress." ®

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
Singapore decides 'three strikes' laws are too intrusive
When even a prurient island nation thinks an idea is dodgy it has problems
Banks slap Olympus with £160 MEEELLION lawsuit
Scandal hit camera maker just can't shake off its past
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
Reprieve for Weev: Court disowns AT&T hacker's conviction
Appeals court strikes down landmark sentence
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.