FTC issues new privacy guidelines for mobile firms

'Clean up your act, or Congress may do it for you'

Protecting consumers' privacy on their mobile devices is a complicated business, and platform vendors, app developers, and advertising networks all have their part to play, according to new guidelines from the US Federal Trade Commission (FTC).

In a report issued on Friday, the FTC observes that the mobile ecosystem has come a long way since the early days of the 1980s, when mobile phones were as big as bricks and almost as heavy, and they weren't good for anything but making phone calls.

In those days, the report observes, a mobile phone owner only dealt with two companies: the one that built the phone and the one that provided the cellular service for it.

But all of that has changed, given all the various apps and services that smartphone users engage with on a daily basis. Today's consumers frequently use a single device to do everything from reading the news to sending messages, paying bills, ordering tickets, tracking their friends with geolocation services, connecting to social networking sites, and more. As the report explains:

The complexity of the ecosystem raises 21st century concerns: When people use their mobile devices, they are sharing information about their daily lives with a multitude of players. How many companies are privy to this information? How often do they access such content and how do they use it or share it? What do consumers understand about who is getting their information and how they are using it?

Mind you, the FTC isn't the first to raise these issues. In March 2012, Senator Charles Schumer (D-NY) wrote a letter to the commission urging it to launch a mobile privacy investigation, following a report in The New York Times that showed how security flaws made it trivial for iPhone apps to access a user's private photos.

Two months later, the FTC hosted a panel discussion on the matter, which was attended by academics, government officials, and representatives of various online advertising concerns. The new report is largely the result of those sessions.

The report's title is Mobile Privacy Disclosures: Building Trust Through Transparency, and as you might surmise, getting companies to do a better job of disclosing what they do with users' data is its major theme.

Platform vendors must lead the way

In the FTC's view, that effort must start with the mobile platform vendors, because their unique position within the mobile ecosystem enables them to set privacy disclosure requirements and enforce them on companies further down the food chain.

"Platforms such as Apple, Google, Amazon, Microsoft, and Blackberry are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving mobile privacy disclosures," the report states.

For example, the FTC recommends that platform vendors design the APIs that expose users' sensitive data so that they display just-in-time notifications to the user whenever an app tries to use them, and that they require the user's express consent before they actually grant access to the data.

Such suggestions might sound like no-brainer stuff, but the report points out that even when platforms do provide these kinds of notifications, they can sometimes be unclear or overly technical, leaving users with the wrong impression about what data will actually be collected, when, and how often.

The report further recommends that platform vendors provide their users with a one-stop privacy dashboard, where they can easily review all of the permissions that have been granted to all of the apps on their devices.

The commission expects app developers to take the initiative to provide similar kinds of alerts and controls themselves, and to publish clear privacy policies. But it places equal responsibility on platform vendors to police their app stores by conducting thorough reviews of the apps that are submitted, and rejecting those that fail to observe privacy best practices.

Wanted: a Do Not Track for mobile

Where ad networks are concerned, the FTC would like to see them do a better job of coordinating with app developers to make sure they fully understand the privacy ramifications of their services, so that the developers can make full and correct disclosures to users.

But the commission isn't going to hold its breath on that score. In what is perhaps its boldest recommendation, the report calls upon all the major players to work together to develop a Do Not Track (DNT) mechanism for mobile devices, similar to the systems already being implemented in desktop web browsers:

Because advertising networks often work with multiple developers to provide advertising within apps, advertising networks are in a position to build consumer profiles by collecting consumer data across different applications. Some consumers may not want companies to track their behavior across apps. Indeed, one survey found that 85% of consumers want to have choices about targeted mobile ads. A DNT mechanism for mobile devices could address this concern.

Again, the FTC report offers only guidelines, not rules. There is currently no law that forces any company to abide by any of the commission's recommendations – and indeed, the report itself says that it is "not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC."

But companies would do well to heed the FTC's suggestions, because if they don't, legislation is the next logical step for Senator Schumer and other policymakers who share his mobile privacy concerns.

As outgoing FTC Chairman Jon Leibowitz said in a conference call with reporters on Friday, "Privacy is the quintessential bipartisan issue in Congress." ®
