Future of Privacy Forum Launches App Privacy Site

Privacy resource portal provides application developer tools and guidance for responsible privacy practices

WASHINGTON – With hundreds of thousands of online and mobile applications already in use and more being developed, the Future of Privacy Forum (FPF) today launched a new website to help application developers provide users with privacy protections.  Supported by app developers, platforms and tech companies, ApplicationPrivacy.org is the only hub of its kind containing emerging standards, best practices, privacy guidelines, platform and application store requirements, as well as relevant laws and regulatory guidance.

A recent survey by FPF found that 22 out of the 30 most popular mobile apps lacked even a basic privacy policy where consumers could learn about what data is collected or exchanged when they download the app.  A recent study estimated that by 2016 the worldwide mobile app industry could achieve 44 billion downloads, and according to Facebook, people install 20 million applications every day on their site.   

Christopher Wolf, FPF’s founder and co-chair, noted the importance of educating app developers on key data protection principles. “Apps often provide valuable services using people’s contacts, location and profile information. But unless users trust that their privacy will be protected, the use of Apps will decline and that would be unfortunate, as Apps provide innovative ways to interact over the Internet and contribute to the Internet economy.”

FPF’s director and co-chair Jules Polonetsky emphasized the need to educate more developers about the importance of responsible data practices. “App developers with limited staff or resources can end up being responsible for the data of millions of users. Platforms and operating systems have roles to play, but app developers themselves need to be responsible for their own practices. We hope that Applicationprivacy.org will provide a one-stop shop for the one person start-up or the large scale company.”

Facebook, AT&T and Sprint will also be promoting the site to developers to help them navigate the development process.  FPF’s leaders are urging other companies to do the same to help provide developers with this information.

App developers also recognize the value of the site. Sze Wong, CEO at Zerion Software, Inc., a company which creates the app known as iFormBuilder, said, “As a general purpose data collection platform, iFormBuilder stores a lot of private information from our clients around the world. When we first drafted our data privacy policy and subsequently the safe harbor provision for Europe, we felt we were on our own. Now developers have a place to get general information and get help. I wish the project was there when we started!”

Peter Erickson, who is the founder of MoDev, a national mobile developers network, said, “I know our developers spend a lot of time focusing on the privacy issue. Resources like the Future of Privacy Forum’s ApplicationPrivacy.org site will be a critical resource for navigating the tricky privacy terrain.”

The site will also have an active presence on Facebook and on Twitter, using the handle @AppPrivacy. The website was built with the support of application developers, platforms and tech companies, including: AT&T, CardStar, the Center for Democracy and Technology, Facebook, Google, Infield Health, Intel, MoDev, Savvy Apps, TRUSTe, Zerion Software, Zynga, and 3ADVANCE. Shaun Dakin, a fellow at the Future of Privacy Forum, played a lead role in the development of the site.

The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.

###

FOR IMMEDIATE RELEASE: May 26, 2011

Media Contact:

Ted Kresse

202.777.3719

[email protected]

Statement from CDT and FPF on the Development of App Privacy Guidelines

Statement from the Center for Democracy & Technology (CDT) and Future of Privacy Forum (FPF) on the Development of App Privacy Guidelines

WASHINGTON, DC – Today, the Center for Democracy & Technology (CDT) and the Future of Privacy Forum (FPF) released the following statement in response to this morning’s Senate hearing on “Consumer Privacy and Protection in the Mobile Marketplace.”  CDT and FPF are working together to improve mobile and app privacy and take the opportunity of the Senate hearing to make this statement on app privacy:

Today’s hearing demonstrated that the collection of personal information through Apps operating on mobile devices raises serious privacy issues. “Apps,” a shorthand for “applications” commonly used to refer to programs on mobile devices, are booming in popularity.  Apps are also beginning to appear on Internet-linked televisions, on desktop computer operating systems and on the Web.

Apps often collect, use, share, and retain a variety of information, including location data. Sometimes this data is important to the app’s functionality. Sometimes, however, the data is not actually needed for app functionality and may be collected inadvertently. In other cases, the data is collected for targeted advertising, helping developers provide free and low-cost programs.  However, any data collection practices can pose privacy issues, especially when the user is not aware of or has not consented to the collection. For users of mobile devices, a recent survey shows that privacy is their number one concern.

Accordingly, CDT and FPF are currently engaged with major stakeholders in the mobile ecosystem—app developers, device manufacturers, and mobile platforms—to develop best practices and privacy principles for mobile devices. Once complete, we hope these principles will provide guidance to developers, platforms, and policymakers. For developers who are not familiar with the complex concerns surrounding user privacy, the CDT and FPF process will address the following fundamental issues:

1.  Privacy Policy.  Every app should have a written Privacy Policy explaining to users, in plain language, what data is collected, how it is used, how it will be displayed, shared, or transferred, and how long it will be retained.  If data is collected, even incidentally, for the financial benefit of the app developer, e.g., for advertising, this should be disclosed.  The Privacy Policy should be readily accessible.  At a minimum, a link to the Privacy Policy should be provided prominently in the app itself, and the contents of the Privacy Policy should be easy for the user to read and understand.  Consideration should be given to layered privacy notices that summarize and link to the more detailed contents of a Privacy Policy.  Other means of summarizing privacy practices, such as symbols or icons, should also be considered.

2.  Meaningful User Choice.  Users should be provided meaningful choices about the collection, disclosure, and use of their personal or device information.  These choices should be explained in the Privacy Policy, but also presented “just-in-time” to users, when data is about to be collected.

3.  Data Minimization and Limited Retention.  Developers should only collect as much data as is necessary to perform the functions of the app and only retain this data for as long as it is needed, unless the user clearly has consented to greater collection and retention.

4.  Appropriate Data Security.  Developers should employ all reasonable physical, technical and administrative methods to protect the integrity and security of collected data.

5.  Education.  Developers should educate users about the types of data an app collects, and ways they can protect their privacy using the app.  Developers should educate themselves about the laws they are subject to and take note of possible obligations under COPPA, as well as self-regulatory initiatives such as those proposed by CTIA, MMA and the GSMA.

6.  Privacy by Design.  Developers should think about privacy from the beginning of the app development process.  Developers should consider what personal or device data is needed for app functionality and design the app to collect only what is needed, share it only with those needed to perform the functions of the app, and retain it only for as long as is necessary, and only after proper notice and choice for the user has been provided.  This also means ensuring that needed physical, technical and administrative protections are in place for the data collected, and that accountability principles are employed to ensure that data is handled properly, including regular auditing and training of employees and contractors.

CDT and FPF are seeking input from platforms, carriers, device manufacturers, app developers and others on these issues and plan on expanding the foregoing concepts in order to provide the detail and specificity necessary for them to be effectively implemented. Given the incredible growth in the number of apps and the immediate need for a basic set of rules for developers, we urge all stakeholders to participate.

Center for Democracy & Technology (CDT)  is a non-profit public interest organization working to keep the Internet open, innovative, and free. With expertise in law, technology, and policy, CDT seeks practical solutions to enhance free expression and privacy in communications technologies. CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media. 

The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.

Media Contacts:

Brock Meeks (CDT)

202-407-8814

[email protected]

Ted Kresse (FPF)

202-777-3719

[email protected]

FPF Finds Nearly Three-Quarters of Most Downloaded Mobile Apps Lack A Privacy Policy

Earlier this week in the US Senate, the Privacy, Technology and Law Subcommittee of the Judiciary Committee held a hearing on mobile privacy issues.  One focus of the hearing was the privacy of personal information collected and used by Apps on mobile devices, and one line of questioning concerned the absence of privacy policies for Apps used by consumers.  Without a privacy policy to review, consumers may not have the ability to understand and control the use of their personal data by the Apps.  And although privacy policies should not be the only way companies communicate with users about data use, posting a privacy policy is the essential first step for companies to take to be accountable for their practices of collecting and using online data.

With that in mind, the Future of Privacy Forum this week analyzed the top 30 paid mobile apps across the leading operating systems (iOS, Android, & Blackberry) and discovered that 22 of the 30 (nearly three-quarters) lacked even a basic privacy policy.  A previous analysis of mobile apps by the Wall Street Journal this past December found that forty-five of the top 101 iPhone or Android apps it assessed did not provide privacy policies on their websites or inside the apps at the time of testing.


FPF’s methodology included analyzing the top paid iPhone apps in the Apple App Store on May 10, 2011, and industry standard reporting from Distimo.  In the assessment, FPF looked for the website of the application developer and investigated whether the developer had a privacy policy that could be associated with their App. If a privacy policy was found on a website, the application developer was credited with having a mobile application privacy policy.  FPF also downloaded a sample of the paid apps to a mobile device and determined if at any time during the download and installation process a privacy policy was presented to the user of the device.  Out of the sample tested, FPF found that only one (Angry Birds iOS) had a privacy policy link from within the user interface.  


FPF believes that a fundamental element of protecting the privacy of consumers using Apps is the availability of a readily-accessible, written privacy policy.  FPF believes that, at a minimum, App Developers should have privacy policies (with which they comply) for all Apps offered to consumers.  Once a consumer reviews a privacy policy, he or she can choose whether to install or continue using the App, a fundamental part of privacy control.  FPF is working with the Center for Democracy and Technology (CDT) to suggest additional ways that app developers can improve their privacy practices to protect consumers’ personal privacy.


To see the list of 30 apps analyzed by FPF and whether or not they have a basic privacy policy in place, click here.

*Research and creation of app privacy policy matrix by Shaun Dakin and Shreya Vora, Future of Privacy Forum Fellows

FPF Summary of CPUC Smart Grid Rules

On May 6, 2011, the California Public Utilities Commission (CPUC) issued a proposed decision addressing privacy and security concerns around the Smart Grid.  The proposed decision is notable because it is the most significant step yet in the U.S. towards a comprehensive set of smart grid privacy rules.

With that in mind, we have prepared a brief summary of the CPUC proposed decision to help navigate the terrain.  

Among the highlights: 

There are several principles targeted toward data management. Covered entities will be limited in their ability to collect data—only information that is “reasonably necessary” or “authorized by the Commission” to accomplish primary or secondary purposes.  Covered entities must have prior customer consent to collect, store and use information, except that electrical corporations may collect and store customer data without customer consent if for a primary purpose.  Subject to certain conditions, covered entities may share information with service providers without consent.  Covered entities must also ensure the quality, integrity, and security of the data. Finally, the PUC imposes data security and privacy audit and reporting requirements which include providing copies of the privacy notices for customers, internal privacy and data security policies, third party disclosure information and secondary uses authorization forms.  The PUC rejected suggestions that third parties should be required to register for certification to offer services that require access to customer energy consumption data.

For a more comprehensive look into the proposed decision, see the FPF summary here.

The CPUC is accepting comments regarding its proposed rules until May 26, 2011, with reply comments due five days after that deadline.  FPF will be filing its comments in the upcoming weeks.

Many thanks to our colleague Tim Tobin for his excellent and comprehensive review of the decision.

Future of Privacy Summary of California Public Utilities Commission Proposed Decision on Smart Grid Privacy and Security

May 9, 2011


On May 6th, the California Public Utilities Commission (CPUC) issued a proposed decision by CPUC President Peevey addressing smart grid privacy and security.  The CPUC proposed decision presents the most significant step yet in the U.S. towards a comprehensive set of smart grid privacy rules.  The CPUC is accepting comments regarding its proposed rules until May 26, 2011.

The proposed decision develops a regulatory framework that is wide-ranging in reach.  It would apply privacy and security rules to California’s three investor-owned electric utilities offering or proposing to install smart meters, Pacific Gas and Electric Company (PG&E), Southern California Edison Company (SCE), and San Diego Gas & Electric Company (SDG&E), and so to the data of their customers.  It would extend the proposed rules to companies that contract with these utilities.  Most notably, the proposed rules would also apply, by utility tariffs, to certain other third party companies that are not in contractual privity with a utility.

Specifically, a third party would have to comply with the PUC rules when it obtains access to customers’ usage data via Home Area Network (HAN)-enabled devices that are “locked” to automatically transfer usage data to the third party.  In addition, the proposed rules would require utilities to provide third parties with access to usage data that customers authorize if the third parties comply with the privacy and security rules.  The PUC rejected suggestions that third parties should be required to register for certification to offer services that require access to customer energy consumption data.

The following summarizes some of the key aspects of the proposed decision.

PUC’s Assertion of Jurisdiction Over Third Parties

In assessing its jurisdiction, the Commission examined its general regulatory authority as well as SB 1476, the smart grid privacy law that took effect January 1, 2011.  The PUC focused especially on the provisions of SB 1476 that address requirements utilities must impose on third parties with whom they contract, either to perform utility functions or to enable customer monitoring of energy usage information.  See Cal. Pub. Util. Code § 8380.  Based on those provisions, the PUC concluded that it had authority to enact rules relating to third parties that contract with utilities.

The PUC also considered its jurisdiction over third parties that obtain energy consumption data through channels independent of the utility, either from a HAN device or from the utility customer.  The PUC concluded it has jurisdiction to ensure compliance with its privacy and data security rules for some of these third parties.  The PUC noted that a non-utility HAN-enabled device must already be authorized through registration with the utility to allow the direct transfer of data from the Smart Meter to the third party.  The PUC concluded that for HAN-enabled devices “locked” (i.e., designated for that third party alone) for automatic transfers of data to the third party, utility tariffs should govern these third parties’ activities.  Specifically, utility tariffs should require as a condition of registering the device with the Smart Meter, that the third party show that it has consumer consent for the proposed uses of data and that it is in compliance with PUC requirements for protecting consumer data.

The PUC declined to assert authority over other third parties offering HAN-enabled devices that do not automatically transfer information to a third party.  Instead, under the PUC’s framework, it would require utilities, through tariffs, to provide consumers with information about the potential uses and abuses that arise from sharing energy usage data with third parties.  The PUC would also not attempt to regulate consumers and what they choose to do with their own usage data.

With the exception of consumer consent requirements, the PUC would exempt fully from the proposed rules third parties that obtain information regarding ten or fewer households.  The PUC proposes this exemption to avoid regulating situations where a friend or family member has access to usage information in the course of caring for others.

Summary of Proposed Rules

The PUC’s proposed rules draw from months of hearings and comments filed in its consideration of smart grid privacy and from the intervening passage of SB 1476 on September 29, 2010.  As a result of those proceedings, the PUC expressly embraces and follows an approach to protect consumer privacy based on Fair Information Practice (FIP) principles:  (1) Transparency, (2) Individual Participation, (3) Purpose Specification, (4) Data Minimization, (5) Use Limitation, (6) Data Quality, (7) Security, and (8) Accountability and Auditing.   The PUC’s proposed rules draw heavily from suggested rules presented to the PUC last year by the Center for Democracy and Technology (CDT) and the Electronic Frontier Foundation (EFF), with some modifications.

1. Definitions

There are five primary defined terms used throughout the proposed rules whose meaning is important to the rules’ application: (1) Covered Entity; (2) Customer; (3) Covered Information; (4) Primary Purposes; and (5) Secondary Purposes.

Covered Entity:  A “covered entity” is “(1) any electrical corporation [currently just PG&E, SCE, and SDG&E] or any third party that collects, stores, uses, or discloses covered information relating to 11 or more customers who obtains this information from an electrical corporation or through the registration of a locked device that transfers information to that third party.”

Customer:  A “customer” is “any entity receiving retail generation, distribution or transmission service from an electrical corporation.”

Covered Information:  “Covered information” is “any usage information obtained through the use of the capabilities of Advanced Metering Infrastructure when associated with any information that can reasonably be used to identify a customer.”  However, “covered information does not include usage information from which identifying information has been removed such that a customer cannot reasonably be identified or re-identified.”

Primary Purposes:  “Primary Purposes” relating to “the collection, storage, use or disclosure of covered information” include (1) providing or billing for electrical power, (2) fulfilling other operational needs of the electrical system or grid, (3) providing services as required by law or order of the PUC, or (4) planning, implementing or evaluating demand response, energy management, or energy efficiency programs operated by, or on behalf of and under contract with, an electrical corporation.

Secondary Purposes:  Any purpose that is not a primary purpose.

2. Transparency (Notice)

The proposed rule contemplates both a notice and a privacy policy.  The proposed rules would require that covered entities “provide customers with meaningful, clear, accurate, specific, and comprehensive notice regarding the collection, storage, use, and disclosure of covered information.”  Covered entities must provide the notice when confirming a new customer account and at least twice a year.  The notice must be written or electronic and it must advise customers how they may obtain a copy of the covered entity’s privacy policy.  Covered entities must also post or provide a link to the notice and privacy policy on the home page of their website and include a link to the notice and privacy policy in all electronic communications to customers.

The notice must make clear it is a privacy notice and shall be “easily understandable” and “no longer than necessary to convey the requisite information.”  Both the notice and privacy policy must identify the covered entity, include the effective date, address how customers will be advised of alterations, and provide contact information for an official to answer questions or complaints.

3. Purpose Specification

The proposed purpose specifications would require that the notice discussed above “explicitly describe each category of covered information collected, used, stored or disclosed by the covered entity” and the purposes for doing so.  In addition, as proposed, the notice must also describe:

4. Individual Participation (Access and Control)

The proposed rule would require that customers have access to their covered information and control over its use and disclosure.  Covered entities must provide access to customers in an “easily readable format” at least as detailed as what covered entities provide third parties.  Customers must have “convenient mechanisms” to approve and revoke approval for secondary uses of their covered information.  Customers must also be able to correct and amend their information.

The proposal would strictly limit the circumstances where a covered entity could disclose covered information to third parties.  Except as otherwise permitted by the proposed rules (see, e.g., item 6 below) or other laws, a covered entity would be prohibited from disclosing covered information except pursuant to a warrant or court order, with the express consent of the customer, or to emergency responders in situations involving imminent threat to life or property.  Real-time information access requests would be governed by state and federal wiretap laws.  If a covered entity receives a subpoena, it would be required to notify the customer in writing and provide the customer with 7 days to appear and contest the information sought, subject to any legal prohibitions on advance disclosure.  The proposed rules do not prevent a covered entity from disclosing customer contact information pursuant to a subpoena.  Covered entities would be required, upon request, to provide reports to the PUC regarding requests made pursuant to legal process.

5. Data Minimization

Covered entities would only be allowed to collect, use, store, retain, and disclose covered information as is “reasonably necessary” or “authorized by the Commission” to accomplish a specific primary purpose or a secondary purpose authorized by customers.

6. Use and Disclosure Limitation

Under the proposed rules, electrical corporations may collect, store, and use customer information without customer consent if for primary purposes.  Other covered entities generally must have prior customer consent.

The proposed rules include a service provider exception to prior customer consent for all covered entities.  Specifically, any covered entity would be permitted to disclose customer information to a third party without customer consent:

Third party sharing with sub-contractors is permitted under similar restrictions.  Any covered entity that discovers a pattern or practice of third parties violating these provisions would be required to stop disclosing covered information to those parties.

Covered entities would be required to obtain customers’ “prior, express, written authorization” for using or disclosing covered information for secondary purposes, except as permitted in section 4 above.  Residential customers would have the right to revoke authorization at any time through the same mechanism used to provide consent, and covered entities would have to notify customers at least annually of their right to revoke.

The proposed rules would not restrict covered entities from sharing aggregated de-identified data for “analysis, reporting or program management.”  Such data cannot reveal specific customer information.

7. Data Quality and Integrity

Covered entities would be obligated to ensure data is reasonably complete and accurate or otherwise handled consistent with applicable rules and tariffs.

8. Data Security

The proposed data security rule would obligate covered entities to implement reasonable administrative, technical and physical safeguards to protect covered information.  In addition, the proposed rules address data breaches.  Covered third parties must notify the disclosing party within one week of detecting a breach.  A covered electrical corporation must notify the PUC of any breach affecting 1,000 or more customers within two weeks of detecting its own breach or within one week of notification from a third party.  Beginning in 2010, covered electrical corporations must provide an annual report to the PUC notifying it of all security breaches.  The proposed rules do not define a security breach.  As to individual notice, the PUC stated it would expect covered entities to comply with federal and state breach notification laws.

9. Accountability and Auditing

Under this proposed rule, the PUC imposes separate independent data security and privacy audit and reporting requirements on electrical corporations.  However, in addition, all covered entities would be required, upon PUC request or audit, to provide:

Covered entities would also be required to develop a process to address customer complaints.  The proposed rules also call for covered entities to provide employee and contractor training.

Other Issues Addressed by the PUC

The PUC also addressed the obligations of PG&E, SCE, and SDG&E to provide access to customer energy consumption data to third parties.  Regarding data provided via the backhaul (i.e., an Internet connection with the utility), the PUC noted that SDG&E already enables third parties, such as Google through its PowerMeter, to make consumption information available to its customers.  The PUC concluded that “[t]here is no reason why SCE and PG&E should not provide access to authorized parties to consumer usage data available through the backhaul as SDG&E already does.”  It believes requiring access is reasonable and in the public interest.  Accordingly, the PUC proposes that PG&E and SCE make appropriate filings with tariffs enabling third party access to usage data when authorized by the consumer and where the third parties agree to the privacy and data security protections adopted in the proceeding.

Regarding third party access to more granular consumption data for customers through devices that connect directly to the smart meter, such as HAN devices that “lock” and automatically transmit meter data to the third party, the PUC believes the considerations are the same.  Noting that the development of the SEP 2.0 communication standard has been delayed, the PUC proposed that PG&E, SCE and SDG&E develop pilot projects for HAN-enabled devices to connect to smart meters.  The goal would be to determine the best methods to afford customers direct access to the disaggregated data available in smart meters and to encourage these companies to work toward a common interface for third party and customer devices.

The PUC also addressed PG&E, SCE and SDG&E’s provisioning of pricing information to customers.  The PUC proposes that the companies should make approximate price information available to customers online, available at least one day later on a daily basis and updated in hourly or 15 minute increments.  This should include bill-to-date, bill forecast data, projected month-end tiered rate, and notices to customers when they cross rate tiers.  The PUC also called for the companies to work together to provide consumers with wholesale price information.  The PUC declined to propose an order to make near-real time price information available because of the complexity of current tariff schedules.  The PUC expects to revisit this issue in the context of HAN and HAN-enabled devices.

* * *

The proposed rules are significant in that they would become the first comprehensive set of smart grid privacy rules in the United States.  The proposed decision states that further study is not required and that the time for rules is ripe.  As noted at the outset, the PUC is accepting comments on the proposed rules until May 26, 2011.  Reply comments will be accepted for 5 days after that.