FPF & CDT Release Best Practices for Mobile App Developers
Today, the Future of Privacy Forum and the Center for Democracy & Technology publicly released a beta version of their “Best Practices for Mobile Applications Developers.” We have been working on this guidance over the past year in consultation with stakeholders from industry and civil society, both in the United States and abroad. We hope that this document can serve as a primer for developers who are interested in preserving their customers’ privacy but who aren’t necessarily privacy experts themselves.
We started on this project because of heightened privacy issues in the mobile environment. Application developers can access a considerably broader range of information about users than traditional web developers. Last year, the Wall Street Journal reported that of the top 101 apps, most were transmitting personal information about users, such as unique device identifiers, age, gender, and precise geo-location information to third parties. Research from the Future of Privacy Forum has shown that even in the most popular applications, less than half have privacy policies detailing what they do with customer data.
The best practices are based on long-established privacy principles that we believe should apply to everyone who collects and processes individual information, not just mobile developers. Among the recommendations that we make to developers are:
Be completely transparent about how you are using or transmitting customer data
Don’t access more data than you need, and get rid of old data
Give your customers control over uses that users might not expect
Use reasonable and up-to-date security protocols to safeguard data
As the app developer, you need to be responsible for thinking about privacy, and taking privacy into consideration during the various stages of your app life cycle
This is not a final pronouncement on our view as to what app developer best practices are. We’re soliciting public comment on this draft — if you have feedback, please send your thoughts to [email protected]
Also, check out the survey we released yesterday finding that Free Mobile Apps are Better than Paid on Privacy Policies.
FPF Releases Mobile Apps Study
The Future of Privacy Forum has released a study on the most popular apps. FPF tested privacy policies for the top paid and free apps and found that free apps that are paid for by targeted advertising are twice as likely to have privacy policies. To see the press release and the full study, please click here.
FPF Survey: Free Mobile Apps Better than Paid on Privacy Policies
Future of Privacy Forum Survey Finds Free Mobile Apps Better than Paid on Privacy Policies
Apps supported by advertising and tracking twice as likely to have privacy policies as paid apps
Washington, DC—In May, the Future of Privacy Forum reviewed the most popular paid apps for the iPhone, Android and Blackberry marketplaces, documenting which ones provide consumers with the most basic privacy protection: a legally binding privacy policy. In a new survey released today, FPF tested privacy policies for the top paid and free apps. Key findings from the new survey include the following:
1. Free apps are twice as likely to have privacy policies as paid apps.
- Out of the free apps surveyed, 66 percent had privacy policies, while only 33 percent of the paid apps had privacy policies.
2. Free apps make their privacy policies easier to find than paid apps.
- Of the free apps with privacy policies, approximately 75 percent made the privacy policy accessible in the app itself or via a web link from the app. To find privacy policies for the other 25 percent, consumers had to visit the developer’s website.
- Of the paid apps with privacy policies, 50 percent made the privacy policy accessible through the app or via a link, and 50 percent made the privacy policy only accessible on the developer’s website.
3. The percentage of paid apps that have privacy policies has slightly increased.
- Out of the paid apps surveyed, 33 percent had privacy policies, marking an improvement over the FPF May 2011 survey in which only 26 percent of paid apps had privacy policies. (The May survey reviewed only paid apps.)
According to FPF Director and Co-Chairman Jules Polonetsky, the reason that free apps have a better record on privacy policy has to do with their primary revenue source.
“We weren’t surprised to discover that free apps were doing better than paid apps, because free apps are more likely to be dependent on advertising and tracking and have more to disclose than paid apps,” explained Polonetsky. “Although a privacy policy isn’t the final word when it comes to communicating with consumers about how their data is used, companies providing policies show that they have taken an essential step to document their practices and provide legal accountability for their actions,” he added.
“With resources for app developers like our resource site, applicationprivacy.org, and privacy policy generators provided by TRUSTe and PrivacyChoice.org, there is no excuse anymore for app developers not to provide consumers with privacy policies,” said FPF Co-Chairman Christopher Wolf.
Research for and the creation of the app privacy policy matrix was conducted by FPF Fellow Kenesa Ahmad.
Click here to view the complete study. To schedule an interview with Jules Polonetsky, please e-mail [email protected].
Notes About Methodology:
The Future of Privacy Forum analyzed the top 10 paid and free applications for:
1) App Store, iPhone – U.S.
2) Google Android Market – U.S.
3) Blackberry App World – worldwide (all devices)
according to the Distimo September 2011 industry report, released in late November.
In the assessment, researchers downloaded each app and looked at the application developer’s website to determine whether a privacy policy existed and could be associated with the application. If a privacy policy was either found in the application or located on the developer’s website, the developer was credited with having an application privacy policy. FPF denoted these distinctions with asterisks. However, if the application website had a privacy policy that did not cover the application, FPF did not give it credit for having a privacy policy.
The lists of apps are different from those used in the FPF’s first survey because the top apps for each OS/device vary from month to month. In this survey, FPF used the top ten lists in the September 2011 Distimo app industry report. The Distimo report provides the top paid apps in the U.S. for Android and Apple, and the top paid apps worldwide for Blackberry.
####
The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.
Tech-savvy shoppers have more tools than ever before. Jules Polonetsky discussed the benefits and best practices of using mobile technology on “The Paul W. Smith Show” on News/Talk 760 WJR in Detroit. Listen here for the interview.
Industry Leaders Discuss Benefits of Self-Regulation for OBA
On Tuesday afternoon, the Information Technology Innovation Foundation (ITIF) unveiled a new paper titled, “Benefits and Limitations of Self-Regulation for Online Behavioral Advertising” at a Microsoft event on self-regulation in the online behavioral advertising (OBA) environment. In the paper, author and ITIF senior analyst Daniel Castro explains, “[S]elf-regulation benefits the economy by creating a more flexible regulatory environment than is typically found with state regulation. Industry experts review current activities, identify best practices, and develop these into industry guidelines. These guidelines continue to evolve over time in response to feedback from industry leaders.”
Panelists discussed key issues about the current self-regulatory framework, including the multi-stakeholder environment, and issues surrounding the upcoming W3C Do-Not-Track standards. Rachel N. Thomas, Vice President of government affairs for the Direct Marketing Association, noted that she is already “seeing a shift in the way folks [consumers] are talking,” in terms of consumers having an easier time identifying what they are afraid of, while also understanding the benefits of OBA. Morgan Reed, Executive Director of the Association for Competitive Technology, pointed out that the 600,000 jobs created by the mobile apps economy are evidence that self-regulation is working.
Though most panelists expressed the view that self-regulation adapts to change more readily than government regulation, they also acknowledged that further FTC enforcement against the “bad actors” is a good thing. “People sometimes forget that we are not a membership driven program. We are an industry-wide program, which means that your bad apples are under my purview. And if you don’t abide by the rules, we aren’t afraid to refer you to the FTC,” said Genie Barton, Vice President and Director of the OBA program at the Council of Better Business Bureau.
-Lia Sheena
Who Would You Put on the Nice List?
2011 has been a year marked by criticism of industry data practices. Certainly many of the concerns have been warranted and we know that many businesses have increased their efforts to ensure they have the staff and processes in place to do better going forward.
At the Future of Privacy Forum, we believe in the carrot as well as the stick and we think it is important to give credit to the companies that are working hard to get privacy right. We maintain an annual “Gallery of Leading Practices” in order to encourage companies to develop innovative ways to advance responsible data practices. We hope that some of these practices become industry standards. We think it is important to highlight the companies that have adopted innovative practices in the last year and are leading the way so as to encourage other companies to follow.
As the year closes, we are soliciting nominations for the 2011 Future of Privacy Forum Gallery of Leading Practices. Please email [email protected] with your suggestions for companies that are leading the industry towards better privacy practices. Please highlight for us the specific practice you are applauding and provide a URL or screenshot that will allow us to review the information firsthand.
To see the 2009 and 2010 galleries, please click here.
Thank you,
Jules Polonetsky and Christopher Wolf
Future of Privacy Forum
Dec. 4, 2011 – Jules Polonetsky Discusses Cyber Trends with Tom Grooms on Mix 107.3 FM
When it comes to the holidays, there’s an app for that! Jules Polonetsky discussed holiday cyber trends with “Spectrum” host Tom Grooms on Mix 107.3 FM in Washington, DC. Listen here for the interview.
Omer Tene
Omer Tene is an Associate Professor at the College of Management School of Law, Rishon Le Zion, Israel; Affiliate Scholar at the Stanford Center for Internet and Society; and Visiting Fellow at the Berkeley Center for Law and Technology and the Institute for Jewish Law and Israeli Law, Economy and Society.
He is Managing Director of Tene & Associates, where he consults the Israeli government, data protection authority and private sector businesses ranging from technology start-ups to Fortune 100 companies in the financial, health, telecom, mobile and online industries on privacy, data protection and law and technology issues. He was appointed by the Israeli Minister of Justice as Member of the National Privacy Protection Council and is a member of the advisory board of the Future of Privacy Forum; European advisory board of IAPP; and Editorial Board of International Data Privacy Law (Oxford University Press). He headed the Steering Committee for the 32nd annual conference of privacy and data protection commissioners.
He is a graduate of the JSD and LL.M. programs at NYU School of Law and received an MBA degree from INSEAD as well as LL.M. and LL.B. degrees from Tel Aviv University. He was an associate at the New York office of Debevoise & Plimpton and at the Paris office of Fried Frank and a Senior Research Fellow at the British Institute of International and Comparative Law in London, where he directed the Data Protection Group.
He has published numerous articles about privacy and data protection, including:
- Omer Tene, Me, Myself and I: Aggregated and Disaggregated Identities on Social Networking Services, __ J. Int’l Comm. L. & Tech. __ (forthcoming Fall 2011).
- Omer Tene & Jules Polonetsky, To Track or ‘Do Not Track’: Advancing Transparency and Individual Control in Online Behavioral Advertising, __ Minn. J. L. Sci. & Tech. __ (forthcoming Fall 2011).
- Omer Tene & Yucel Saygin, Privacy and Data Protection in Turkey: (Inching) Towards a European Framework, Privacy & Security Law Report (October 2011).
- Omer Tene, Reforming the Law from the Ground Up: Recent Developments in Israel’s Privacy Regulation, 9 (38) BNA Privacy & Security Law Report 1341 (2010).
- Omer Tene, Israeli Data Protection Law: Constitutional, Statutory and Regulatory Reform, 8(1) Privacy and Data Protection 6 (2007).
Kenesa Ahmad is a legal and policy fellow at Future of Privacy Forum. She works on issues related to privacy and security, focusing on mobile application privacy. Prior to joining FPF, she received her law degree from the Moritz College of Law of the Ohio State University, where she served as an Articles Editor of the Ohio State Law Journal, and received her LLM from Northwestern University Law School. Kenesa is co-author of the IAPP Privacy Foundations certification book (forthcoming Fall 2012) and is admitted to the Virginia Bar.
Peter Swire
Peter P. Swire
Peter P. Swire is the Nancy J. and Lawrence P. Huang Professor at the Scheller College of Business of the Georgia Institute of Technology. He is a Senior Fellow with the Future of Privacy Forum, and also a fellow with the Center for American Progress and Center for Democracy and Technology. In November, 2012 he was named the co-chair of the Tracking Protection Working Group of the World Wide Web Consortium, the Do Not Track process. He has been a recognized leader in privacy, cybersecurity, and the law of cyberspace for well over a decade, as a scholar, government official, and participant in numerous policy, public interest, and business settings. From 2009 to 2010 Professor Swire was Special Assistant to the President for Economic Policy, serving in the National Economic Council under Lawrence Summers. From 1999 to early 2001 Professor Swire served as the Clinton Administration’s Chief Counselor for Privacy, in the U.S. Office of Management and Budget, as the only person to date to have government-wide responsibility for privacy issues. Among his other activities when at OMB, Swire was the White House coordinator for the HIPAA Medical Privacy Rule and chaired a White House Working Group on how to update wiretap laws for the Internet age. Professor Swire is lead author of the official texts for the Foundations and U.S. Law examinations for Certified Information Privacy Professionals. Many of his writings appear at www.peterswire.net.