Mobile Application Privacy: NTIA Publishes Latest Multistakeholder Transparency Draft for Comment

The National Telecommunications and Information Administration ("NTIA"), part of the U.S. Department of Commerce, has been convening multistakeholder meetings to work on improvements to data collection/use transparency--an effort called for in the Obama Administration's Consumer Privacy Bill of Rights. On February 4th, 2013, the NTIA released the latest discussion draft of its Code of Conduct for Mobile Application Transparency. The goals of this initiative, as stated in the latest draft, are to "balance the objectives of transparency, brevity and functionality," or more specifically:

• Transparency: Consumers expect clear, succinct explanations of an app’s data collection and third party data sharing policies.
• Brevity: Short form notices must enhance app transparency and understanding in context.
• Functionality: App developers need transparency standards that they can easily implement in the context of an app without diminishing the user experience.
• Consumers hold a spectrum of attitudes towards sharing their data with apps. Consumers’ willingness to share data will vary with context and time, and apps should facilitate those choices.
• Regulators, legislators, and privacy and consumer advocates all seek a fair balance among all of the interests involved, recognizing some consumers’ choice to share data with apps in exchange for a wide variety of tools, content, entertainment.
• Apps will evolve over time to offer fixes, enhancements, and changes to the original functionality. Apps may need to offer new functionality and/or they may need to adapt their business models. When apps’ data policies evolve in material ways, the apps must promptly and prominently update their disclosures to consumers.
• Continued work will need to be done to help integrate the full range of fair information practices with effective methods of transparency for innovative data uses. App developers understand that the implementation of these principles is just one aspect of satisfying consumer expectations and they commit to leading their industry to develop common practices and tools that adhere to fair information practices (these principles include access to personal information, control over storing information and sharing it with third parties).
• App Developers who adhere to this code of conduct and provide short form notice as described in Section II, are engaging in a best practice that significantly enhances transparency of data practices. This code reflects the state of industry best practices for transparency. Although compliance with the code and provision of a short form notice does not guarantee that any individual developer is providing an accurate notice for their specific practices, the authors of this code believe that compliance with the standardization provided by this notice should be a compelling factor serving to limit claims that a notice is deficient.

According to John Verdi, Director of Privacy Initiatives for the NTIA,comments and proposed changes on the latest discussion draft should be sent either to Tim Sparapani or Verdi himself by February 18, 2013. Verdi further states that "[c]omments from prospective adopters are particularly encouraged!"

The informational page for the multistakeholder process on moible application transparency, including meeting schedules and other relevant links, may be found here.

New Article: Privacy, Transparency and Google's Blurred Glass

I have just posted a new short article, Privacy, Transparency and Google's Blurred Glass, which looks at Google's privacy disclosures and how they may fall short of being as transparent as Google (and many others) would wish. The piece can be downloaded (as a PDF) from this link. Comments and questions are always welcome.

Path Pays $800,000 to FTC for Alleged Privacy Violations

On the same day that the FTC released its new report on mobile privacy, the Commission also announced its latest online mobile privacy enforcement action, an $800,000 settlement with the operator of the Path social networking app. According to the FTC's news release:

Path operates a social networking service that allows users to keep journals about “moments” in their life and to share that journal with a network of up to 150 friends.  Through the Path app, users can upload, store, and share photos, written “thoughts,” the user’s location, and the names of songs to which the user is listening.

In its complaint, the FTC charged that the user interface in Path's iOS app was misleading and provided consumers no meaningful choice regarding the collection of their personal information.  In version 2.0 of its app for iOS, Path offered an “Add Friends” feature to help users add new connections to their networks.  The feature provided users with three options: “Find friends from your contacts;” “Find friends from Facebook;” or “Invite friends to join Path by email or SMS.”  However, Path automatically collected and stored personal information from the user’s mobile device address book even if the user had not selected the “Find friends from your contacts” option.  For each contact in the user’s mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.
The FTC also alleged that Path’s privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information.  In fact, version 2.0 of the Path app for iOS automatically collected and stored personal information from the user’s mobile device address book when the user first launched version 2.0 of the app and each time the user signed back into the account.

The agency also charged that Path, which collects birth date information during user registration, violated the Children’s Online Privacy Protection Act (COPPA) Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent.  Through its apps for both iOS and Android, as well as its website, Path enabled children to create personal journals and upload, store and share photos, written “thoughts,” their precise location, and the names of songs to which the child was listening.  Path version 2.0 also collected personal information from a child’s address book, including full names, addresses, phone numbers, email addresses, dates of birth and other information, where available....

The case documents may be found here.

The FTC has been actively enforcing violations of children's privacy for more than ten years, and is explicitly increasing its enforcement activities in mobile privacy and data security. (The FTC recently announced changes to its COPPA rule, but those have not yet gone into affect; the Path enforcement arises out of the current rule.) This latest action is consistent with the Commission's ongoing efforts to both encourage proper practices with regard to consumers' personal information, and punish those firms that fail to appropriately respect privacy and data security.

New FTC Mobile Privacy Report: Trust Through Transparency

On February 1, 2013, the FTC released its latest privacy-focused report, Mobile Privacy Disclosures: Building Trust Through Transparency. In the report, which arose from the FTC's May 2012 mobile privacy summit and other efforts and suggestions, the Commission offers guidance to the many types of organizations that contribute to how mobile devices collect and use personal information: the operating system providers/platforms (Apple, Google, Microsoft, Blackberry, Amazon and others), app developers, the advertising networks, analytics firms and other third parties whose products are integrated with mobile devices, and the broader trade and research communities. In the FTC's view, each has responsibility toward the overall goal of improving privacy disclosure and protection. (The FTC states that it will also be issuing updated guidance regarding the related issue of advertising disclosure.)

The new report lays out the FTC's history of privacy study and enforcement, especially its efforts since and including its March 2012 Privacy Report, its ongoing work on children's privacy, and risk issues such as financial privacy. Building on its own work, the ongoing multistakeholder mobile privacy initiative of the National Telecommunications and Information Administration ("NTIA"), a Government Accountability Office ("GAO") report on mobile device location data and enforcement and guidance by the California Attorney General's Office, the FTC summary recommendations include the following:

Platforms, or operating system providers offer app developers and others access to substantial amounts of user data from mobile devices (e.g., geolocation information, contact lists, calendar information, photos, etc.) through their application programming interfaces (APIs). In addition, the app stores they offer are the interface between users and hundreds of thousands of apps. As a result, platforms have an important role to play in conveying privacy information to consumers. While some platforms have already implemented some of the recommendations below, those that have not should:

• Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;
• Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content;
• Consider developing a one-stop “dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded;
• Consider developing icons to depict the transmission of user data;
• Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;
• Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores;
• Consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.

App developers should:

• Have a privacy policy and make sure it is easily accessible through the app stores;
• Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);
• Improve coordination and communication with ad networks and other third parties, such as analytics companies, that provide services for apps so the app developers can provide accurate disclosures to consumers. For example, app developers often integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used. App developers need to better understand the software they are using through improved coordination and communication with ad networks and other third parties.
• Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.

Advertising networks and other third parties should:

• Communicate with app developers so that the developers can provide truthful disclosures to consumers;
• Work with platforms to ensure effective implementation of DNT for mobile.

App developer trade associations, along with academics, usability experts and privacy researchers can:

• Develop short form disclosures for app developers;
• Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps;
• Educate app developers on privacy issues.

As with other similar FTC reports, the Mobile Privacy Report does not mandate or legislate specific practices. It does, however, provide guidance on what the FTC might do in its own enforcement activity, or request in legislation from Congress should businesses consistently fail to follow the Commission's guidance on best practices. It will also be very influential on state attorneys general and their own privacy-related enforcement. As such, it should be read, understood and taken seriously by everyone involved in mobile device development and marketing.