EFF’s New Mobile User Privacy Bill of Rights
Late last week the Electronic Frontier Foundation (EFF) called for a Mobile User Privacy Bill of Rights. EFF argues that in order for the manufacturers, carriers, app developers, and mobile ad networks to earn and retain the trust of the public, they must respect user privacy. Application developers were specifically targeted by EFF because of their lead role on these issues. EFF says developers need to create applications that respect the following rights:
- Individual control: Users have a right to exercise control over what personal data applications collect about them and how they use it. Although some access control exists at the operating system level in smart phones, developers should seek to empower users even when it’s not technically or legally required by the platform. The right to individual control also includes the ability to remove consent and withdraw that data from application servers. The White House white paper puts it well: “Companies should provide means of withdrawing consent that are on equal footing with ways they obtain consent. For example, if consumers grant consent through a single action on their computers, they should be able to withdraw consent in a similar fashion.”
- Focused data collection: In addition to standard best practices for online service providers, app developers need to be especially careful about concerns unique to mobile devices. Address book information and photo collections have already been the subject of major privacy stories and user backlash. Other especially sensitive areas include location data and the contents and metadata of phone calls and text messages. Developers of mobile applications should only collect the minimum amount required to provide the service, with an eye towards ways to achieve the functionality while anonymizing personal information.
- Transparency: Users need to know what data an app is accessing, how long the data is kept, and with whom it will be shared. Users should be able to access human-readable privacy and security policies, both before and after installation. Transparency is particularly critical in instances where the user doesn’t directly interact with the application (as with, for example, Carrier IQ).
- Respect for context: Applications that collect data should only use or share that data in a manner consistent with the context in which the information was provided. If contact data is collected for a “find friends” feature, for example, it should not be released to third parties or used to e-mail those contacts directly. When the developer wants to make a secondary use of the data, it must obtain explicit opt-in permission from the user.
- Security: Developers are responsible for the security of the personal data they collect and store. That means, for example, that it should be encrypted wherever possible, and data moving between a phone and a server should always be encrypted at the transport layer. Find out more about this in our post Privacy Please – Security Risks and How to Reduce Them.
- Accountability: Ultimately, all actors in the mobile industry are responsible for the behavior of the hardware and software they create and deploy. Users have a right to demand accountability from them.
Here are some specific practices EFF says developers should use to preserve user privacy:
- Anonymizing and obfuscation: Wherever possible, information should be hashed, obfuscated, or otherwise anonymized. A “find friends” feature, for example, could match email addresses even if it only uploaded hashes of the address book.
- Secure data transit: TLS connections should be the default for transferring any personally identifiable information, and must be the default for sensitive information. You can learn more about AT&T’s network security features and the implications for protocols and technologies on our Network Security page.
- Secure data storage: Developers should retain the information only for the duration necessary to provide their service, and the information they store should be properly encrypted.
- Internal security: Companies should provide security not just against external attackers, but against the threat of employees abusing their power to view sensitive information.
- Penetration testing: Remember Schneier’s Law: “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.” Security systems should be independently tested and verified before they are compromised.
- Do Not Track: One way for users to effectively indicate their privacy preferences is through a Do Not Track (DNT) setting at the operating system (OS) level. Currently, DNT is limited mostly to web browsers, and only Mozilla’s under-development Boot2Gecko supports the Do Not Track flag at the OS level. But developers would benefit from the clear statement of privacy preferences, and should encourage other OS makers to add support.
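As an added illustration of the hashed address-book matching described under "Anonymizing and obfuscation" above (example code written for this post, not EFF's or any vendor's implementation; the sample address book, the registered-user list and the trim-and-lowercase normalization rule are constructed assumptions), the client uploads only hashes, and the server returns only the hashes that matched, so unmatched contacts are never disclosed:

```python
import hashlib

# Constructed sample data: the user's local address book (device side) and
# the service's registered users (server side). Not real addresses.
LOCAL_ADDRESS_BOOK = {
    "Alice": "Alice@Example.com ",   # mixed case and trailing space on purpose
    "Bob": "bob@example.org",
    "Carol": "carol@example.net",
}
REGISTERED_USERS = ["alice@example.com", "dave@example.com", "carol@example.net"]


def normalize_email(addr: str) -> str:
    """Canonicalize so that equal addresses produce equal hashes.
    Assumed rule for this example: trim whitespace and lowercase."""
    return addr.strip().lower()


def hash_email(addr: str) -> str:
    """SHA-256 hex digest of the normalized address."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def client_prepare_upload(address_book: dict) -> dict:
    """Device side: map hash -> local contact name.
    Only the keys (hashes) are sent; names and raw addresses stay on the phone."""
    return {hash_email(addr): name for name, addr in address_book.items()}


def server_match(uploaded_hashes, registered_users) -> set:
    """Server side: intersect the uploaded hashes with hashes of registered users.
    The server receives no plaintext addresses from the client, and it returns only
    the hashes that matched. In line with the secure-storage practice above, the
    uploaded hashes are used for the match and are not persisted."""
    registered = {hash_email(u) for u in registered_users}
    return set(uploaded_hashes) & registered


def find_friends(address_book, registered_users) -> list:
    """Full exchange: client hashes, server matches, client resolves names locally."""
    local_map = client_prepare_upload(address_book)
    matched = server_match(local_map.keys(), registered_users)
    return sorted(local_map[h] for h in matched)


if __name__ == "__main__":
    print(find_friends(LOCAL_ADDRESS_BOOK, REGISTERED_USERS))  # ['Alice', 'Carol']
```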
EFF isn’t the first organization to create a list of rules and best practices for application data privacy. In May 2011, the Future of Privacy Forum worked with developers, platform providers and tech companies including AT&T, Google, Facebook, Intel, Zynga and the Center for Democracy and Technology to build ApplicationPrivacy.org, an online resource that provides application developers with the tools and resources they need to implement responsible information collection and use practices. The site hosts emerging standards and best practices, privacy guidelines required by platforms and app stores, relevant laws and regulatory guidance.
As a developer, which best practices are you most focused on? What concerns do you have in regards to protecting your users’ data?