Mobile data privacy is terra incognita to users and developers

Pitfalls lurk for even savvy consumers

President Obama's move Thursday to establish a so-called Privacy Bill of Rights for the Internet can be seen as the consolidation of decadelong efforts by disparate groups to improve privacy protections via countless browser add-ons, settings and privacy policies. But while it's possible to guard privacy on the desktop, the rapidly growing mobile space is still the Wild West, with an almost endless landscape of privacy pitfalls that challenge even the most vigilant consumer.

Today's mobile phones collect an enormous amount of personal data -- from the user's email address to his or her location, contact list, calendar and even photos -- and tether it to a single unique device ID number. One location-based photo-sharing app reportedly activated users' microphones to narrow down their location beyond what GPS data could provide. There is as yet very little to protect the valuable data on these most personal of devices.

The news this week that California will require mobile apps to post privacy policies was widely praised, but also underscored just how much of a free-for-all the space is now. A developer survey conducted by the Future of Privacy Forum found that 60 percent of all mobile apps don't even have a privacy policy that would notify consumers which of their data the apps access. A study by TrustE and Harris Interactive found that 95 percent of all apps lack a privacy policy.

Given California's plan, and the major mobile platforms' participation in it, developers who market their apps in the App Store, Android Marketplace or any of the other major platforms will have to establish and disclose these policies, but there is still no requirement for them to limit the data they grab, store or share.

"The only piece of information that's restricted by the operating system is location information," said Ashkan Soltani, an independent researcher and consultant focused on privacy. The restrictions on what developers can share with third parties are minimal and not always clear.

As for protecting one's private data, "The industry tools don't even exist yet," said Jules Polonetsky, who runs the Future of Privacy Forum. For example, "It's nearly impossible" to opt out of tracking on a mobile device.

Data driving innovation

Ironically, unfettered access to hardware and data in smartphones has driven much of the innovation that has happened in the mobile arena. A flashlight app must have access to the phone's flash to work. Social networks need access to contact information to suggest friends for new users. And apps like Yelp use location data to ensure users get relevant information.

Privacy expert Ryan Calo, at Stanford University's Center for Internet and Society, described the challenge for regulators as protecting consumers while remaining "flexible enough to permit innovation."

Polonetsky, of the Future of Privacy Forum, which helps developers establish privacy practices, suggested that irresponsible privacy practices threaten innovation as much as clumsy regulation does. "The data that's there has been what's allowed [developers] to do really cool things," he said. "But if data is your fuel, you better treasure it or you might lose access to it in the future."

Sebastian Holst, a mobile apps developer and the chief marketing officer at PreEmptive Solutions, put it this way: "Absolutely collecting personal data is a means to fuel business. Labor is great fuel for business, too, but does that mean child labor is okay?" Regulation of mobile privacy is just as necessary as child labor laws, he said.

Both Holst and the California attorney general characterized the belief that users must choose between protecting their privacy and accessing innovation as "a false choice."

Just ask

Most privacy experts agreed that when asked, users will usually agree to share their private information with apps when the apps offer them value in return. But asking is essential, as the mobile social network Path -- which markets itself as a more private social network than Facebook -- discovered earlier this month when bloggers and users flogged the company for grabbing and storing users' contact lists.

"It's been good practice for apps to prompt the user," explained researcher Soltani. "It's like having privacy manners."

He gave the analogy of grabbing a soda out of the fridge at someone else's house. Doing so without asking would provoke irritation, but when asked, "most people would say yes."

The Path brouhaha showed another level of social ineptitude as well. When they learned what Path was doing with the data, coders and privacy experts alike wondered why the app maker hadn't bothered even to encrypt the information. Polonetsky called it "clueless behavior."

But because users rarely read privacy policies, experts, including Justin Brookman of the Center for Democracy and Technology, suggest that getting meaningful consent from users to share their data will require a more interactive form of notification -- a matter that poses significant logistical challenges given the tiny screen size of the mobile phone and the fact that users quickly tire of pop-up windows.

But some responsible practices are relatively straightforward. Limiting applications' access to user data to those bits of information that improve the user experience would ensure that the benefits businesses derive from data streams go to those who provided the raw material, experts said. It would also limit the surprise factor when users learn, for example, that a photo application accesses their microphone.

Others proposed limiting how long personal data can be stored and when it can be sold to advertisers.

Calo, of the Center for Internet and Society, also thinks lawmakers will have to expand the definition of what constitutes harm and use it to evaluate when regulations and/or sanctions are necessary.

Changing culture

The most important aspect of the agreement in California is that the platform operators "will send a signal to developers saying, look, privacy is important, you need to address it," Calo said -- though critics of Google's own privacy practices may find it a less-than-ideal messenger.

But as users become more educated and lawmakers are increasingly willing to regulate digital privacy, software companies big and small will be spurred to make the trade-off with users more transparent -- and possibly juicier. Tech companies benefit from "your private data," said Brian Blau, an analyst at Gartner. "So they're going to give you a good deal. In the future they may have to give you more value."

Some app makers could change more radically.

"We have to be careful not to think that the way we are doing things is the way they have to be done," Calo said. Targeted advertising currently draws on consumer data stored on advertisers' servers, but it could happen "on the client," he said. It's one of any number of ways users could get more control over their data.

Developer Holst argued that seeing consumer data as software's only value actually puts a drag on innovation. "There's tons of innovations that could be happening," he said, "but because the only check that's being written is for personal information, it's not."

Even so, Blau predicts that "during this period when technology is advanced enough to take advantage of the data, and until the laws catch up," mobile apps will continue "to catch as much data as they can get away with."


Stories by Cameron Scott
