Federal push for mobile privacy code of conduct panned

A federal effort to get industry and consumer advocates to agree on a privacy code of conduct for mobile app developers is being lambasted for falling far short of protecting personal information.

The National Telecommunications and Information Administration, an agency within the Commerce Department, announced Thursday that app makers and advertisers could start testing the voluntary code to determine how it would affect business models. The test followed more than a year of haggling between government, industry and privacy advocates.

Companies adopting the proposal would agree to use standardized onscreen notices in detailing data collection in smartphone and tablet apps. The notices would cover a variety of information, including biometrics; browser history; phone or text logs; contacts; financial information; health, medical, or therapy information; location data; and user files, such as photos or videos.

The code would also require disclosure of whether data is shared with ad networks, carriers, consumer data resellers, data analytics providers, government entities, other apps or social networks.

While the code's requirements appear extensive, some privacy advocates said it heavily favored business interests over those of consumers, an allegation industry denied.

"I think it's a farce, but a tragic one," said Jeffrey Chester, executive director of the Center for Digital Democracy in Washington, D.C.

The CDD pushed unsuccessfully for independent testing to see if the code's requirements were effective in helping consumers understand what was collected and how it was used.

While privacy advocates could conduct their own tests, Chester said most of the organizations did not have the money to hire professionals.

Sarah Hudgins, director of public policy for the Interactive Advertising Bureau, said trade groups representing advertisers and developers were not against independent testing. However, because each product is unique, companies believed they were in the best position to do it.

"I look at the sophisticated people that are in product development at many of our companies and they frankly have the best expertise to do [the testing]," Hudgins said.

The Consumer Federation of America also denounced the code and the process used by the NTIA, saying they were "seriously flawed."

[Also see: California's mobile privacy crackdown praised]

For example, app makers would not have to disclose whether data was being shared with third parties, such as social networks and ad networks, if they are part of the same corporate structure as the developers, the CFA said in a statement.

Critics also complained that developers and advertisers were not first required to explain in detail the data collected, how it is shared and with whom. In addition, there was no legal framework on which to build the code, so terms, even those as simple as user data, were not universally understood.

"The NTIA acted like a surgeon who operates without first conducting an examination of the patient," Chester said.

Ã'Â IAB contended that the industry could not list all the data that advocates wanted upfront. "There's no reasonable way to identify every single data element that could ever be collected by any type of app in the universe," Hudgins said. "That is not a realistic list that one can make."

Instead, the industry opted to discuss the types of data collected and how users shared that information. "That's a more practical conversation and that's one that we repeatedly had," she said.

Other privacy advocates were less harsh in their criticism. The Electronic Privacy Information Center agreed that the code was plagued by problems, but was a "slight improvement" over what exists now.

Today, there are no standards for privacy notices on mobile devices and important pieces of information are often omitted, said David Jacobs, a consumer protection fellow of the EPIC. The group has not decided whether to support the code.

The American Civil Liberties Union, a supporter, called the NTIA-led effort a "modest but important step forward." By knowing in advance which developers had agreed to follow the code, consumers would at least be able to make an informed decision whether to reject those who haven't, the ACLU said in a statement.

Despite varying degrees of criticism, advocates universally agreed that federal legislation was still necessary to protect consumer privacy against abuse. Having a baseline privacy law would shift the discussion from the rules of behavior for industry to how to best put the law into practice, the CFA said.

Beyond protecting privacy, efforts like the NTIA's are important in trade negotiations between the European Union and the Obama administration.

The EU views privacy for its citizens as a legally protected right and has penalized U.S. companies for their handling of personal information. The administration has argued that its efforts at self-regulation by industry are sufficient to protect privacy.

Read more about data privacy in CSOonline's Data Privacy section.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsNational Telecommunications and Information AdministrationsoftwareCenter for Digital Democracydata protectionData Protection | Data Privacymobile privacyACLUcode of conduct

More about Electronic Privacy Information CenterEUInteractiveInteractive Advertising Bureau

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts