This has turned out to be an interesting week for privacy. Just a few days after the White House laid out is privacy agenda, the California attorney general has announced an agreement with several major mobile platform providers, including Apple and Google, that will have the companies provide privacy statements for apps before users download them.
The agreement with Apple, Google, HP, Amazon, Microsoft and RIM is designed to give users more information than they have now about what kind of information a specific app will collect and how it will use that data afterward. Under the agreement, companies that don’t comply with their stated privacy policies will be exposed to prosecution under California state laws.
“Your personal privacy should not be the cost of using mobile apps, but all too often it is. This agreement strengthens the privacy protections of California consumers and of millions of people around the globe who use mobile apps,” California Attorney General Kamala Harris said. “By ensuring that mobile apps have privacy policies, we create more transparency and give mobile users more informed control over who accesses their personal information and how it is used.”
The collection of personal data by mobile apps has become a highly controversial issue as there have been more and more incidents with researchers or consumers finding apps that gather information without users’ knowledge. Android apps typically give users notification about the permissions that they will request once installed, but iPhone apps do not. But even telling users what permissions an app will use doesn’t tell them how any data that’s collected might be used, stored or even sold.
The new agreement in California will see the platform providers create new fields that developers can fill in with information about their privacy policy. However, the fields won’t be mandatory. The EFF said the agreement is a good step, but isn’t a cure-all for mobile privacy concerns.
“Of course, providing a privacy policy is not enough to actually safeguard user data. Companies have a lot of leeway about what goes into the privacy policy. They can use vague, overbroad language so they can collect lots of data about users, share it with affiliates, sell it to marketers, or provide it to the government upon request. And even a strong privacy policy is little consolation; a privacy policy can change at any time, so today’s protective language could be tomorrow’s permissive exceptions,” Parker Higgins and Rainey Reitman of the EFF wrote in an analysis of the agreement. “We saw a powerful example of this with Google’s recent privacy policy changes, in which the company removed the silos from different Google products and allowed YouTube and Web History to be combined with data gathered from other Google products. And consumers expect a lot more when it comes to their online privacy; a study by the Berkeley Samuelson Clinic and Annenberg Public Policy Center found that users (incorrectly) thought that a posted privacy policy meant certain protections for their data against common advertising practices.”
As mobile devices become the main communications and computing platforms for many people, the way that data is gathered, stored and used by app developers and the platform providers themselves will continue to be a major sticking point for consumers and the platform providers. And one of the wild cards in all of that is the fact that many of these platforms are essentially closed systems that don’t allow much visibility into their processes.
“The AG’s agreement may be one way to address these issues, but this particular program — relying on walled gardens and closed door negotiations with the gardens’ gatekeepers — isn’t necessarily the ideal resolution for the privacy problems afflicting mobile app users. Users need to have a voice when it comes to controlling their data, and software developers need to respect their choices or be held accountable,” Higgins and Reitman of the EFF wrote.
