UPDATED 08:22 EDT / MARCH 14 2012

Mobile App Developers Must Weigh Collecting Data, Privacy

Developers, by nature, want to build the coolest and most useful applications on the market.  This often means packing a mobile application with all the latest features and functionality that the platform makes available. Accelerometer? Absolutely! Camera? Definitely! GPS? Yes, please!

We tend to forget that the user needs to give up personal information in order to make use of these cool features, and we don’t always think about the privacy implications that users will face in getting there. Given the recent outcry over Google’s changes to their privacy policies and the continued attention on privacy from Congress, privacy is once again the preeminent concern for developers.

End users have grown used to clicking Allow within an app and getting immediate gratification, without giving a second thought to what that means vis-à-vis their personal data.  Yet, when surveyed, most online and mobile users expressed concern over the collection of personal data via browsers, search engines or mobile apps, but were not really sure how to protect themselves.  According to a Pew Research Center study, sixty-four percent of Americans mistakenly think that the mere existence of a privacy policy protects their data. Very few actually read the fine print within privacy policies.

So what’s a developer to do?  Even though flashy, shiny apps are all the rage, try to design with efficiency in mind.

Ask only for data that’s absolutely necessary and avoid bloating and slowing down your app with extraneous information that won’t be used.  Your end users may not know it, but you will also be helping to protect their privacy.  This will also keep you clear of the privacy legislation debate, which seems to be fueled by continual security breaches.

Legislation’s Impact on Privacy

In the wake of last year’s discovery that Apple iPhones were collecting and storing location data in unsecured, easily-hacked files (this security hole has since been fixed in iOS), Senators Al Franken and Richard Blumenthal introduced the Location Privacy Protection Act of 2011, which would require companies to obtain consent before collecting and sharing a user’s location data.  This year, Representative Ed Markey drafted a mobile device privacy bill in response to the revelation that Carrier IQ software on smartphones could track users’ keystrokes without their knowledge or consent.

Several other initiatives specific to online privacy and targeted advertising have also been introduced, though there is also an attempt by the advertising industry to self-police via the Digital Advertising Alliance’s (DAA) Self-Regulatory Program for Online Behavioral Advertising.  With Google’s privacy policy update earlier this month, the privacy policy debate rages on.

A big concern being addressed by the proposed legislation is protecting the privacy of children online. For developers, this is a no-win situation. Even if developers program “age gates” into applications, there are always ways around them. Protecting children is vitally important, but kids are smart and will always find ways around software-based restrictions or verifications. Parents need to be aware of what their children are doing online and on their mobile devices.

As developers, the only thing we can do is place checks in our software so that when a user attempts to compromise their privacy, we alert them to the risks.

Social Media’s Effect on Privacy

With the advent of social media, however, people are not as sensitive about what they post or the information they allow our apps to share. Constantly posting to Facebook about an upcoming vacation, then posting via Yelp, Twitter or checking into a location on Facebook from Maui, only to return home and find out your house was broken into, is the responsibility of the user, not the developers of those applications. Your personal information is similar to your virginity: once it is out there, you can’t get it back. But, as everyone knows, once a user clicks “Allow” it gets easier with each subsequent click until the warning becomes nothing more than an inconvenience.

Even though the onus remains on the user to protect their personal data, there have been so many covert ways for apps and websites to access that data that it’s very difficult for users to be completely in the know. As an example, Path’s app last month was called out for basically tapping into users’ personal address books without overtly specifying they were doing so.  This was all in the interest of “adding friends” with whom you would share information via the app, but it’s one thing for the app to access a subset of your email addresses and then delete them, and it’s another thing to store that information on their servers without your knowledge.  What’s interesting in this scenario is that the company got called out on it, apologized for this breach of privacy and promised to delete users’ address book info, and then got lauded for this after the fact.

Why don’t companies who responsibly handle privacy from the beginning get praised?  And is there a way to control what app developers are doing?  It turns out that Apple’s App Store has been allowing other apps to collect and access address books, photos, music files and other personal data. It doesn’t mean that all apps are collecting this type of data, but perhaps Apple, Android, Windows, and other marketplace “owners” should do a better job of policing apps vis-à-vis privacy.

The key to a good privacy policy is transparency. The now defunct IE P3P policy files were a great example of this. Tell the user, in plain, non-legalese language, what data is being collected, why we are collecting it, how the data will be used, how long it will be retained and how it will be destroyed after the retention period. Also, have a contact section where users can write to view the data the hosting entity has collected from them and request that it be destroyed.

Developers should be very careful to collect the minimum amount of data needed to implement the features of the application. It’s tempting to just collect everything available as we look forward to future product enhancements; even simple utility apps ask for full network and GPS access. Keep it simple and take only what you need.

In conclusion, there are some simple privacy best practices for mobile application developers:

  • Have a compelling reason for collecting user data
  • Let them know what data you are collecting and what you are doing with it
  • Allow users to opt out of having their personal information collected, perhaps by limiting functionality
  • Draw a line between PII (personally identifiable information) and generic user information
  • Have a plan. Where is sensitive information stored? Who has access? What is your destruction policy?
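
The practices above can be enforced in code rather than left to a policy document. The sketch below is an added example, not code from the authors: the field names, purposes and retention periods are hypothetical, and it assumes a server-side collection step for an imagined store-locator app.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class FieldPolicy:
    purpose: str          # the reason shown to the user in plain language
    pii: bool             # personally identifiable vs. generic information
    retention: timedelta  # how long a value may be kept before destruction

# Hypothetical policy for a store-locator app: anything not listed is never stored.
POLICY = {
    "app_version": FieldPolicy("diagnose crashes", False, timedelta(days=365)),
    "coarse_location": FieldPolicy("find nearby stores", True, timedelta(days=1)),
    "email": FieldPolicy("send purchase receipts", True, timedelta(days=90)),
}

def collect(raw, opted_out, now):
    """Keep only declared fields; drop PII when the user has opted out."""
    kept = []
    for name, value in raw.items():
        policy = POLICY.get(name)
        if policy is None:
            continue  # undeclared data (e.g. an address book) is discarded
        if policy.pii and opted_out:
            continue  # opt-out limits functionality instead of collecting anyway
        kept.append({"field": name, "value": value,
                     "expires": now + policy.retention})
    return kept

def purge(records, now):
    """Destruction policy: keep only records still inside their retention period."""
    return [r for r in records if r["expires"] > now]

def disclosure():
    """Plain-language notice generated from the same policy the code enforces."""
    return [f"{name}: collected to {p.purpose}; kept {p.retention.days} days"
            for name, p in sorted(POLICY.items())]

if __name__ == "__main__":
    now = datetime(2012, 3, 14, tzinfo=timezone.utc)  # constructed sample input
    sample = {"app_version": "1.2", "email": "user@example.com",
              "coarse_location": "47.6,-122.3", "contacts": ["a", "b"]}
    stored = collect(sample, opted_out=False, now=now)
    print([r["field"] for r in stored])
    print([r["field"] for r in purge(stored, now + timedelta(days=2))])
```

Because the user-facing notice and the collection filter read the same table, the disclosure cannot drift from what the app actually stores.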

About the Author

Stuart Conway, Development Lead, and Olga Spaic, Manager of Analytics, at Metia always keep users’ privacy in mind when developing applications and collecting data for analysis.

Digital marketing leader Metia/Seattle is the North American headquarters of global agency Metia Group, headquartered in London with additional offices in New York and Singapore. As digital craftsmen, Metia/Seattle blends a deep understanding of technology with strategy, creative, content, analytics and optimization. Their results-focused digital marketing solutions are used by brands including Microsoft and AT&T in websites, email, social, digital applications and other online communication programs. Follow on Twitter @metiasea.

Photo credit: Pink Sherbert
