Rep. Hank Johnson (D-GA) introduced the “Apps Act,” a bill  that would require developers to have privacy policies detailing their data sharing practices. Developers would also need to obtain consent from consumers before collecting data and securely maintain the data they collect. The proposed bill is based off of AppRights, the Congressman’s online effort to build mobile privacy legislation from the bottom up. “These engaged citizens also wanted simple controls over privacy on devices, security to prevent data breaches, and notice and information about data collection on the device,” Johnson said when officially announcing the bill at yesterday’s State of the Mobile Net Conference. “The Apps Act answers the call.”

At yesterday’s workshop titled, “Future of Privacy + Innovation,” held at U.C. Hastings, participants heard from thought leaders on the evolving privacy space for app developers. California Attorney General Kamela Harris spoke to the audience about the need to balance consumer privacy and innovation while finding new ways to innovate on privacy: “Let’s not stop the innovation. I don’t want to shut it down…But what we do have to do is give the user information, and let the user, not anyone else, make the choice about the trade off.”  The AG urged developers to give consumers the appropriate “tools” to let them make choices regarding uses their information.  Ultimately, developers need to be aware of the legal and privacy requirements they must fulfill when building apps.

The California Attorney General and UC Hasting’s Privacy and Technology Project is holding a workshop, “Future of Privacy + Innovation” for app developers in California. Participants will hear from thought leaders at the intersection of technology, entrepreneurship, and policy, on the future of privacy and innovation. The Workshop will cover the evolving privacy space for application developers as we strive to balance consumer privacy and innovation, and find new ways to innovate on privacy. 

The workshop will be held on Wednesday, April 10th.

Click here for more details!

Apple stated on its developer blog that starting May 1st, ”the App Store will no longer accept new apps or app updates that access UDIDs. Please update your apps and servers to associate users with the Vendor or Advertising identifiers introduced in iOS 6.”

In August 2011, Apple announced that it would phase out third party use of UDIDs – third party app developers were instructed to stop tracking iPhone, iPod Touch, and iPad users by the unique identifier number attributed to each of its devices and instead, create their own unique identifiers. Apple provided the Advertising Identifier, an alternative to the UDID, when it released iOS 6 last September. The recent Apple iOS 6.1 update included the option to reset this “non-permanent, non-personal, device identifier” feature, that is located below the Limit Ad Tracking feature.

As Gigaom notes, by May 1st the Advertising Identifier will have been available for eight months, “plenty of time for those who want to understand how their apps are being used to switch over to the new system.”

Google has added a new feature to their Google+ platform:  application sign-in. As stated on their developer blog, “whether you’re building an app for Android, iOS or the web, users can now sign in to your app with Google, and bring along their Google+ info for an upgraded experience. It’s simple, it’s secure, and it prohibits social spam. And we’re just getting started.” 

Depending on the permissions that the app requests and the user chooses to authorize, mobile and web developers can accept Google sign-ins and gain access to Google+ social sharing. According to CNET, “aggressive sharing” –  sharing items with specific Google+ users that appear in their public streams – requires affirmative user consent. We look forward to learning more about this new feature as developers integrate the Google+ sign-in with their apps – stay tuned!

Just in time for Valentine’s Day, a developer released a new iOS app that hides your private photos and videos from prying eyes. We are always excited by the prospect of privacy-friendly apps, but we are disappointed by the app’s lack of transparency. Ironically called, Private Locker for Photo and Video, the developer posted no privacy policy in the app store, within the app or on the developer’s website.  Though we assume the app simply creates a protected folder on your phone, there is no way to know whether data is sent back to the developer in Thailand. And as the app asks for location and sends data to ad networks, would it be too much to ask for some brief privacy info?

Named after the upcoming Star Trek film by director J.J. Abrams, “Star Trek Into Darkness,” is one of the first apps available in the US to utilize Gimbal‘s new ”context awareness platform.” Developed by Qualcomm labs, Gimbal, “expands the ecosystem of offerings that are turning the smartphone into the new digital ‘sixth sense,’ opening up new ways for app developers, service providers, brands, agencies and other industries to offer contextualized utility and new user experiences.” The Star Trek app is a great example of how apps are now starting to use a wider range of sensors.

Furthermore, Gimbal keeps privacy in mind by making its platform opt-in, as well as requiring that the user, ”explicitly allow applications to access the data collected by Gimbal, all of which is stored directly on your device, rather than in the cloud.” That way, users won’t scream “KHAAAN” when the app uses your data! 

BlackBerry has rolled out a new privacy notification service that issues notices to app developers and consumers anytime it finds a BlackBerry World app that “does more than consumers might think.” As stated on their website, “Privacy notices are for applications that do not appear to have malicious objectives or aim to mislead customers, but rather don’t clearly or adequately inform users about how the app is accessing and possibly managing customers’ data. These notices provide information about an application’s behavior in order for customers to make an informed decision about whether to continue using the app. In addition, privacy notices will provide information on how to remove the application, if a customer determines that’s the best course of action for them.”

We have reached out to the folks at BlackBerry regarding the details of this service and are excited to learn more. Stay tuned!

The Federal Trade Commission kicked off the month of February with the release of a staff report on mobile privacy disclosures, a settlement decree with social networking app, Path, and a security education guide for app developers.

In the staff report titled, Mobile Privacy Disclosures: Building Trust Through Transparency, the Commission recommends various ways that key players in the mobile app ecosystem can better inform consumers about their data practices. The Commission offers recommendations for the different parties in the ecosystem based on current initiatives and practices. For app developers, the report specifically recommends:

• “Have a privacy policy and make sure it is easily accessible through the app stores;
• Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information;
• Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so the app developers can better understand the software they are using and, in turn, provide accurate disclosures to consumers;
• Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.”

The Commission also offers an incentive to developers, stating that it would favorably view adherence to a good NTIA privacy code when considering future enforcement actions.

We found the simultaneous announcement of a consent decree with Path to provide some interesting takeaways for developers. As some of you may know, Path was called out last year for automatically collecting and storing users’ contacts on the iOS version of their app. The app included an “Add Friends” feature that displayed the option of finding friends from your address book. However, as the Commission found in its complaint, Path “automatically collected and stored personal information from the user’s mobile device contacts even if the user had never selected the ‘Find friends from your contacts’ option.  As a result, the user had no meaningful choice as to the collection and storage of personal information from the user’s mobile device contacts, and the user interface options were illusory.”

It’s interesting to note that the enforcement action focused only on the iOS version of the app. Android automatically displays the permissions that an app requests at application install time. The Android Path app was therefore not found to be in violation because Android had already taken care of providing notice. In calling for “just-in-time” notices, however, the FTC appears to be favoring the Apple model of triggering pop-ups at the point in time that the particular information is being requested. Indeed, post this snafu, Apple added pop up permissions for contacts as well as four other categories.

As devices add new sensors and collect new types of information, it’s not yet clear whether the Android “declare-it up-front” model or the Apple “just-in-time” model will better serve consumers. Too much transparency in the form of pop ups may be interruptive and intrusive, but inadequate transparency can be considered legally deceptive. The ideal solution will likely be a design that manages to provide a snapshot of key information up front and just-in-time notices in special circumstances.  Standardization here will be useful and we are optimistic that the NTIA effort is heading towards a balance of both usability and transparency.

Last year, the Wall Street Journal published a story as part of the “What They Know” series that focused on the use of device identifiers by mobile analytic companies and ad networks. The companies were using this identifier on the iOS and Android platforms in order to recognize unique users, enabling site analytics reporting, ad reporting and behavioral advertising. On the web, companies rely on cookies for this type of user tracking. Although in-app browsers can still leverage cookies,  developers typically transmit device identifiers to analytics companies or ad networks in place of cookies. The story resulted a good deal of controversy, since consumers were surprised to learn that companies were using device identifiers as an alternative to cookies.

What’s the difference? The problem was that unlike cookies, which can be deleted, the device identifiers did not come with any user privacy settings. On Android, resetting the device identifier was possible, is but requires wiping clear the entire operating system.  On Apple’s iOS platform, this identifier could not be deleted or cleared at all.

Apple responded when it released iOS6, introducing a new advertising identifier as a replacement for the device identifier.  It also provided a setting for users to “Limit Ad Tracking.”  And now, with the release of iOS 6.1 update this week, Apple has provided consumers with the ability to reset and clear the advertising identifier.

This move comes just in time because pressure on the use of permanent identifiers for ad related tracking has continued to mount.  The recent guide for app developers released by California Attorney General recommends against the use of “persistent globally unique identifiers.” Now that Apple’s advertising identifier can be cleared and reset, this concern has been alleviated.

Companies that are using the Android ID should be sure that they hash or encrypt it so as to not store or log the Android identifier itself.  And on either platform, companies should ensure that they are properly disclosing the use of identifiers in their privacy policies and should advise users about how to decline targeting practices using device settings or with opt-out options.

For further tips about getting mobile privacy policies right, see our previous post on the topic.