Mobile privacy advocates are calling for more protections for consumers, but it remains to be seen whether providers will play along and what effect, if any, the measures will have if they do.
The Electronic Frontier Foundation’s call Friday for a privacy bill of rights for wireless users is a good way to raise public awareness. The question is if the idea is embraced, how do you enforce the principles against those who would violate them?
The EFF's recommendation comes a week after the Obama administration released its framework for protecting consumer privacy on the Internet. The centerpiece of that proposal was a consumer privacy bill of rights similar to the EFF's.
The recent upsurge in privacy protection activity comes on the heels of several controversial moves by Google. They include circumventing the Do Not Track settings in Apple's Safari and Microsoft Internet Explorer browsers, and the revamping of its privacy policies to consolidate the information the Internet search leader gathers about users of its services.
"[G]iven the sensitivity of the data that many consumers store on their phones, the stakes are even higher for manufacturers, carriers, app developers, and mobile ad networks to respect user privacy in order to earn and retain the ever-important trust of the public," the EFF said in a statement.
The group suggests that developers, when creating mobile apps, respect consumer privacy by:
- Offering a means for withdrawing consent to collect data that's as visible as the means for obtaining consent.
- Collecting the minimum amount of information necessary to provide a service, especially when collecting information from address books, photo libraries, location and phone logs and text messages.
- Making known to users what data an app's collecting, how long it will be kept and who it will be shared with.
- Offering "human readable" privacy policies that are accessible both before and after installation.
- Honoring the context in which data is collected. Data collected to link an app user with their friends, for example, shouldn't be used by the developer to contact those friends directly without specific permission from that user.
- Securing data collected by an app both where it's stored and in transit between phone and cloud.
- Holding themselves accountable for the behavior of their software. That should be true for all actors in the mobile industry, not just developers, the EFF added.
EFF also made a number of technical recommendations for developers. They include "hashing" information they collect, making TLS connections a default when transferring data, encrypting stored data, securing data from internal as well as external threats, testing system security by independent testers and encouraging operating system makers to support Do Not Track technology at the operating system level.
"These recommendations represent a baseline, and all the players -- from the application developers to the platform providers to the ad networks and more --should work to meet and exceed them," the EFF said.
"As the mobile app ecosystem has matured, users have come to expect sensible privacy policies and practices. It’s time to deliver on those expectations," the group said.