About a year ago, the National Telecommunications & Information Administration (NTIA) launched a multistakeholder privacy process to develop a code of conduct around mobile applications and transparency. Today, it appears that such a code of conduct will be finalized by stakeholders, promising increased transparency for consumers by showing what mobile “apps” are doing with their information.
This effort stems from the Obama administration’s Consumer Privacy Bill of Rights released in February 2012 that expressed concern with the state of consumer privacy in general. The way forward favored by the administration involved consensus decision-making processes amongst diverse stakeholders. One particular area of concern to the administration was the extent to which mobile apps collect and use personal data in ways that consumers find annoying and invasive. This includes sharing their data with many third-party companies that monetize data, serve ads, resell data and ultimately pay the app developer for funneling consumer data their way, often with no notice or control on behalf of the user.
The newly introduced code of conduct requires mobile application developers to show users an easy-to-understand description of what kinds of data the app collects and what kinds of entities with which the app shares this data. Developers would accomplish this by showing a couple of “short notice” screens, an example of which is shown at right (developed by the Future of Privacy Forum (FPF) and Intuit). Another great example of these kinds of short notice screens is this version — in HTML5 — by the Association for Competitive Technology.
The released draft code of conduct has been developed over many months of intense work and negotiation between stakeholders, with the bulk of the hard work by a core drafting group led by the Application Developer’s Alliance and including Future of Privacy Forum, ACLU, the World Privacy Forum and Consumer Action. While initially app developers, industry groups and advocates were substantially far apart in their approaches to mobile app transparency, the current code reflects a flexible approach to communicating data collection and sharing practices to consumers, while also providing substantial grounds for enforcement by the Federal Trade Commission. CDT participated in the multistakeholder process throughout the past year and we are pleased to see that a number of our priorities are addressed in the final code, including the need for flexibility in presentation of short notice and requiring apps that have a “long form” privacy policies to link to those from the short notice screens.
Of course, such an approach will need to be refreshed periodically as the ecosystem and technologies change, and there is a recently released technical report from CMU researchers Rebecca Balebako, Richard Shay, and Lorrie Cranor that indicates some of the terms used in the current code are not ideal in terms of mobile user understanding. That being said, this code of conduct represents substantial progress in transparency for users of mobile apps. We hope many trade groups, industry associations, and app developers will adopt the code of conduct and commit to increased transparency.