Dealing with Privacy Principles with Regards to Mobile App Development
Mobile computing devices and their various accessories can be seen as some of the most successful computing devices of all time, with the adoption of smartphones and tablets seeing wide-scale uptake. A recent Business Insider article reports that there are currently 1.5 billion smartphones in the world, with 1 in every 5 people owning a smartphone (http://www.businessinsider.com/15-billion-smartphones-in-the-world-22013-2), and those numbers are only expected to grow. Moreover, the market for software that runs on these devices has blossomed as well, with the Wall Street Journal estimating a $25 billion mobile app market (http://online.wsj.com/news/articles/SB10001424127887323293704578334401534217878).
Yet, despite the success of these devices and their applications, they are also a technology that one should have concerns about. Few technologies to date have had the potential to negatively impact the security and privacy of their user base more than mobile computing devices. For example, most smartphones have built-in GPS capabilities. Although this is a great method of enabling apps that give directions, helping apps suggest nearby restaurants, or recording where and how far you run, the capability, if abused, provides someone the ability to see where you are at all times. Furthermore, few users of mobile apps give any heed to which applications seek to access which data on their phone. For example, while this is typically done for the delivery of targeted advertising, you would think more people would question why many games that do not have any geographic component require access to your GPS coordinates in order to play them (see Figure 1), especially since approximate location would likely be precise enough for advertisements.
Figure 1: An example of a game that requests GPS permissions
Moreover, when one considers many of the accessories that are now being used in conjunction with mobile computing devices, many of the privacy questions become even more pressing. Consider a device like the Fitbit, which records every step you take, your waking and sleeping hours, calories burned, and so forth, and syncs the data with your smartphone. Even though this is clearly useful for tracking health and fitness levels, health data has always been considered some of our most private data and is one of the reasons that regulations such as HIPAA exist. Although the Fitbit is not a device that would currently fall under regulations such as HIPAA, it is representative of another class of data collected by mobile devices that should raise privacy questions for both developers and users of these applications. This is particularly true given the growing number of headlines such as "Privacy lapses riddle majority of mobile apps, data protection authorities find" (http://www.pcworld.com/article/2682712/data-protction-authorities-find-privacy-lapses-in-majority-of-mobile-apps.html). Privacy and privacy rights are becoming an increasingly prominent issue and something that a developer of mobile applications should begin paying attention to.
Privacy vs. Security
Before we begin discussing privacy in earnest, however, let's first address a common source of confusion amongst developers. Even though privacy and security often have aligned goals, they are not the same thing. Privacy can be viewed as a subset of security in that it is not typically possible to have privacy without security, but it is certainly possible to have security without privacy. As a case in point related to mobile computing, let's consider the Mobile Device Management (MDM) software implemented by companies as a means of enhancing the security of mobile devices. MDM platforms, such as AirWatch, often offer features that use the GPS integrated into the device to track the location of the phone. This tracking can help in the recovery of lost or stolen devices and can enable sophisticated data protection mechanisms such as geofencing, which restricts access to certain data to certain geographic locations. Both features provide clear security benefits, but they do result in the potential privacy issue of allowing a user to be tracked (see Figure 2). This is one of the reasons that companies that employ such security features typically obtain consent at the time of the MDM software install.
Figure 2: An AirWatch screen shot showing a user's location history
Privacy and Privacy by Design
Although privacy can be defined in a multitude of ways, and ideas of privacy can often be greatly shaped by cultural influences, for our purposes we are going to consider privacy as the ability of a person to control what information pertaining to them can be collected/disclosed, how it can be collected/disclosed, under what conditions it can be collected/disclosed, and who it can be disclosed to (or collected by). From an organizational standpoint, privacy practices typically center around the core OECD principles of:
- Collection Limitation: Measures should be taken to ensure that the data collected is limited to the data that is actually required to perform whatever function the user consented to. Simply put, the less data collected, the less risk there is of privacy issues arising.
- Data Quality: Measures should be taken to ensure that information is accurate and that it is not inappropriately modified during transmission, storage, or processing. A mechanism should also exist for users of your application to correct inaccurate data.
- Purpose Specification: Prior to the collection of any data, the reasons for collecting the data and its intended uses should be made clear to the user. This should be done in a way that is readily comprehensible by your user base, and any changes to the use cases for collected data should not be made without prior consent.
- Use Limitation: Similar to collection limitation, measures should be taken to ensure that data that has already been collected is only used for the purposes that were previously specified and consented to. Moreover, one might want to give some thought to the HIPAA principle of "minimum necessary" with regards to use limitation, and take measures to ensure that only the minimum necessary amount of data required to achieve the intended purpose is used.
- Security Safeguards: Even though not always perfectly aligned, proper information security controls at the administrative, technical, and physical level are critical to maintaining privacy. The type and level of these controls should be commensurate with the sensitivity of the data being protected, with sensitive data warranting more stringent controls.
- Openness: The organization should be open about what kind of data it collects, how it maintains the information, and what it does with the information. Openness is often key to building customer trust and this is often accomplished with a privacy notice that is easily understandable.
- Individual Participation: A user should have the ability to determine if a company has data about them and should have the ability to request a copy of the data that the company possesses.
- Accountability: A mechanism should exist to hold an organization or its employees accountable for complying with the principles listed above.
As a developer, privacy is an important issue to take under consideration both for compliance purposes (for example, HIPAA, COPPA, the European Union Data Protection Directive, the UK Data Protection Act, and so forth) and as a means of gaining trust from your user base. With privacy issues seeing major headlines, ranging from issues raised by the Snowden leaks (http://www.computerworld.com/article/2489508/security0/snowden-leaks-prompt-tech-firms-to-tout-privacy--transparency-policies.html) to FTC consent decrees against major companies for privacy violations (for example, http://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep), it is likely that a greater proportion of your app's potential user base will give some thought to privacy considerations. The potential growth of this trend is supported by the fact that agencies like the Entertainment Software Rating Board (ESRB) now have a privacy certification program for mobile applications (http://www.esrb.org/privacy/index.jsp).
While the preceding statements support the importance of developing apps that respect privacy, they still leave the question of how one develops an app that fosters privacy. As with information security, privacy cannot be bolted on later. Privacy must be taken into consideration from the earliest stages of the development process and be fundamental to both the application requirements and the design from the very beginning, before a single line of code is written. One of the best ways to begin thinking about specifying privacy requirements and designing around them is to take into consideration the Privacy by Design (PbD) principles. PbD encompasses the following seven principles:
- Privacy should be proactive and not reactive: This means that designers and developers should try to anticipate privacy risks and incorporate the appropriate privacy controls into their application from the very beginning of their development cycle. A privacy impact assessment may be beneficial in identifying these risks.
- Privacy as the default setting: The user should not have to take any action to protect their privacy, because the application should be configured to respect privacy as part of its default setup. Privacy should not be opt-in.
- Privacy embedded into the design: This goes hand in hand with being proactive. The application should be designed with privacy in mind. Effective security and privacy controls cannot be added on later; they must be incorporated in from the very beginning.
- Full functionality: The goal should be to develop your application in such a way that it can fully function while still maintaining user privacy. Ideally, privacy should not have to be a trade-off with regards to functionality or security.
- End to end security: The security of collected data should be maintained throughout the entire data lifecycle. In other words, the data should be kept secure from the moment of collection up until the moment of destruction.
- Visibility and transparency: This aligns with the privacy principle of openness and ensures that the user always has insight into what data is being collected and what it will be used for.
- Respect for user privacy: In addition to the privacy defaults and the principle of openness already mentioned, application settings that concern user privacy should be laid out in a way that makes them easy for users to find, easy to understand, and easy to work with.
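To make the OECD principles and the PbD principles above concrete, here is an added example (not code from the original article) of a small purpose-bound data-access layer such as a mobile app's backend or client data module might use: every purpose declares the fields it needs (Purpose Specification), consent starts empty (privacy as the default), the advertising purpose only ever receives a coarsened location as the GPS discussion earlier suggests (Collection and Use Limitation), and every access is recorded (Accountability). The purpose names, field names and coordinates are all hypothetical, constructed for the example.

```python
import math
from dataclasses import dataclass, field

# Purpose Specification: each purpose lists the only fields it may use.
# (Hypothetical purposes and field names, constructed for this example.)
PURPOSES = {
    "navigation": {"location_fine"},
    "advertising": {"location_coarse"},   # ads never see precise GPS
    "run_tracking": {"location_fine", "steps"},
}

class ConsentError(PermissionError):
    """Raised when data is requested outside the consented purposes."""

def coarsen(lat, lon, step=0.1):
    """Collection Limitation: snap coordinates to a ~0.1 degree grid
    (roughly 11 km), precise enough for advertising but not tracking."""
    return (round(math.floor(lat / step) * step, 3),
            round(math.floor(lon / step) * step, 3))

@dataclass
class UserData:
    consented: set = field(default_factory=set)   # privacy by default
    audit: list = field(default_factory=list)     # accountability trail

    def consent(self, purpose):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        self.consented.add(purpose)

    def access(self, purpose, fields, raw):
        """Use Limitation: release only fields the purpose declared and
        the user consented to; every access is appended to the audit."""
        if purpose not in self.consented:
            raise ConsentError(f"no consent for {purpose!r}")
        denied = set(fields) - PURPOSES[purpose]
        if denied:
            raise ConsentError(f"{purpose!r} may not use {sorted(denied)}")
        out = {}
        for name in fields:
            if name == "location_coarse":   # derive, never store, the coarse value
                out[name] = coarsen(*raw["location_fine"])
            else:
                out[name] = raw[name]
        self.audit.append((purpose, sorted(fields)))
        return out

def demo():
    """Constructed sample: precise GPS fix and step count on the device."""
    raw = {"location_fine": (47.62, -122.33), "steps": 8000}
    user = UserData()
    user.consent("advertising")
    return user.access("advertising", ["location_coarse"], raw), user.audit
```

Trying to read "location_fine" under the advertising purpose, or any field before consent is given, raises ConsentError rather than silently releasing the data.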
Privacy is a vast topic and one that will be increasingly drawn into the consumer spotlight as time progresses. This article was intended to provide an overview of the most important privacy principles a mobile app developer needs to consider, and in doing so get readers to begin thinking about what it would take to improve how their apps respect consumer privacy, which in turn increases the user appeal of those apps.