22 Feb

Privacy is a good thing in the digital world - you'll get no argument from me. I don't like my data floating around in cyberspace without my consent, but I also realize that much of what makes the internet (and computing generally) so great is that I can use my own judgment to decide who I will and will not trust with my information.

Things like app permissions, which have been a part of the Android package installation process for quite some time, are nice, but let's face it: 95% of us don't read them. And if we do, we may not even be sure what those permissions really entail, or how the app will use those permissions to gather information, or even what kind of information will actually be collected.

California's Attorney General decided he didn't like this, particularly after the whole Path debacle on iOS. So, he got Google, Apple, Microsoft, Amazon, and other mobile app providers together for a round-table discussion on the privacy of personal information gathered by apps. The end result of that meeting-of-the-minds was this agreement. The parts of importance to pull out are the following:

  1. Where applicable law so requires, an application ("app") that collects personal data from a user must conspicuously post a privacy policy or other statement describing the app's privacy practices that provides clear and complete information regarding how personal data is collected, used and shared.
  2. ... the Mobile Apps Market companies will include, in the application submission process for new or updated apps, either (a) an optional data field for a hyperlink to the app's privacy policy or a statement describing the app's privacy practices or (b) an optional data field for the text of the app's privacy policy or a statement describing the app's privacy practices.

Joint Statement of Principles

This agreement was drawn up based on (and will be enforced through) a piece of legislation that went into effect in the state of California back in 2004, called the Online Privacy Protection Act of 2003.

Basically, the act requires any online business collecting personal information to disclose the collection, the type of information collected, and any third parties it might be shared with. Here's what qualifies as "personal information:"

  1. A first and last name.
  2. A home or other physical address, including street name and name of a city or town.
  3. An email address.
  4. A telephone number.
  5. A Social Security number.
  6. Any other identifier that permits the physical or online contacting of a specific individual.
  7. Information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.

CA. Business and Professions Code Sec. 22577

Essentially, if your app is collecting and storing any kind of unique identifier for individual users, you now have to disclose that in a privacy policy. In addition, your app's privacy policy must also disclose, specifically, the following information:

  • Identify the categories of personally identifiable information that the operator collects through the website or online service about individual consumers who use or visit its site or service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information;

  • Describe the process by which an individual consumer may review and request changes to any personally identifiable information collected, if the operator provides such an option to consumers;

  • Describe the process by which the operator will notify consumers who use or visit its site or service of material changes to the policy; and

  • Identify its effective date.

CA. Business and Professions Code Sec. 22575

The 2nd bullet is optional: if you give users an opt-out method, you need to disclose that in your privacy policy. But basically, this all means every app developer out there collecting any kind of personally identifiable information for any purpose, shared or not, must draft a privacy policy for their application. This means lawyers, which means spending money in order to get into compliance.

Now, it's possible Google may provide a draft privacy policy that is sort of a "fill in the blank," or an interactive system which allows developers to disclose to Google all the requisite information about the data their app collects, and generate a suitable generic privacy policy - but somehow I'm not so sure this is how it will play out. More likely, developers will note a new text entry or hyperlink field for a "Privacy Policy" when submitting or updating an app, and the field will be optional (in the event your app collects no personal data).

Drafting your own policy is certainly an option, but if you're a part time developer or a one-man (or woman) development team, you may not know exactly how to describe the data your app collects in a legally sufficient way. You may not know if it qualifies as "personal information." You may not know how much you need to disclose about how it is used in order to be in compliance. You also may find yourself at the wrong end of an argument on what constitutes "collection." It could all get very messy, very quickly.

In fact, it's entirely unclear to me how today's agreement with the California AG meshes with the language of the applicable statute - the statute says nothing about disclosing how information is used, merely what information is collected and who it is shared with. Yet, the AG's agreement clearly says that the policy must be one that "provides clear and complete information regarding how personal data is collected, used and shared." Talk about confusing.

Oh, and violating this little requirement? Not a good idea unless your bank account is well-padded:

Any violation of this division by any person, except as otherwise provided, is a misdemeanor. Each offense shall be punished by a fine not to exceed five thousand dollars ($5,000), or imprisonment not exceeding one year in a county jail, or both the fine and imprisonment.

CA. Business and Professions Code Sec. 22981

It appears that a "violation" is merely the failure to post a compliant privacy policy within 30 days of a complaint (Google will have to provide a mechanism for users to complain about an app's privacy policy under the joint agreement), and will not accrue for each user who downloads the allegedly offending app. However, the existence of this statute in conjunction with the new joint agreement could also open developers up to more easily asserted civil suits alleging various tort causes of action, such as negligence. There's also the fact that many developers publish more than one app, which means multiple violations could ensue. It's not exactly something to be excited about.

It's unclear exactly when the agreement will go into effect, but the parties involved have pledged to take steps to implement it over the next 6 months. So, if you're a developer, expect to be hearing from Google about this relatively soon (if you haven't already). And to clarify: you don't need to be a CA resident for this law to apply to you; it applies to all app developers who make their applications available in the US and have at least one download from a user in the state of California (this is pretty normal for any internet law, though).

What do consumers get out of all this? Privacy policies - that 99% of them will never read, but that developers will now have to publish. I'm not saying no disclosure at all is good, but when you get the government involved, it's rarely a sign that things are about to get simpler for anyone. There are better, easier ways to give users concise and understandable information about data being collected from them, without having to write a 1000-word privacy policy that no one will read, and even if they did, that they probably wouldn't understand very well (thank legal language for that).

So, let's hope Google is planning on helping developers through this, rather than simply placing this obligation on them to come up with a privacy policy out of thin air. Or worse - having to pay a lawyer to do it for them.

California Office of the Attorney General

David Ruddock
David's phone is an HTC One. He is an avid writer, and enjoys playing devil's advocate in editorials, imparting a legal perspective on tech news, and reviewing the latest phones and gadgets. He also doesn't usually write such boring sentences.

  • Rob

    Citing, "that provides clear and complete information regarding how personal data is collected, used and shared.", it would seem that the intent of the legislation is for said privacy policies to be written and/or presented in a fashion (my interpretation of "clear") which permits the end user to understand what the policy is saying, should they choose to actually read it. ;)

    • David Ruddock

      Heh, "clear" isn't a word in the legal dictionary. Like I said, Google could go about implementing this in a way that's better for consumers and easier for developers, but it's hard to say if they could do that and simultaneously satisfy the statutory language.

  • caliber

    What do consumers get out of all this? Privacy policies - that 99% of them will never read, but that developers will now have to publish. I'm not saying no disclosure at all is good, but when you get the government involved, it's rarely a sign that things are about to get simpler for anyone. There are better, easier ways to give users concise and understandable information about data being collected from them, without having to write a 1000-word privacy policy that no one will read, and even if they did, that they probably wouldn't understand very well (thank legal language for that).

    This reminds me of the argument open source is pointless because 99% of users can't understand the code.

    Just because a user doesn't understand the policy, or the code, doesn't mean he doesn't benefit by the developers putting it out there.

    Now when a bad guy wants to do something nefarious with your private data, like has happened many, many times in the brief history of app stores, he'll have to write in the policy that he is doing so. And once he does that, it becomes easy for the 1% that do understand this stuff to find it and draw attention to it.

    It's not like an online firestorm hasn't been started over privacy policies before (there's one going on right now for that matter involving Google).

    • David Ruddock

      It actually doesn't solve anything, considering the vast majority of all "bad guys" stealing personal information in app stores are based in Russia or China - applying this requirement to them would be folly - they'll just outright lie, even if they do publish a policy, and if their accounts are suspended, they'll make new ones. It happens every day. It's not like Google's going to cross-check your policy with the actual data your app collects, that would be curation, which is not something the Android Market does or (without a huge change in policy from Google) will ever do.

      As for the open source comparison, I fail to see how that's at all a compelling or applicable point. Open source has zero relation to the rights of consumers - it's a philosophical construct for the benefit of the programming and computer science community. Those who do read the policies also aren't lawyers (most likely), nor are they likely at all to have an understanding of the statutory requirements of these policies.

      It's useless legal padding, everyone knows it, no one is willing to admit it. If a company is doing anything truly nefarious, it's exceedingly unlikely that will be shown in their policy, anyway - it's like passing a law requiring corporations to report the taxes they're evading. Good luck with that. Developers can pick apart an app and find out what information it's collecting - but they can never tell how it's being used. If a company says it uses that information for "improving the app" or "user experience research," you have to take them at their word on it. Besides, the PR flack these companies can take for failing to disclose what they collect (as you point out) can be pretty extreme. Seems like that's a pretty effective method of self-policing.

      It's the government involvement that irks me here - it's a problem these companies are fully able to sort out without having to get the attorney general involved. There is nothing wrong with disclosure and protecting privacy, but that doesn't mean any solution attempting to further those goals is automatically a good thing. This solution seems far less than ideal, and potentially puts small developers in harm's way if their policy isn't up to snuff. At the same time, it will also probably do nothing to change the data collection practices of big developers. Let me know how many people quit Twitter (net figure) because it was uploading your contacts without permission.

      Adding another legal obligation like this doesn't "fix" anything, it just makes publishing an app a bigger pain in the ass.

      • Matt

        While I hear your general small government conservatism, I don't agree with it.

        You're right to say that this law will act as a deterrent for those who develop apps; it's not clear to me that is a bad thing. Most apps out there have no need to collect personal information. And most apps that do collect such information (i.e. Facebook, Last.fm, Amazon, Dropbox, Evernote, etc.) already have well developed privacy policies (and lawyers) because they are usually established businesses running a for-profit organization.

        I think that your concern about so-called baddie Russian developers is misplaced. Identity theft is already illegal and Google (and I presume other distributors of apps) have strong incentives to police those apps to avoid independent liability on their part and to allay the fears of people using the market. The real target of this legislation isn't the fringe identity theft actors but rather those individuals who are running a legitimate business (regardless of organization type) and who would use the information to gain an upper hand in the market. Think Carrier IQ.

        This shouldn't be a huge problem. To illustrate how rare the collection of personal information is, it should be noted that even apps that use Google's built-in APIs to access the data you have stored on a Google account likely wouldn't need to promulgate a privacy policy.

        Finally, Caliber was right when he suggested that not every consumer need read the privacy policies to benefit from their distribution. Just like in securities law, everyone (including mom and pop investors) benefit from the disclosure requirements because there are people - most notably lawyers and journalists - who scrutinize these documents to find policies they think are unjust, wrong, or otherwise unwise. I think your skepticism is misplaced and the potential problems you're imagining are either illusory or much smaller than you're suggesting.

  • Rob

    Perhaps Google should figure out a way to detect when end users have scrolled through the privacy policies without actually reading them.

    Surely there must be a way to detect the speed at which the screen is moving down to the end of the page (to the Agree/Decline buttons) and contrast that against the known maximum speed of human reading.

    Then present the end user with a dialog. "Hey, we noticed you didn't actually read the privacy policy. You might want to read it because it's some very important stuff...." or something along those lines.

    • Mesmorino

      People read at different speeds, so that isn't EVER going to work. And this is even before things like getting distracted, your screen turning off before you finish reading a section due to low battery, scrolling back and forth to re-read items, etc.

      Not to mention, forcing the user to read such a dialog means you'll annoy them and they'll just find another way to circumvent it. Like you know, simply scrolling down slower, without actually reading anything.

      Even if someone invented a program that tracks a user's eye movements via a front facing camera, how would it know that the user was actually reading and absorbing the text, and not simply moving their eyes over it? And such a method could be defeated by wearing sunglasses, goggles, or even regular spectacles. Not to mention the people who have only one eye, are cross eyed, etc., etc.

  • justin

    Good for California. Now I just need a way to block selling my apps in California so I don't have to deal with this BS. Way to go Mr. Attorney General. Won't have any privacy issues with any apps if you can't download any.

  • Bill

    You fail to explain what part of this bill is unfair. Yes, life will be "harder," in that app developers who take our information will now have to tell us that. But why *shouldn't* they?

    • David Ruddock

      Because there's no reason for a law requiring them to do this when it's fairly obvious the community is doing a decent job self-policing this sort of thing, and that the law could potentially do more harm than good.

      If no one is going to read it, if the people who are actually doing nefarious things won't follow it, and the big companies we're so concerned with won't change their practices because of it - why do we need an extra legal hurdle for everyone? Those who would be most burdened by the requirement would be the least likely to be guilty of the abuse it attempts to curb.

      • toot sweet

        Your argument reminds me of what people say about Ubisoft's DRM practices - it only hurts the good guys.

        • reala

          And that's the American legal system. Good guys wait a week to buy a gun. Criminals get them off the street on demand and invade your home before you are clear to pick it up from the store.

      • wyngo

        Based on the frequency of frantic posts on this blog and others about some app that's collecting some information users didn't know it was collecting, I question your claim that "the community is doing a decent job self-policing this sort of thing".

  • reala

    I feel bad for you devs because this does absolutely nothing, but it appears to protect safety. If I were you devs I would petition Google not to have your apps displayed in California to exempt you guys. Civil lawsuits will destroy the app store because devs won't want to supply the apps.

    Can't compete with Facebook if you can't link users with friends.

  • Mike

    I can't think of more ridiculous legislation coming out of California since... what time is it?

    • Craig

      +1. Sorry Californians, this is my surprised face that your effed up state came up with even more ridiculous effed up legislation.

      • Matt

        Haters gonna hate.

        You jelly?

  • Mike

    More please. When Starbucks or Panera Bread or supermarket X asks my name, make them provide legalese I need to scroll through and hit okay. And I need a way to review and change my name as I do that often and their database is so important to me.

  • wyngo

    I hope Google and others will make this as easy as possible for developers to create and for users to read, but I think seeing what's being collected and who it's being shared would be a great addition to the list of permissions.

    Let's assume for a second that what you say is true and 95% of users never look at app permissions. Based on the smartphone statistics I was able to dig up, that still leaves more than 20 million people worldwide who DO look at them. That's a lot of people whose right to know what's being collected about them you're willing to dismiss.

  • David

    Just wondering how this would affect apps that contain adverts? Would the location information that some ad networks collect to choose what ads to show you be covered by this? If so, is it the developer's responsibility to show you a privacy policy for collecting information that they don't actually have control of, or would it fall to the ad networks to provide something?

  • Desverger

    I'm getting ready to release an app that uses Flurry analytics. I believe the info it collects is anonymized and does not include things like name, address, or even phone number. My app doesn't collect any data at all and the only permission needed is network permission as it makes HTTP requests. Is that something that would require a privacy policy? If so, could I just refer the end user to Flurry's privacy policy as they are the ones collecting the data?

  • Matt

    Ads use Google's ad service. The ads themselves collect no information.

  • DCMAKER

    I think this is a great start in the right direction. I know some developers will be annoyed, but hey, I always see apps saying they need access to all sorts of things and I honestly don't have a clue what it could be doing... it could be transferring my Evernote data and GPS points and passwords and keystrokes for all I know.

  • KimAlaBim

    well developers I've been up to begin with I could have avoided I am david do something I should have done to begin with.

    "...but when you get the government involved, it's rarely a sign that things are about to get simpler for anyone. There are better, easier ways to give users concise and understandable information about data being collected from them, without having to write a 1000-word ...policy..."

  • KimAlaBim

    While I will bristle at governmental overreach that creates unnecessary red tape, wasteful hoop-jumping, & a negative return on resources expended, I do not find this law that way at all - it's actually quite benign.

    Seems to me that had developers been more proactive/forthright to begin with, they could've avoided the snare of this "regulation" which upon close inspection is barely protective of the app users it's intended to protect.