Mobile device users’ privacy will be safeguarded under a new transparency code of conduct created in an effort involving 40 groups ranging from businesses to advocacy groups and led by the National Telecommunications and Information Administration.
NTIA Administrator Lawrence E. Strickling hailed the code as “a seminal milestone in the efforts to enhance consumer privacy on mobile devices.”
Perhaps Strickling spoke too soon: Only two participants endorsed the code; 20 supported it, while 17 voted for further consideration and one objected.
The code as it stands now is “an incremental step at best and nobody is required to do anything,” John Simpson of Consumer Watchdog told the E-Commerce Times. “Pretending that it is a landmark step forward serves no one well.”
A Multiplicity of Views
The issue has divided advocacy groups, with the American Civil Liberties Union, the World Privacy Forum and the Electronic Frontier Foundation endorsing the code, and Consumer Watchdog, the Consumer Federation of America and the Center for Digital Democracy criticizing it heavily.
Some supporters, such as the Software & Information Industry Association, have reservations — but for different reasons than advocacy group objectors.
The bottom line is that no one is really happy with the code and we may see more wrangling over time.
Principal Points of the Code
The data categories include biometrics; browser history; a phone call or text message log; contacts; financial information; health, medical or therapy information; location information; and user files.
The notice should inform consumers if any user-specific data is shared with social networks, ad networks, carriers, consumer data resellers, operating systems and platforms, data analytics providers, and other apps.
However, adhering to the code is voluntary, and there are several other loopholes. For one, a short form notice is not required for sharing consumer data with third-party service providers under certain conditions.
“My guess is, this is seen as either a starting point or just enough to placate the more vocal proponents of privacy protections,” Steven Bristol, a developer and a cofounder of Less Accounting, told the E-Commerce Times. “I’d say it’s more to placate than anything else.”
Who Loves the Code
Supporters of the code apart from the SIIA include the Online Publishers’ Association and the Application Developers Alliance.
“We believe the code provides a very useful road map for mobile app short form disclosures,” David LeDuc, the Software & Information Industry Association’s senior director for public policy, told the E-Commerce Times.
However, the code “is too prescriptive in some areas,” such as specifying the data elements, third parties for sharing, and the “call for an approach akin to a nutrition label,” LeDuc contended. If followed too literally, the result would be notices that “are less effective than they could be” and app providers might reject the code if they should view it as too prescriptive or impractical.
A Soupcon of Scorn
The Consumer Federation of America has lashed out at both the code and the process, calling them seriously flawed.
The code does not allow for adequate disclosure and could mislead app users, CFA said.
Further, the process did not incorporate clear procedures for implementing it or for determining what would constitute success, the federation maintained. Nor was there a legal framework on which the code could be built, which resulted in ambiguity over terms such as “user data.”
The last meeting of the stakeholder group, on July 25, was confusing — and a small subset of stakeholders who had drafted the code simply declared victory, charged CFA.
Still, it was at that meeting that “39 out of 40 stakeholders agreed it was time to put down the drafting pen,” NTIA spokesperson Juliana Gruenwald told the E-Commerce Times.
Although it was a “small group of core drafters” who negotiated the document, Consumer Watchdog’s Simpson acknowledged, supporting the code does not carry any obligation to implement or adopt it.
Caring for the Consumer?
The voluntary nature of compliance with the code may be a cause for concern.
Google and Facebook have been fined repeatedly for infringing on consumer privacy, and Pulsepoint recently agreed to pay US$1 million to settle charges that it circumvented the privacy settings of some New Jersey consumers’ Safari browsers in order to deliver them targeted ads.
“There are certainly ways where a developer or company can say they are compliant but bring no value or protection to their users,” Less Accounting’s Bristol said.
There Oughta Be a Law
“Americans aren’t very good at thinking through hard problems and choosing what’s best for them and their children,” Less Accounting’s Bristol said.
Legislation should be passed to ensure consumer privacy, he suggested.
That may not work, though. The transparency code is one result of the White House’s call in February to protect consumer privacy, but the administration apparently has problems comprehending the concept of privacy, as repeated fresh revelations about the extent of the NSA’s spying on Americans show.
Further, the FBI has been seeking a tool to monitor social networks, and the revelation that the DHS lied about tracking Americans on social media led the Electronic Privacy Information Center to write to the House of Representatives Subcommittee on Counterterrorism and Intelligence in February last year.
“We need President Obama to put his money where his mouth was over a year ago, and to propose specific privacy legislation that would implement his consumer privacy bill of rights,” Consumer Watchdog’s Simpson suggested.