The Evolution of Mobile App Transparency: NTIA’s Multistakeholder Journey
On July 12, 2012, the Department of Commerce’s NTIA division kicked off a Multistakeholder proceeding focused on deciding a standard for mobile app transparency – the format and elements of a mobile app privacy notice (or as we’ll refer to it, the NTIA code).
Sitting with the many other attendees in the vast cavernous hall of the Herbert Hoover Auditorium that day and observing the wide range of interests represented in the room, I was admittedly skeptical about whether this group could reach consensus on anything that could provide meaningful guidance to app developers.
Even for the most Pollyannaish of privacy heads, the possibility that representatives from government, industry and the advocacy community could actually sit down together (let alone decide on a mobile privacy standard together) seemed remote.
Navigating the NTIA Code: A Crucial Step Towards Privacy and Transparency
Fast forward a little over a year to July 25, 2013. At its 16th (and for now final) meeting, a majority of stakeholders voted to “freeze” a draft NTIA code and start testing it in the marketplace before finalizing later this year. Issues remain about some of the draft code’s provisions, around user comprehension of terms used in the code, and how these terms should be laid out in a mobile notice.
For the majority of stakeholders, however, the draft NTIA code is a win.
It’s worth stepping back and thinking about what has been decided and agreed upon by the NTIA Multistakeholder group. For the first time, a broad coalition representing consumers and industry has agreed on some basic data elements that should be noticed by mobile apps (for the full story, the current version of the draft code is posted on the NTIA’s site).
Mobile app developers who want to comply with the NTIA’s self-regulatory standard must notify users about whether they collect and share personal information – defined broadly to include data generated from a user’s activity on that device (browser and phone history), user uploaded files (contacts, photos) and sensitive data (health, financial, location).
Providing this type of information to consumers is important; TRUSTe’s research shows that 72% of smartphone users are more concerned about privacy than they were a year ago.
Having participated in and attended the NTIA meetings, it is clear that there are critical issues around implementation that remain open – but I also believe that these issues can be resolved by test driving different versions of an NTIA compliant format in the marketplace.
For instance, an outstanding issue that is key for many stakeholders, including TRUSTe, is whether an app developer should list all data elements (nutrition label) or just the ones collected/shared by the app (ingredient approach).
Clearly this particular issue can be resolved through usability testing – are users confused by a mobile app’s privacy notice that informs them about the entire universe of data collection that could be happening on their device?
In this regard, TRUSTe is working with ACT, the Innovators Network and companies like AT&T, Apple, Facebook, Microsoft and Verizon, to conduct a program of consumer and developer testing that determines the answers to the remaining open issues and ensures that an NTIA compliant notice effectively communicates with consumers.
In fact, ACT is already testing this version of an NTIA compliant notice with a few of its developers. The Future of Privacy Forum also worked on some UI mockups of an NTIA compliant notice and you can view these here.
In the next few months, we hope to share the results of these consumer tests with you and roll out TRUSTe’s own version of an NTIA compliant mobile short notice.
In the end, is the NTIA code a win for consumers and the app developer community? Absolutely.
The current draft of the NTIA code builds on the “Transparency” principle in the Obama Administration’s Consumer Privacy Bill of Rights, which gives consumers the right to access “easily understandable information about privacy and security practices.” The mobile notices being contemplated by the NTIA code will not only inform, but also educate consumers about the types of data being collected by a mobile application, and with whom that data is being shared. That’s why testing will be such an integral part of this process.
The NTIA code will also provide much-needed guidance to the app developer community, by establishing a self-regulatory standard that this community can build and improve upon. The fact that the NTIA code was developed through the Multistakeholder process gives it credibility with a wide range of audiences – academic, advocacy and industry – all of whom actively contributed to and participated in the process that resulted in the current version of the NTIA code.
In closing, I thought I would provide a quick rundown on what’s currently required of app developers who want to provide consumers with an NTIA-compliant mobile short form notice.
The mobile app’s short form privacy policy should inform the consumer whether or not the app collects the following types of data:
- Biometrics (information about your body, including fingerprints, facial recognition, signatures and/or voice print)
- Browser History (a list of websites visited)
- Phone or Text Log (a list of the calls or texts made or received)
- Contacts (a list of contacts, social networking connections or their phone numbers, postal, email and text addresses)
- Financial Info (credit, bank and consumer-specific financial information such as transaction data)
- Health, Medical or Therapy Info (health claims and other information used to measure health or wellness)
- Location (precise past or current location of where a user has gone)
- User Uploaded Files (files stored on the device that contain your content, such as calendar, photos, text, or video)
The app’s privacy policy must also inform consumers whether the app shares the above-referenced data categories or personal data with third parties such as:
- Ad Networks (companies that display ads to you through apps)
- Carriers (companies that provide mobile connections)
- Consumer Data Resellers (companies that sell consumer information to other companies for multiple purposes including offering products and services that may interest you)
- Data Analytics Providers (companies that collect and analyze your data)
- Government Entities (any sharing with the government except where required by law or expressly permitted in an emergency)
- Operating Systems and Platforms (software companies that power your device, app stores, and companies that provide common tools and information for apps about app consumers)
- Other Apps (other apps of companies that the consumer may not have a relationship with)
- Social Networks (companies that connect individuals around common interests and facilitate sharing)