News

Devs To Blame for Mobile App Privacy/Security Failures?

It's a sad state of affairs for mobile app privacy and security, and some of the blame is on developers, says one study.

• By David Ramel
• 09/17/2014

The sad state of affairs in mobile app privacy and security failures is partly to blame on developers, says a study by the Global Privacy Enforcement Network.

GPEN's report criticized many aspects of privacy considerations in mobile apps, including unclear policies on the use of personal information, hard-to-find information about privacy polices and excessive requested permissions.

The GPEN study examined 1,211 mobile apps for privacy information and found 85 percent didn't clearly explain how they were collecting personal information or how it was being used. Some 59 percent made users struggle to find basic privacy information, while almost a third seemed to request too many permissions to access such information. Furthermore, the study found, developers failed to tailor communications about privacy to small device screens. The information was presented in tiny typefaces or was difficult to find in lengthy privacy policies that required scrolling or viewing many pages.

The privacy enforcement organization stemmed from a 2007 Organization for Economic Co-operation and Development (OECD) initiative recommending cross-border cooperation in enforcing privacy protection laws. The resulting GPEN comprises organizations from 39 nations, ranging from Albania to the U.S. In the this year's privacy "sweep," some 26 privacy enforcement authorities from 19 nations helped examine mobile apps and report findings.

"Apps are becoming central to our lives, so it is important we understand how they work and what they are doing with our information," said Simon Rice of the UK's Information Commissioners Office, (ICO), which issued a news release about the study. "Today's results show that many app developers are still failing to provide this information in a way that is clear and understandable to the average consumer.

"The ICO and the other GPEN members will be writing out to those developers where there is clear room for improvement," Rice continued. "We will also be publishing guidance to explain the steps people can take to help protect their information when using mobile apps."

The ICO last December published such guidance on how to conform to the UK's Data Protection Act, with tips ranging from how to give users feedback and control of their personal information to how to test and maintain apps.

Not all of the findings from the most recent sweep were negative, however, and some best practices found by sweepers were published last week by the Office of the Privacy Commissioner of Canada, which participated in the study:

• Many popular apps are embracing the potential to build user trust by providing clear, easy-to-read and timely explanations about exactly what information will be collected and how it will be used, pursuant to each permission.
• Sweepers found many positive examples of apps properly tailoring privacy communications to the small screen through pop-ups, layered information and just-in-time notifications.
• Some apps didn't just tell users what they would do with their personal information, but also clearly articulated what they would not do with the information. Some apps even provided links to the privacy policies of their advertising partners. Others gave users the option to 'opt-out' of the 'help us with analytics' feature, which uses software to collect user information to improve the performance of the app.
• Sweepers noted a number of best practices in the area of children's privacy and parental consent. One international partner highlighted, for example, an app that required parents to complete a consent form before their child could register.

You can read the full report here.

(Editorial note: A more complete version of this story is at ESJ.com here.)