Code of Conduct for Mobile Apps
Written by Alex Armstrong   
Tuesday, 06 March 2012

The Electronic Frontier Foundation (EFF) has drafted a Mobile User Privacy Bill of Rights that seeks to codify best practices for app developers.

The EFF's document starts from the premise that, given the sensitivity of the data that many consumers store on their phones, manufacturers, carriers, app developers, and mobile ad networks need to respect user privacy in order to earn and retain the public trust. It uses as a basis its existing Bill of Privacy Rights for Social Network Users and the recently released White House white paper "Consumer Data Privacy in a Networked World".

The document lists six rights that have to be respected by applications:

Individual control: Users have a right to exercise control over what personal data applications collect about them and how they use it.

Focused data collection: App developers need to be especially careful about concerns unique to mobile devices - address book information, photo collections, location data, and the contents and metadata from phone calls and text messages. Applications should only collect the minimum amount required to provide the service and attempt to keep personal information anonymous.

Transparency: Users need to know what data an app is accessing, how long the data is kept, and with whom it will be shared. Users should be able to access human-readable privacy and security policies, both before and after installation.

Respect for context: Applications that collect data should only use or share that data in a manner consistent with the context in which the information was provided. If contact data is collected for a "find friends" feature, for example, it should not be released to third parties or used to e-mail those contacts directly.

Security: Data should be encrypted wherever possible, and data moving between a phone and a server should always be encrypted at the transport layer.

Accountability: Ultimately, all actors in the mobile industry are responsible for the behavior of the hardware and software they create and deploy. Users have a right to demand accountability from them.

It then provides the following best practices:

Anonymizing and obfuscation: Wherever possible, information should be hashed, obfuscated, or otherwise anonymized. A "find friends" feature, for example, could match email addresses even if it only uploaded hashes of the address book.

Secure data transit: TLS connections should be the default for transferring any personally identifiable information, and must be the default for sensitive information.

Secure data storage: Developers should retain the information only for the duration necessary to provide their service, and the information they store should be properly encrypted.

Internal security: Companies should provide security not just against external attackers, but against the threat of employees abusing their power to view sensitive information.

Penetration testing: Security systems should be independently tested and verified before they are compromised.

Do Not Track: One way for users to effectively indicate their privacy preferences is through a Do Not Track (DNT) setting at the operating system (OS) level. Currently, DNT is limited mostly to web browsers, and only Mozilla's Boot2Gecko supports the Do Not Track flag at the OS level. But developers would benefit from the clear statement of privacy preferences, and should encourage other OS makers to add support.
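The "find friends" matching described under Anonymizing and obfuscation can be sketched as follows. This is an added example, not code from the EFF document or from this article; the function names, the `FriendFinder` class, the choice of SHA-256 and the sample addresses are assumptions made for illustration.

```python
import hashlib
import unicodedata


def normalize_email(raw: str) -> str:
    """Canonical form so the phone and the server hash identical bytes."""
    return unicodedata.normalize("NFKC", raw).strip().casefold()


def email_digest(raw: str) -> str:
    """SHA-256 hex digest of the normalized address."""
    return hashlib.sha256(normalize_email(raw).encode("utf-8")).hexdigest()


def client_upload(address_book: list[str]) -> list[str]:
    """What leaves the phone: de-duplicated digests, never the addresses."""
    return sorted({email_digest(a) for a in address_book if "@" in a})


class FriendFinder:
    """Server side (hypothetical): an index from digest to account id."""

    def __init__(self) -> None:
        self._index: dict[str, str] = {}

    def register(self, user_id: str, email: str) -> None:
        self._index[email_digest(email)] = user_id

    def match(self, digests: list[str]) -> set[str]:
        # Look up and return; unmatched digests are neither stored nor logged.
        # A plain hash of an address can be confirmed by anyone who guesses
        # the address, so digests are still handled as personal data.
        return {self._index[d] for d in digests if d in self._index}


# Constructed sample data (example.com addresses are placeholders).
SERVER = FriendFinder()
SERVER.register("u1", "alice@example.com")
SERVER.register("u2", "bob@example.com")
PHONE_CONTACTS = ["  Alice@Example.COM ", "carol@example.com", "not-an-email"]

if __name__ == "__main__":
    upload = client_upload(PHONE_CONTACTS)
    print(upload)                # two 64-character hex digests
    print(SERVER.match(upload))  # account ids of contacts who use the service
```

Normalizing before hashing is what makes the match work: without it, differences in case or stray whitespace would give the same contact a different digest on the phone and on the server.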

EFF notes that some of these issues will need other parties such as mobile carriers to get on board, but this code of practice looks like a good place to start for app developers.

More Information

Mobile User Privacy Bill of Rights


Last Updated ( Tuesday, 06 March 2012 )
 
 

   
Copyright © 2015 i-programmer.info. All Rights Reserved.