App development: is ‘privacy by design' the new standard?

Kirsten Gollatz, Humboldt Institute for Internet and Society (HIIG)

PUBLISHED ON: 28 Mar 2013

Over the last few years, privacy has become a trending topic when it comes to the mobile internet. Mobile app developers and providers of app stores have increasingly been put under pressure by privacy advocates.

Many of these small computer programmes, of which thousands are developed and offered in app stores worldwide, have reached new levels of opaqueness with regard to the collection and unauthorised re-use of user data. It was established that certain apps could retrieve, record and read personal data such as the entries in your address book, geolocation data and text messages, without prior consent or even awareness on the user's part.

Privacy-related incidents in the last five years have had lasting impacts on user behaviour. A 2012 report by the US-based Pew Research Center found that users of mobile phones are increasingly worried about how apps handle personal data. More than half of those surveyed had uninstalled an application, or avoided installing one in the first place, once they learned what it meant in terms of data collection and transfer.

Self-regulation through privacy by design

In reaction, commercial providers and regulators have felt the need to quickly address the mounting uncertainty around privacy in apps, especially at a time when the mobile app market is still in its infancy.

Industry and regulators broadly favour ‘privacy by design’ as the best route to securing user privacy on the mobile internet. Besides direct stakeholders such as development firms, associations of programmers and mobile network operators, the principle of building privacy into the product technically also resonates with consumer groups.

The privacy by design principle is based on the idea that in an era of fast-paced technological change in hardware and applications, privacy cannot be safeguarded by laws alone. Effective privacy, it is believed, is better served by the app firms or developers themselves - by self-regulation rather than government intervention.

Privacy by design and current regulation

Privacy by design has been recently promoted on several occasions:

  • In February 2012, the Attorney General of California, Kamala D. Harris, announced that she had reached an agreement with the six leading app store providers - Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion. The agreement asks programmers to inform users about the privacy-enhancing measures they have implemented before users even decide to buy or download an app.
  • The GSM Association - a worldwide industry network of mobile operators - was quick to react with the publication of its Privacy Design Guidelines for Mobile Application Development. Although explicitly supported by the largest European operators, these guidelines are, it is hoped, to serve as a framework for what is to become a global standard.
  • In 2011, the EU Commission put privacy by design at the very core of its adopted legislation on privacy and data protection for RFID applications (PDF). In the EU Commission’s draft for an EU-wide Data Protection Regulation, privacy by design is again framed as a guiding principle.

California makes it even more concrete

In January 2013, California’s Attorney General Harris published a collection of recommendations to improve privacy on the mobile internet (PDF), aimed primarily at app developers:

At the start of app development, developers should set up a data checklist that records all personal data the app will use. They should not gather more data than the minimum required for the app to function. A clear and straightforward privacy statement should also be drawn up, so that the user can make an informed decision. Taking the basic approach of minimising any privacy-violating measures from the outset, the report recommends giving the user hints on how to avoid unpleasant surprises.
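What such a data checklist can look like when it is enforced in code rather than kept as a document: the app declares, up front, which personal data items it needs and why; a helper then strips every incoming record down to exactly those items, reports any data category the code touches that was never declared, and derives the plain-language privacy statement from the same declarations. This is an added illustration, not code from the article or from any body it names; the hypothetical messaging app, its field names, categories and the sample sign-up record are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ChecklistEntry:
    field_name: str   # key as it appears in the raw record
    category: str     # constructed categories: "account", "contacts", "location", "sms"
    purpose: str      # why the app needs it; this text feeds the privacy statement


@dataclass(frozen=True)
class DataChecklist:
    entries: tuple[ChecklistEntry, ...]

    def allowed_fields(self) -> set[str]:
        return {e.field_name for e in self.entries}

    def declared_categories(self) -> set[str]:
        return {e.category for e in self.entries}

    def minimise(self, record: dict) -> dict:
        """Keep only the fields the checklist declares; everything else is dropped
        before it is stored or transmitted (data minimisation at the boundary)."""
        keep = self.allowed_fields()
        return {k: v for k, v in record.items() if k in keep}

    def undeclared_access(self, accessed: set[str]) -> set[str]:
        """Categories the running app touched that the checklist never declared.
        A non-empty result means the checklist and the code have drifted apart."""
        return accessed - self.declared_categories()

    def privacy_statement(self) -> list[str]:
        """One plain sentence per declared item, for the user-facing statement."""
        return [f"We use your {e.field_name} ({e.category}) to {e.purpose}."
                for e in self.entries]


# Constructed checklist for a hypothetical messaging app: two items, both "account".
CHECKLIST = DataChecklist((
    ChecklistEntry("phone_number", "account", "create and verify your account"),
    ChecklistEntry("display_name", "account", "show your name to your contacts"),
))

# Constructed raw record, as a sign-up form plus eager device lookups might produce.
RAW_SIGNUP = {
    "phone_number": "+1-555-0100",
    "display_name": "Example User",
    "address_book": ["+1-555-0101", "+1-555-0102"],   # contacts: never declared
    "last_location": (37.77, -122.42),                # location: never declared
}


def process_signup(record: dict) -> dict:
    """The only path by which sign-up data enters storage: minimised first."""
    return CHECKLIST.minimise(record)


def audit(accessed_categories: set[str]) -> set[str]:
    """Compare what the code actually read against what was declared."""
    return CHECKLIST.undeclared_access(accessed_categories)


if __name__ == "__main__":
    print(process_signup(RAW_SIGNUP))                     # address book and location gone
    print(audit({"account", "contacts", "location"}))     # {'contacts', 'location'}
    for line in CHECKLIST.privacy_statement():
        print(line)
```

The point of deriving both the minimisation filter and the privacy statement from one declaration is that the statement cannot silently fall out of step with what the app collects: adding a field means adding a checklist entry with a purpose, and the audit surfaces any category read at runtime that nobody wrote down.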

From soft solutions to binding rules?

While advertising networks are resisting the advances of privacy by design, programmer associations and the GSM Association have already sided with Harris’ recommendations. At first sight this seems surprising, as the recommendations - formulated as best-practice advice - already reach beyond the requirements of Californian privacy law. On reflection, though, the mobile industry has most probably weighed its position before biting the bullet: data protection through self-regulation – until now without control mechanisms – converges more with this stakeholder’s interests than enforceable laws would.

For regulators and the industry, a new test phase begins: can privacy by design work?
