Are law enforcement agencies infiltrating servers to steal customer data? And, if so, what can we do about it? Simon Bates, MEF’s Senior Advisor for Policy & Initiatives, details the steps you can take to protect your personal data.
We all know how valuable data is to apps companies – many business models are based around sharing consumers’ personal information with advertisers and other third parties. In return, the app is often heavily discounted so, as long as the developer is sensitive to privacy concerns, everyone wins.
However, people are waking up to the fact that there might be people outside the commercial value chain who are accessing the data. Documents provided by US whistleblower Edward Snowden allege that spy agencies NSA (US) and GCHQ (UK) have infiltrated the major mobile operating systems.
It’s easy to see why they might want to. Smartphones are a goldmine for the world’s spymasters, combining in one device a user’s social contacts, location, online interests, photos and other media. They increasingly contain information of the most sensitive kind – financial and health data.
What are they accused of?
Snowden’s files – first published in the Guardian and Washington Post – allege that the NSA has hacked into the cables that connect data centres run by Google and Yahoo.
But they didn’t stop there. According to the documents, the NSA set up teams charged with analysing and then breaching the cyber-defences of the leading mobile operating systems. Apple iOS, Google Android and Blackberry’s systems were all assigned their own task force. One high-profile target was the backup files generated by smartphones, which include lists of contacts, call logs and text message drafts.
The news was met with outrage. Google and Yahoo were angry that users’ emails and other information had been compromised despite significant investment in data security. Privacy campaigners asserted that such activity was simply illegal.
Those of us interested in a sustainable market for apps should be worried. These revelations can only make consumers more suspicious of what’s happening on their smartphone. In previous posts I’ve highlighted the mistrust that has already been built up by high profile abuses of personal information. The less confidence people have in their mobile device, the less they will use it and the apps on it. That’s bad news for everyone.
Privacy as a key differentiator
One man’s trouble though is the next man’s opportunity. Apps, search engines and networks that make a virtue of privacy and security are already seeing rapid growth and will stand a far better chance in a world where consumers are wary of what information is being shared or taken.
One good example is DuckDuckGo, a search engine which doesn’t save searches, send information to third parties or store any personal information from users. DuckDuckGo took almost four years to reach a million searches but has seen traffic explode since word got out about the NSA’s actions. Within days it saw an uptick of 50%.
There is now a thriving market for apps which offer calls, texts and emails over a more secure network. Companies like Duvamis, Redphone and Gibberbot use end-to-end security – encrypting data on the sending device and decrypting it only on the receiving device – which helps keep it out of reach of prying eyes and ears.
Law enforcement requests
It may be that you are asked to provide user data by a law enforcement agency either at home or abroad. First, find out whether they are requesting your voluntary cooperation – i.e. the decision to provide data is up to you – or whether you are required by law to do what it is they are asking.
This is important because, believe it or not, by answering the request you might be breaking privacy laws. That’s right – by complying with one law you might be breaking another. Talk about getting caught between a rock and a hard place! If you find yourself in this position, we recommend you ask for professional legal advice.
Either way, if you do provide the information that was requested of you, ask yourself whether you ought to inform the user(s) affected about what has happened. It may be that the law requires you to stay silent – especially if we’re talking about an open investigation – but, if not, you might decide that your user(s) have a right to know.
Secure your data
All data handlers (that means app providers that collect or handle information) have a responsibility under the law to protect data. You must be able to show that you have taken reasonable steps to secure customer information. In light of recent revelations, you might consider beefing up that security, but this will depend in part on the expectations your users have of your service.
The reason a lot of people reacted angrily to the NSA story was that the agency was alleged to have been acting outside of standard judicial procedures. Namely, that it simply went in and took the information without asking first.
At the end of the day we all have two responsibilities. One is to the nation state(s) we operate in, and their law enforcement agencies. The second is to our customers, our lifeblood. Most of the time, the needs of both are in lock-step. Sometimes, however, they might not be. For those few cases, we need to have thought through how we will respond before the situation arises.
Simon Bates is MEF’s Senior Advisor for Policy & Initiatives – you can contact him here or share your views in the comments.