MEF’s recent Global Consumer Trust Survey found that 30 per cent of mobile media users cite trust as the single largest obstacle to using mobile to purchase goods and services. Concerns focus on the privacy of user data. Why would an app want to access data on my location, my photos, or contacts for example? Yet app developers and publishers need user data to monetize their services. There is a clear need to balance the industry’s requirement to gather data with consumer trust and privacy and transparency.
Here Paul Palmer, Vice President, APAC region of F-Secure, explores how consumers can better understand the value exchange when interacting with “free” apps while providing personal data, and what people can do to stay safe online.
There has been an explosion in the number of apps available today (over 1.3 million) for both consumers and enterprises, most of which can be downloaded from app stores for free. Of course there is no such thing as a free lunch. It is evident that most app developers are finding ways to monetize their investment:
- Provide the app on a free “trial” basis after which the user has to pay to use the app
- Release a cut-down version of the app, with users paying for the optional extras via in-app purchases (premium version)
- The app is provided free and the developer makes money by serving in-app advertisements
- The app is provided “free”, but the app vendor collects user data and sells it to advertisers and other interested parties
The last method described above can be used in isolation as a revenue source but has invariably been used in addition to all the other methods.
The collection of user data and associated privacy protection (or lack of it) is currently a grey area both from a legal and moral perspective. It appears that while it remains so there are plenty of companies only too willing to exploit its ambiguity.
The most concerning aspect of this is that most users downloading an application are oblivious to the Terms and Conditions (T’s & C’s) that they have just “Agreed” to. The reason for this is twofold: first, the company has made the T’s & C’s completely unintelligible to the average consumer; second, the user really does not have the time or the inclination to wade through the details. More worrying is that a large number of the end users are children.
It is common practice for apps to access various device capabilities once a user has agreed to certain T’s & C’s, including identity, location, device ID and even access to your photos and videos. You can see this illustrated below with a popular game that children might download. ‘Why on earth would they require access to your photos and videos?’ Some apps go even further, asking for access to the device contacts, microphone and camera. Other apps can even make calls or send text messages in the background without asking you once you have given permission, leading to bill shock or a surprise loss of credit.
A recent survey conducted by the GSMA and DiGi in Malaysia regarding privacy concerns over app permissions revealed real concerns among mobile consumers.
With the revelations of Edward Snowden, it emerged that the data acquired by “leaky” apps like Angry Birds has been a lucrative source of data to the NSA for the past couple of years. With over 1.5 billion downloads globally, combined with the data now being acquired by these apps, it is not difficult to see why the global awareness generated on the back of the Snowden report has generated a good deal of concern and anger, both amongst the general public and within governments (the parts that are not actively spying on their own citizens).
Thankfully this is not going completely unnoticed, and there are now a number of bodies looking at ways to redress the balance of power and regulate the situation, including the Global Privacy Enforcement Network. GPEN was established by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among the numerous privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to actively work together to strengthen personal privacy protections in this global context. The informal network is now comprised of 47 privacy enforcement authorities in 37 jurisdictions around the world.
A GPEN study examined 1,211 mobile apps for privacy information and found 85 per cent didn’t clearly explain how they were collecting personal information or how it was being used. Some 59 per cent made users struggle to find basic privacy information, while almost one-third seemed to request too many permissions to access such information. Furthermore, the study found, developers failed to tailor communications about privacy to small device screens. The information was presented in tiny typefaces or was difficult to find in lengthy privacy policies that required scrolling or viewing many pages.
Are initiatives such as GPEN too late? Many people do not seem to care what their personal data is used for as long as they get access for free. Others are rightly far more concerned about how their data is being used and what it’s being used for.
The key is that consumers should be given a clear choice and the default should be that such data and permissions should not be granted without good reason or clear consent. Privacy policies should be in a standard format, concise and easily understood.
Ultimately, people need to be more aware about what their data may be used for and take a cautious view on app permissions. Some great advice is provided on the StaySafeOnline.org website prepared by the National Cyber Security Alliance. Stay Safe Online!