Mobile Application Privacy: NTIA Publishes Latest Multistakeholder Transparency Draft for Comment

The National Telecommunications and Information Administration ("NTIA"), part of the U.S. Department of Commerce, has been convening multistakeholder meetings to work on improvements to data collection/use transparency--an effort called for in the Obama Administration's Consumer Privacy Bill of Rights. On February 4th, 2013, the NTIA released the latest discussion draft of its Code of Conduct for Mobile Application Transparency. The goals of this initiative, as stated in the latest draft, are to "balance the objectives of transparency, brevity and functionality," or more specifically:

• Transparency: Consumers expect clear, succinct explanations of an app’s data collection and third party data sharing policies.
• Brevity: Short form notices must enhance app transparency and understanding in context.
• Functionality: App developers need transparency standards that they can easily implement in the context of an app without diminishing the user experience.
• Consumers hold a spectrum of attitudes towards sharing their data with apps. Consumers’ willingness to share data will vary with context and time, and apps should facilitate those choices.
• Regulators, legislators, and privacy and consumer advocates all seek a fair balance among all of the interests involved, recognizing some consumers’ choice to share data with apps in exchange for a wide variety of tools, content, entertainment.
• Apps will evolve over time to offer fixes, enhancements, and changes to the original functionality. Apps may need to offer new functionality and/or they may need to adapt their business models. When apps’ data policies evolve in material ways, the apps must promptly and prominently update their disclosures to consumers.
• Continued work will need to be done to help integrate the full range of fair information practices with effective methods of transparency for innovative data uses. App developers understand that the implementation of these principles is just one aspect of satisfying consumer expectations and they commit to leading their industry to develop common practices and tools that adhere to fair information practices (these principles include access to personal information, control over storing information and sharing it with third parties).
• App Developers who adhere to this code of conduct and provide short form notice as described in Section II, are engaging in a best practice that significantly enhances transparency of data practices. This code reflects the state of industry best practices for transparency. Although compliance with the code and provision of a short form notice does not guarantee that any individual developer is providing an accurate notice for their specific practices, the authors of this code believe that compliance with the standardization provided by this notice should be a compelling factor serving to limit claims that a notice is deficient.

According to John Verdi, Director of Privacy Initiatives for the NTIA,comments and proposed changes on the latest discussion draft should be sent either to Tim Sparapani or Verdi himself by February 18, 2013. Verdi further states that "[c]omments from prospective adopters are particularly encouraged!"

The informational page for the multistakeholder process on moible application transparency, including meeting schedules and other relevant links, may be found here.

New Article: Privacy, Transparency and Google's Blurred Glass

I have just posted a new short article, Privacy, Transparency and Google's Blurred Glass, which looks at Google's privacy disclosures and how they may fall short of being as transparent as Google (and many others) would wish. The piece can be downloaded (as a PDF) from this link. Comments and questions are always welcome.

Path Pays $800,000 to FTC for Alleged Privacy Violations

On the same day that the FTC released its new report on mobile privacy, the Commission also announced its latest online mobile privacy enforcement action, an $800,000 settlement with the operator of the Path social networking app. According to the FTC's news release:

Path operates a social networking service that allows users to keep journals about “moments” in their life and to share that journal with a network of up to 150 friends.  Through the Path app, users can upload, store, and share photos, written “thoughts,” the user’s location, and the names of songs to which the user is listening.

In its complaint, the FTC charged that the user interface in Path's iOS app was misleading and provided consumers no meaningful choice regarding the collection of their personal information.  In version 2.0 of its app for iOS, Path offered an “Add Friends” feature to help users add new connections to their networks.  The feature provided users with three options: “Find friends from your contacts;” “Find friends from Facebook;” or “Invite friends to join Path by email or SMS.”  However, Path automatically collected and stored personal information from the user’s mobile device address book even if the user had not selected the “Find friends from your contacts” option.  For each contact in the user’s mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.
The FTC also alleged that Path’s privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information.  In fact, version 2.0 of the Path app for iOS automatically collected and stored personal information from the user’s mobile device address book when the user first launched version 2.0 of the app and each time the user signed back into the account.

The agency also charged that Path, which collects birth date information during user registration, violated the Children’s Online Privacy Protection Act (COPPA) Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent.  Through its apps for both iOS and Android, as well as its website, Path enabled children to create personal journals and upload, store and share photos, written “thoughts,” their precise location, and the names of songs to which the child was listening.  Path version 2.0 also collected personal information from a child’s address book, including full names, addresses, phone numbers, email addresses, dates of birth and other information, where available....

The case documents may be found here.

The FTC has been actively enforcing violations of children's privacy for more than ten years, and is explicitly increasing its enforcement activities in mobile privacy and data security. (The FTC recently announced changes to its COPPA rule, but those have not yet gone into affect; the Path enforcement arises out of the current rule.) This latest action is consistent with the Commission's ongoing efforts to both encourage proper practices with regard to consumers' personal information, and punish those firms that fail to appropriately respect privacy and data security.

New FTC Mobile Privacy Report: Trust Through Transparency

On February 1, 2013, the FTC released its latest privacy-focused report, Mobile Privacy Disclosures: Building Trust Through Transparency. In the report, which arose from the FTC's May 2012 mobile privacy summit and other efforts and suggestions, the Commission offers guidance to the many types of organizations that contribute to how mobile devices collect and use personal information: the operating system providers/platforms (Apple, Google, Microsoft, Blackberry, Amazon and others), app developers, the advertising networks, analytics firms and other third parties whose products are integrated with mobile devices, and the broader trade and research communities. In the FTC's view, each has responsibility toward the overall goal of improving privacy disclosure and protection. (The FTC states that it will also be issuing updated guidance regarding the related issue of advertising disclosure.)

The new report lays out the FTC's history of privacy study and enforcement, especially its efforts since and including its March 2012 Privacy Report, its ongoing work on children's privacy, and risk issues such as financial privacy. Building on its own work, the ongoing multistakeholder mobile privacy initiative of the National Telecommunications and Information Administration ("NTIA"), a Government Accountability Office ("GAO") report on mobile device location data and enforcement and guidance by the California Attorney General's Office, the FTC summary recommendations include the following:

Platforms, or operating system providers offer app developers and others access to substantial amounts of user data from mobile devices (e.g., geolocation information, contact lists, calendar information, photos, etc.) through their application programming interfaces (APIs). In addition, the app stores they offer are the interface between users and hundreds of thousands of apps. As a result, platforms have an important role to play in conveying privacy information to consumers. While some platforms have already implemented some of the recommendations below, those that have not should:

• Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;
• Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content;
• Consider developing a one-stop “dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded;
• Consider developing icons to depict the transmission of user data;
• Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;
• Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores;
• Consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.

App developers should:

• Have a privacy policy and make sure it is easily accessible through the app stores;
• Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);
• Improve coordination and communication with ad networks and other third parties, such as analytics companies, that provide services for apps so the app developers can provide accurate disclosures to consumers. For example, app developers often integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used. App developers need to better understand the software they are using through improved coordination and communication with ad networks and other third parties.
• Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.

Advertising networks and other third parties should:

• Communicate with app developers so that the developers can provide truthful disclosures to consumers;
• Work with platforms to ensure effective implementation of DNT for mobile.

App developer trade associations, along with academics, usability experts and privacy researchers can:

• Develop short form disclosures for app developers;
• Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps;
• Educate app developers on privacy issues.

As with other similar FTC reports, the Mobile Privacy Report does not mandate or legislate specific practices. It does, however, provide guidance on what the FTC might do in its own enforcement activity, or request in legislation from Congress should businesses consistently fail to follow the Commission's guidance on best practices. It will also be very influential on state attorneys general and their own privacy-related enforcement. As such, it should be read, understood and taken seriously by everyone involved in mobile device development and marketing.

Bird Watching: Twitter's Transparency Report

Following in the example of Google, Twitter is also releasing a semi-annual Transparency Report disclosing the number and type of user information requests it receives from various governments, and the percentage of the requests to which Twitter responded positively. In its most recent report, covering July through December 2011, Twitter stated that it had received 1,009 information requests, 42 content removal requests, and 3,268 takedown and related notices regarding alleged copyright infringement on the service. The former two numbers were up substantially from the preceding six month period; the copyright notices declined slightly (from 3,378 to 3,268) in that time.

Twitter additionally broke down the data by country, and specifically focused on its home country, the United States. According to Twitter, requests from governmental bodies within the United States from July through December 2012 included the following:

User Information Requests	Percentage where some or all information produced	User / Accounts Specified	Subpoenas	Court Orders	Search Warrants	Others
815	69%	1145	60%	11%	19%	10%

As with that of Google, Twitter's transparency report is a useful reminder both of the attractiveness of social media services to governmental information gathering, as well as the overall privacy issues arising out of social media use. Law enforcement and other government officials understand how much information people share on social media services; it's crucial for users to understand this as well.

Impressions from LegalTech New York

Greetings from the lobby of the New York Hilton, site of this year's LegalTech NY conference and trade show. I've been touring the show floor this afternoon, learning about the state of the art and best practices in all aspects of the technology supporting legal practice. The vast majority of the exhibiting companies are offering products and services relating to electronic discovery (or e-discovery), from computer forensics to predictive coding (a big buzzword this year) to document review and production to analytics.

There are, though, other industry categories that are well represented here, mainly relating to law practice management. Numerous vendors offer ways to put your practice online and loft it to the cloud, whether for software as a service (SaaS), backup, document sharing or all of the above. There are a fair number of back office management solutions as well: bookkeeping, billing, resource management and cost controls. Data security makes a good showing, whether from companies with tiger teams to seek out and identify firms' and companies' security holes, or hardware and software to close the holes before they are found; some do both. Finally, there are some translation service companies, mobile practice tools, and printing/document creation and management offerings.

From the number of people here, and the filled-to-bursting floor space, it appears that legal technology is a thriving area, and no wonder:electronic discovery is now a part of almost every litigation, firms and in-house departments alike are desperately seeking ways to reduce their costs and increase efficiency, and clients are demanding instant response and full access to case files. As a legal educator, I see some small challenges in this technological expansion (some of the most common entry-level lawyer jobs for our graduates could be made obsolete by technology and outsourced service providers), but much more opportunity for law school graduates to learn about, master and implement these solutions in their own practices and with colleagues.

There are a few other points that are clear after walking around LegalTech NY. First, based upon the "drop a card and win" prize assortment, iPad Minis are thought to be the hot item to pull in people's contact data. Second, based upon the food being given away, vendors are well aware that lawyers and IT professionals alike live on caffeine and sugar (coffee and chocolate abound). Finally, there seems to be no geographic center of legal tech companies; I've spoken with vendors from Utah, Kentucky, all over Canada and many other places.

For more about LegalTech NY, you can follow the #ltny hashtag. Meanwhile, I'm on my way back in. Wish me luck winning an iPad Mini! {Jonathan}

The Other Google Search: 8438 Data Requests by U.S. Gov't

Google has released the latest version of its Transparency Report, covering the period from July 1 through December 31, 2012. In the report, Google states that the U.S. government made 8,438 requests of user data from Google during the period, covering a reported 14,791 users/accounts, and that Google responded fully or partially to an aggregate of 88% of those requests, broken down as follows:

July to December 2012	Records Requested	Users/Accounts	Percentage Fully/Partially Complied With
Search Warrant	1,896	3,152	88%
Subpoena	5,784	10,390	88%
Other	758	1,249	90%

The number of of these requests, particularly from the U.S. government, has been steadily increasing over the past few years; the U.S. government made only 3,580 total requests in the same period in 2009. Google states in the introduction to its report, "We review each request to make sure that it complies with both the spirit and the letter of the law, and we may refuse to produce information or try to narrow the request in some cases." It also attributes some of the increase to its own growth: "Usage of our services have increased every year, and so have the user data request numbers."

While Google is to be commended for its efforts to disclose (some of) the requests for information it receives, the report and the increases it shows serve as a reminder of the size, scope and value of Google's collection of data about its users. Given how many products Google owns, many of which may not bear obvious Google branding (such as the Zagat Restaurant Guide) but may still be feeding user data into Google's central servers (Zagat's privacy policy is the Google shared one, as is that of its fellow non-obvious Google acquisition, the Frommer's Travel Guides site), one may legitimately question whether all users are able to provide truly informed consent to Google's data collection, which is increasingly a governmental resource as well.