Meaningful Privacy Protections for Mobile Services

Privacy protection in digital environments is of major concern for institutions, civil liberties organizations and consumers in general. In May 2012, the Federal Trade Commission (FTC) hosted a public workshop that addressed privacy and security challenges in mobile environments. The event covered important issues including online disclosure challenges, social media and mobile marketing, and mobile privacy disclosures. This article introduces some of the major privacy concerns within mobile environments.

Threats in Mobile Environments

Mobile environments present unique threats and risks to user privacy. Threats can be broadly categorized into two main types: signal interception and access to user information.

Signal interception is closely related to eavesdropping, the act of secretly listening to a private conversation, which can be understood as either unethical or advantageous, depending on the parties involved.

Examples include the interception of phone calls (phone tapping), email, instant messaging and other modes of communication considered private. The rapid proliferation of signal interception hardware and the development of software techniques that render mobile devices prone to hacking both indicate that signal interception represents a major threat to the privacy of mobile service users.

Another threat is access to text messages, defined as the acquisition of stored or even deleted text messages from users’ mobile devices or operators’ servers by special parties (e.g. mobile operators, law enforcement officers, hackers), for either legal or illegal purposes.

Access to user records is yet another threat to privacy in mobile environments. Customer records stored on the mobile network operators’ servers are predominantly considered confidential information. Much of this information is in the form of call logs (incoming/outgoing); detailed information about dialed/dialing numbers; records of times and duration of phone calls; user location at times of calls; and billing information.

Unauthorized access to user information happens through mishandling and mismanagement of data by service providers. There is also a growing number of mobile phone spy software products, websites and tutorials, which worries industry insiders, business experts and government officials.

EPIC’s Comments & Recommendations

In response to the FTC’s May 2012 workshop, EPIC (the Electronic Privacy Information Center) made the following comments and recommendations to encourage the FTC to pursue more than simply a notice-centric approach to privacy protection:

  • A notice-based privacy regime provides inadequate protection for consumers.
  • Privacy labels or icons suffer from many of the same flaws as traditional privacy notices.
  • The FTC’s conception of disclosure should include transparency, access and correction, in addition to notice.
  • Explore the connection between disclosure and a broader regime of privacy protection.

The following sections take a brief look at EPIC’s recommendations.

Insufficient Privacy Regime

A notice-based privacy regime is largely inadequate because it places the burden of protecting privacy on the consumer, imposing huge obstacles to restricting the use of one’s data in mobile environments. It’s common knowledge that privacy policies often go unread by consumers. In order for a notice-based privacy regime to work:

“… the typical smartphone consumer would need to read, understand, and act upon the privacy policies of different actors, including but not limited to the hardware manufacturer, the carrier, the platform developer, app developers, and third party advertising or analytics networks.”

Flaws of Privacy Labels & Icons

Privacy icons or labels are limited in many ways. As with privacy notices, consumers are unlikely to use them. Like traditional privacy policies, privacy icons will most likely be ignored. Summarizing privacy practices is problematic as the icon/label approach is not comprehensive and will not be able to adequately explain the privacy practices of all those involved throughout the lifecycle of the mobile device/application.

Expanding the Concept of Disclosure

The FTC and other industry officials tend to focus on notice – the mechanisms for transmitting information at or before the point of purchase – when explaining the concept of disclosure. It is EPIC’s contention that disclosure should also include transparency – the mechanisms for transmitting information throughout the remainder of the consumer’s interaction with a product/service.

According to EPIC,

“Meaningful transparency can facilitate greater user control over their personal information held by others in ways that are not possible (or are difficult) to accomplish using notice… When transparency is combined with the right to ensure accuracy, the result is even more favorable to consumers.”

Connecting Disclosure with a Broader Privacy Regime

While notice is a procedural form of privacy protection, it is not a substantive form. Alone, notice does not dictate any limitations on the collection, storage, manipulation, or dissemination of information. Even the best notice is unable to provide substantive privacy protections for consumers. The majority of privacy approaches regard notice as just one aspect of a more comprehensive set of privacy protections.

EPIC recommends that:

“Notice should be part of a broader regime that incorporates substantive privacy protections for consumers. Specifically [the FTC] should consider how best to establish substantive privacy protections for mobile services. Too often, “notice” operates as a waiver or disclaimer to the disadvantages of users of Internet-based services.”

Summary

Mobile environments present unique threats and challenges to privacy and security. This article takes a look at two main types of threats in such environments: signal interception and access to user information. It then examines four important recommendations made by EPIC to the mobile industry regarding the current state of privacy protection approaches. These recommendations are: 1) A notice-based privacy regime provides inadequate protection for consumers; 2) Privacy labels or icons suffer from many of the same flaws as traditional privacy notices; 3) The FTC’s conception of disclosure should include transparency, access and correction, in addition to notice; and 4) Explore the connection between disclosure and a broader regime of privacy protection.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

  • The information lifecycle – PII and contractual information (I.A.c.)
  • Privacy by policy – notice and choice (III.B.a.)
  • Wireless technologies (VI.B.)
  • Location-based services (VI.C.)