Protecting consumers' privacy is fundamental to app development

Privacy needs to be part of the core user experience and is integral to the mobile app.
Tools

Location-based mobile social applications are getting more personal by the day, and mobile app developers have a responsibility to protect the personal user information they collect and share. As a result, the government is looking over the wireless industry's shoulder to facilitate how it happens.

Security

Developers use secure protocol and encrypt data, so the information is not decipherable.

"Privacy needs to be part of the core user app experience, and not a separate document," said Derek Halliday, the lead security product manager at mobile security firm Lookout.  "Done well, it can be seamless to the overall app experience." However, Halliday cautions against burying privacy information and policies in the often unread terms of service or privacy policies document. "It's not a sustainable approach to assume that users will read and digest such obtuse documents."

Providing privacy transparency was integral to the recent rollout of Raved, a local/social mobile app allowing users to "rave" about things they like and share posts with friends. Built on top of Facebook, foursquare and other social apps, Raved leverages the standards and practices people are familiar with on the big platforms.

Give users choice

Raved takes privacy one step further by providing a high level of customer control on how and what information is shared. Giving users a choice is key and one aspect Raved CEO Henry Vogel feels separates the most successful mobile apps from the rest of the pack. Users can choose to bookmark a rave for their own personal use, share them with other application users or go wide and include the underlying social network communities with postings and notifications--all on a per-case basis.

Vogel and others believe developers need to be cognizant of application security, the third layer of privacy. Developers should only collect any type of personally-identifiable information using secure protocol and with encryption, so the information is not decipherable. "We don't transact in very sensitive (user) information but we make sure security is in place to prevent breaches where the bad guys could get in and get access to personal information," he said.

GPS apps require tighter privacy

FriendThem

Friendthem designed its app to give users a sense of privacy and security while connecting to potential strangers around them.

Applications using GPS location data walk a tighter privacy rope when it comes to sensitive user information. Highlight, Sonar, Glancee and Friendthem, are a few social apps using location data to connect nearby users for potential personal or business interactions. But it's the anonymity of the connection that raises greater privacy concerns.

Friendthem, for example, designed its app to give users a sense of privacy and security while connecting to potential strangers around them. "If a user, especially female, feels like their space has been violated, they will no longer use the app," says Liron Fishman Sabbah, co-founder and vice president of programming of Friendthem. The application provides users with multiple control options as to what and how much information is exposed to others, thereby preventing unwanted and unnecessary exposure.

These mobile privacy concerns have been on the academia research radar since the advent of smartphones. Shortly after the Apple App Store launched in 2008, Guanling Chen, associate professor in the computer science department at the University of Massachusetts in Lowell, co-authored a paper studying privacy issues in 31 social networking applications.

"Mash-up" potential is particularly troublesome

Girls Around Me

Foursquare pulled Girls Around Me, which alerted male users when women checked in nearby.

The concept of application "mash-up"--where sharing information with one application led to publication in another--was especially insightful. Chen referenced a website using foursquare and Twitter information to identify people who were not at home. "You may be comfortable sharing with your friends but once it's on Facebook or other apps you may be sharing with a lot of other users you weren't aware of," he said.

Earlier this year foursquare shut down Russian application Girls Around Me, which allowed male users to view nearby girls checking in on foursquare. The application has since been removed from the Apple App Store, however it illustrates the unintended consequences of sharing information on social networks.

This "mash-up" or indirect privacy attack was discussed in another academic paper co-authored by Mike Gartrell, a graduate student at the University of Colorado in Boulder. A solution to the "K-Anonymity Problem" as described, was to share location information only if there were "K" other users in the area. "You aren't giving away any information if you are the only other user in an area of fewer than "K" users," he said.

Gartrell's paper suggested the use of an identity server to act as a secure proxy for sharing location and user identity. Mobile devices connect with an identity server and get an anonymous ID, which is shared with other mobile users, limiting distribution of private information. But its effectiveness is questionable when so many mobile and social network users readily share the minutiae of their personal lives in the first place.

The legal implications of the privacy issue are perhaps only starting to be fully realized--in part because no one knew what happened behind the scenes of mobile applications. Apple, Twitter, Facebook and fifteen other application providers were sued in the U.S. District Court in Austin, Texas for allegedly "stealing" owners' address book date without knowledge or consent.

As an attempt to get out in front of the mobile privacy issue, the National Telecommunications and Information Administration (NTIA) convened a July multi-stakeholder meeting centered around mobile privacy. It's a follow-up to the Obama Administration's Consumer Privacy Bill of Rights, announced this February. Hundreds of stakeholders participated in the first meeting, which laid the groundwork for drafting a code-of-conduct transparency in how consumer data is handled by mobile applications. Two additional meetings follow later this year.