Mobile application creators need to ensure that customers know exactly how their user data is collected and stored. So far, it’s not an industry standard.
Often, when someone downloads a free app, she is giving up her data in exchange for that service. For example, she might download an app that requires her to link her Twitter account (or her Facebook) to use the app. In a typical financial transaction — say, $3 for a dozen eggs — you know how much you’re giving up. With these types of apps, though, the user enters an implicit agreement with the app and its brand. Usually that agreement is blind, with no notice of what exactly the app will collect and store or explanation of what will happen to that data.
Previously, mobile apps used unique device identifiers to identify mobile users and keep track of the data they generated. However, Apple recently announced the deprecation of UDIDs, possibly out of privacy concerns. UDIDs could be associated with other, personally identifiable information to create a mobile fingerprint that users might not have realized they left, or even had.
OpenFeint is a cautionary tale in the privacy-on-mobile discussion. (My company, Socialize, is a competitor of OpenFeint.) A mobile gaming network similar to GameCenter, OpenFeint landed in hot water because it did not clearly explain to its users (the mobile gamers) how it would collect and share their user data. The company now faces a class action lawsuit that alleges it linked users’ UDIDs to Facebook and Twitter profiles, as well as GPS coordinates, thus revealing identifying information such as gender, age, education level, geographic location and household income to app developers and potential third parties. OpenFeint’s users didn’t realize they were exposing all this data about themselves, that the data would be tied to their UDIDs, and to what extent OpenFeint and its enabled apps could track their activity.
At the very basic level, it’s necessary to store certain types of data for an app to run properly. Frankly, though, it’s not uncommon for apps and mobile brands to collect data to the extent that OpenFeint did. In light of the deprecated UDID, OpenFeint recently announced a single sign-on process to take the place of identifying users by UDIDs. The new identification process will limit the scope of user data that OpenFeint apps can collect, but it doesn’t eliminate privacy concerns entirely.
The fact of the matter is that most end users are ignorant of how much they expose about themselves when they authorize through Facebook or Twitter or any other sign-on process—and that this information would be shared to entities outside just the app developer. OpenFeint’s misstep was not collecting and sharing user data. Rather, OpenFeint made this practice seem covert and dishonest by neglecting to disclose their data handling. You want your app to build brand reputation, not harm it.
In order to establish best practices in the mobile industry, apps need to disclose. Their users are left in the dark as to how these brands collect, store and handle user data. Most users don’t even realize that there is data they share with the brands…and sometimes third-party advertisers too. And these users? According to a recent Nielsen poll, 59 percent of women and 52 percent of men say that they have privacy concerns related to their mobile apps.
Think about the children. No, really, apps need to be especially careful with users under 13 years of age. The Children’s Online Privacy Protection Act (COPPA), which extends to mobile devices, provides special stipulations for dealing with children and their data. App creators must obtain parental consent to obtain personal information from children, and failure to do so can prove costly for children’s mobile games and even apps not necessarily geared toward children. In the last month, one developer settled with the Federal Trade Commission to the tune of $50,000 after charges of COPPA violations. That sort of oversight isn’t cheap.