It is appropriate that on Data Privacy Day (January 28) the news should be discussing the latest revelations about alleged NSA data gathering, this time focusing especially on the popular game Angry Birds. Data Privacy Day is a day dedicated to raising awareness around issues of online privacy and protecting your personal information. And the latest disclosure is certainly raising awareness. But while a lot of the talk is focused on the NSA and Angry Birds, it would be both a mistake and a lost opportunity to keep the discussion focused just on them. These most recent revelations should spur a much broader discussion around the state of privacy in the mobile era and especially around the data that mobile devices and apps are gathering, what they’re doing with it and the clarity of the notice being given about that. The lesson we should be taking from these recent revelations isn’t that the NSA is overstepping (that’s a separate, policy discussion) or that Rovio, the maker of Angry Birds, is or isn’t helping them (that’s also being debated). Rather, the lesson is that mobile devices and apps of all kinds are gathering more data than they need, in ways that aren’t clear and doing things with it that most, if not all of us, don’t understand. Even more importantly, we should be taking this discussion a step further and using it to discuss the coming Internet of Everything (IoE) where these problems will be even more acute.
Two key principles of privacy are the ideas of notice and consent regarding data gathering. Good privacy practices rely on these two principles to help users clearly understand what data is being gathered, what’s being done with it (notice) and to choose to accept the product or service or not (consent). For there to be informed consent, clear, understandable notice is required. Otherwise we face what I’ve called the “Oh crap!” moment: as in, “Oh crap! I didn’t realize you were getting that data and using it when I agreed to this.”
When we read about the information the NSA is purported to have gathered from mobile devices and apps (including but not restricted to just Angry Birds), it reads like a huge “Oh crap!” moment. According to the Guardian’s story:
Depending on what profile information a user had supplied, the documents suggested, the agency would be able to collect almost every key detail of a user’s life: including home country, current location (through geolocation), age, gender, zip code, marital status – options included “single”, “married”, “divorced”, “swinger” and more – income, ethnicity, sexual orientation, education level, and number of children.
The reports make clear this information isn’t from malware on the system: it’s gathered from ostensibly legitimate apps that users have willingly installed. Meaning: these users have given their consent to have this data gathered. And yet, nearly everyone who reads this list is experiencing shock and alarm. Why is that?
It’s for two reasons. First, notice is just not clear. Second, it’s clear that mobile devices and apps are gathering way more data than they need. And as this situation shows, they’re not securing it well since the NSA is purported to be gathering this data due to it “leaking”.
Clear notice has been a problem in the industry for a long time. And people know it’s a problem: a recent study by Microsoft shows people feel helpless when reading privacy policies. But to date people have just accepted not clearly knowing and consented anyway (only 25% of people in the study said they even read privacy notices). But while the problems around clear notice may have been acceptable in the PC era of the past, in the mobile era they become much more acute because of the amount and type of data that can now be gathered.
Mobile devices tie our physical selves closer to the Internet. By their very nature, they gather more data about who we are and what we’re doing than computers do. And developers of mobile devices and apps have been taking an approach of “when in doubt, gather it” with regard to data, as these claims show. If we are shocked to learn what can be gleaned from our mobile devices and apps, it means that notice has failed miserably.
And the problem of apps “leaking” data, like the one allegedly being used here, is a pervasive one. Over 25% of the nearly 6 million apps we’ve analyzed suffer some form of data leak.
But focusing on the question of whether the NSA is or should be gathering this data misses the broader point. Whether they are or not, or whether they should or not, others can and are. There are surely other entities such as other governments, private corporations, and non-state actors that are gathering this data for their own purposes that we’ve not heard about. And they’re doing it because they can, because the makers of mobile devices and apps are enabling them to do so. If we don’t like hearing about our data being collected and used, we need to focus the discussion on it being gathered in the first place.
These claims hitting on Data Privacy Day should serve as a wake-up call to make clear the deplorable state of privacy on mobile platforms. While it will further discussion about whether governments are and should be gathering this data, it’s more important that it spark real discussions about mobile device and app makers giving clear notice, whether this data should even be gathered and what’s done with it once gathered.
Even more importantly, it should start a discussion around clear notice and data collection and use for the next generation of devices, those of the IoE. These will tie our physical selves even more closely to the Internet, gathering even more data on who we are and what we’re doing. At least now, though, we have a chance to have the conversation before these devices are widely used. We have a chance to prevent “Oh crap!” moments around the Internet of Everything. But only if we act soon.