Designing for privacy in mobile applicationsPresentation Transcript
Designing for Privacy in Mobile ApplicationsGuidelines for Vodafone application developers 18 July 2011
What is privacy? Keep in mind that the guidelines here form part of our Developer Agreement, so you’re bound to comply with them when you participate in our programme. The guidelines here are intended to help you ensure that your applications don’t violate your users’ privacy. But what does that mean? Privacy means different things to different people in different contexts, but, when we use it here, we mean making sure that, when your application collects and uses personal information, it does it in ways that meet users’ expectations and gives them proper control, and it doesn’t disturb them or behave intrusively.
What is personal information? Personal information is personal information no matter how it’s collected. For example, you could: Ask your user for it directly (for example, in a registration flow). Collect it directly from your user’s handset (for example, a unique identifier like IMSI, MSISDN or EEID). Infer it indirectly, like when you profile or segment users based on their observed behaviours or locations. Collect it when it’s generated by the user (for example, tweets, status updates and other user-generated content, such as photos). But there is not necessarily a privacy problem because your application collects and uses personal information – that’s what the guidelines below are intended to help you determine. There are lots of legal definitions we could throw in here, but we’ll try to keep it simple: if information relating to an individual could identify, locate or enable you to contact them, then it’s personal information. But that individual doesn’t need to be identified by name, for example, or by phone number. A name or a phone number are each personal information, but not the only examples. A user is identified (and could be contacted or located) even when you’ve only associated them with an anonymised (or, really, pseudonymised) unique identifier if it persists over multiple sessions.
Why should I care? Some other important expressions What happens if your application does have a privacy problem? In a worst-case scenario, a regulator or consumer protection authority might investigate you for a legal or regulatory violation – which might cause you to have to pull your application, pay fines or even face criminal penalties. A privacy problem with your application will also likely lead to unhappy consumers and bad ratings, or you might find yourself being “named and shamed” by a privacy advocate – many of them are paying particular attention in this space and are actively engaged. Of course, if your application is identified by our testing or reported by your users as violating privacy, it goes without saying that we will not approve your application or we’ll pull it from our platforms. When we talk about applications needing active consent, we mean an affirmative indication of agreement by the user to a specific and notified use of their personal information. Active consent can typically be captured by ticking a consent box or clicking an ‘OK’/‘Allow’ button. Active consent must be captured in a way so that consent is not the default option (for example, if there’s an ‘I Accept’ tick box, it should not be pre-ticked so that consent is bundled in with agreeing to install). When we refer to location information, we mean any information that identifies the geographical location of a user’s device, including Cell ID, GPS, Wi-Fi, or other, less granular, information, such as town or region.
Index Guidelines for all applications Guidelines for applications that use location Guidelines for applications with social networking elements Guidelines for age-appropriate applications Guidelines for applications that use mobile advertising or analytics
Guidelines for all applications
Guidelines for all applications BACK Don’t sneak around. An application must not secretly access, collect or share personal information.
Identify yourself. Users must know who is using their personal information and how they can contact you for more information or to exercise their rights. ABOUT US App Adventures is a company that develops apps. You can reach us on our email address email@example.com. Our address is on App street n5, App country. i
Guidelines for all applications Financial Times App My Great App CANCEL Gain the user’s consent, where necessary. Sometimes users will need to give their active consent to uses of their personal information.
Collection or use of personal information not necessary for the application’s primary purpose.
Sharing personal information with third parties.
Storing personal information after immediate use of the application.
Name: Richard Stacey Age: 52 Hobbies: Golf, Sailing, Food Religion: Agnostic My Great App is requesting access to your address book to invite friends to join the game. SEND ALLOW DON’T ALLOW Example 1 Example 2
Guidelines for all applications Settings Give users control over prompting. Where possible, users should have choices about how – and how often – they are reminded about features and functionality that use their personal information. Please let us know how often we should prompt you with this message Every day Once a week, Monday Once a month Never Save
Guidelines for all applications Games No silent updates. Users must agree to any updates pushed to their device. And they need to be able to understand what the update contains. UPDATE SUPER GAME Development: Game Inc. This new version includes the following features:
Ten extra missions
Scoreboard sharing to Facebook and Twitter
In app advertisement
If you make changes to your app, let the users know what changes have been made so they can make decisions about whether to continue to use it; don't cover those changes under a text like “only minor changes”.
Guidelines for all applications On the server side, do not log locations that can be associated with individual users. Instead log aggregates of what you´re interested in. For example, just keep a list of how often people are using your app in London; there is no need to remember which user was in London and when. Minimise the information collected. Personal Information collected by an application must be reasonable, not excessive, and within the scope of the user’s expectations. Keep data secure. Take appropriate steps to protect users’ personal information from unauthorised disclosure or access. Note: The more sensitive the data, the more security you need.
Guidelines for all applications RSS Feed App Authenticate where security calls for it. Authenticate users where possible using risk-appropriate authentication methods. Set retention and deletion periods. When you no longer need the data you’ve collected for the reasons you collected it, make sure it’s appropriately and completely deleted. If data must be kept (for example, for billing, tax or other good reasons), make sure you keep only the minimum that will meet those needs. Reporting. Give users the tools to report privacy problems within or about your application.
Send us feedback Type text Send Log report Send
Guidelines for all applications MyDreamTrip Give users control over remote storage. Tell the user if your application will send data to a remote server and use or store it there. Let them know how long you’ll keep the data and why you need it. You should also let them review and delete the information if possible.
AMSTERDAM Price 100 Eur Low Cost Bcn 3:00 pm Ams 5:00 pm Price 125 Eur Iberia Bcn 5:00 pm Ams 5:00 pm Your search info will be stored on a remote server for three months so we can improve our search engine Okay
Guidelines for applications that use location
Guidelines for applications that use location Book Recommender Inform the user that location will be used. Access, use and share location data only when users have a clear understanding that you will do so and of the consequences of participating. Don’t facilitate stalking or surveillance. Applications must not collect, use or share location data about someone other than the user, except where another user has chosen to publish such information.
This app would like to use your current location to be able to pull the list of nearby book stores Locate me Cancel Sometimes, it will be very clear in context why and how you’ll use location. In those cases, minimal notice is necessary.
Guidelines for applications that use location Tetris Capture appropriate consents where necessary. For many location-enabled applications, the use of location is clear, and is in fact why your user chooses your application. But where location isn’t the primary purpose of the application, or where users might need a little more help in understanding how you use location, more active prompting and consent may be necessary.
This app would like to detect your current location to be able to post your points in your national ranking Post my score and location Locate me No, Thanks If location is not the primary purpose of the application or enables a secondary feature, let the user choose to activate location at the time that they use the feature.
Guidelines for applications that use location HIKING ROUTES This app would like to use your current location Consent and control are necessary if you collect or retain a location history. If you will retain a history of location, tell the user how long the data is retained and why. Let them review and delete their history. Yes No Share location with the park ranger Yes No Keep location history of my hiking routes Yes No Edit history View history Settings
Guidelines for applications that use location Walk with your friends Consent and control are necessary if location use persists when the application is active or closed. If you will continue to collect, use or share location data during operation of the application or after a user has closed the application:
Get the user’s active consent.
Alert the user when the location feature continues to operate with a persistent indicator. If technically possible, this indicator should appear even when the application is running in the background or does not otherwise appear to be active.
Prompt the user that location will continue to be collected, used or shared after the application is turned off, or placed in the background, and allow them to turn this feature off.
Provide easily accessible settings that allow the user to immediately turn location on or off, including a “location off” feature that overrides all other location settings in the application.
Even when closed, App Skywalker will keep collecting your location data in order to trace your walking route Don´t Allow Allow
Guidelines for applications that use location Running Community Strawberry finder When you start your run, the app will shared your location automatically with: Consent and control are necessary if you share location. If you will share location data with other applications, sites or services:
Get the active consent of the user.
Identify and provide a link or other means to access the recipients.
Give users a way to easily manage recipients (for example, to withdraw their consent if they want).
This app will make use of your GPS location Facebook Twitter Hyves Foursquare Yes Yes Allow Yes Yes Bad practice
Guidelines for applications that use location Carefully set defaults and give users control over social location features. When users can share their location with the public or with their contacts, the default setting must be private. That is, the user must give active consent to begin sharing location, and must affirmatively choose individual users or groups of users who will have access to their location. In addition:
Show a clear indicator when location-sharing is active.
Allow the user to set the level of granularity of the location (city, street, exact physical location etc.).
Allow the user to manually override the location presented, e.g. by typing in an alternate location
Allow users to turn off location-sharing at any time.
Guidelines for applications that use location This application is offered for free, and sponsored ads are included. You can download the ad-free, paid version here: LINK Give appropriate choices for location-based advertising. Label your application as ad-supported if it will include contextual location-based advertising or sponsored results. Make sure to get active consent before sending advertising or sponsored results based on a stored history of a user’s location.
Can we use your location to show you relevant advertising in your area? Allow Enter location manually
Guidelines for applications that use location My Shops My Shops Protect children from endangering themselves with social location features. Users who are identified or age-verified as children must be prevented from publishing their location (that is, sharing with the general public). If children are able to share location data with their contacts, granularity must by default be set at the city level or wider. (See more in Guidelines for age-appropriate applicationsbelow). @ Shop X @ Shop X Road 360 number 5, City City Your detailed address will not be shared – only your city. More Info @ Shop X @ Shop X Road 360 number 5, City City Refresh Share location Refresh Share location Settings More More Settings
Guidelines for applications with social networking elements
Guidelines for applications with social networking elements KAMASUTRA You are about to share adult content in a social network. Are you sure? Encourage responsible social sharing. Allow users to choose to share personal information, but make sure they know and understand the consequences. Give users control of their personal profiles and ensure that defaults protect privacy. Prompt users to register for social networks, but be careful about mapping registration information to profiles. Ensure that children are prevented from endangering themselves on social networks. Underage users require more restrictive defaults and other protective measures. (See more in Guidelines for age-appropriate applications). YES NO
Guidelines for age-appropriate applications (children’s applications or adult applications)
Guidelines for age-appropriate apps SchoolBook Tailor applications appropriate to age ranges. Applications that are intended for children and adolescents should ensure that they understand the consequences of using the application by describing features and functions in age-appropriate language. Children will, in some instances, require more restrictive default settings than adult users. Create age-appropriate defaults. The younger the user, the more conservative or restrictive your default settings should be. If you don’t have an actual age, then use the context as a proxy - e.g. applications that are aimed at or are likely to be used by younger children should assume a user age consistent with that type of application Name: Richard AGE: 8 To keep you safe, SchoolBook will not share your current location with your friends OK Messages Map Friends
Guidelines for age-appropriate apps We are sorry, you may not use this application. Please check the section About Us to read more information about our products and services. Please enter your date of birth: Where possible and appropriate. Under certain circumstances, you may need to verify a user’s age (for example, where applications contain social networking features or allow access to adult content). Where impossible to verify age using automated means, self-certification may be an acceptable alternative, but should not be done in such a way that children are encouraged to falsify their ages. 18 8 2000 OK EXIT Do not ask this question again. We do not save or share your date of birth. It is checked locally on your device. About Us EXIT Ask for users' date or year of birth instead of are you older than X years, but let them know how you will use it. Let them know why and offer them an exit button. Give adults the same choice too. Let them know what type of adult content to expect and give them the option to opt out.
Guidelines for applications that use mobile advertising or analytics
Guidelines for applications that use mobile advertising or analytics Sports/Games CONFIRM Comply with direct marketing standards, laws and best practices. In most countries, before you can send direct marketing communications (e.g. email or SMS) to users who install your application, they must at least be given: 1) an opportunity to opt out of receiving those messages when and where you collect their contact details; and 2) unsubscribe directions in each communication.
Inform users about embedded advertising features. Let users know when an application is ad-supported before they choose it. CACHULI Development: Julian Muñoz The free version of Cachuli is ad-supported. If you would like to remove the ads and support the continued development of Cachuli, you can do so. From the main screen, press your phone’s menu button, then tap the “remove ads” button. This will let you install the paid app, which removes the ads.
Guidelines for applications that use mobile advertising or analytics My Great App i Use third-party analytics tools appropriately. Tools like Google Analytics can be important and useful. But users should be notified that you’re using them and given an opportunity to choose not to participate. Give them an opt out within your application or, where available, instructions on how to use the third-party tool’s opt out. If possible, prevent these tools from collecting full unique identifiers like IMSI, MSISDN, IP address or EEID. To improve our app, we´d like to log some basic information about how you use it. This data will not be linked to you – we’ll combine it with other users’ information to create aggregate statistics. Under My Profile you will be able to change your choice at any time. Continue To improve your app, collect information on how users interact with it. But let your users know, what and why you're collecting. Do it without personal information, and let them opt out if it makes them uncomfortable.
Guidelines for applications that use mobile advertising or analytics Capture appropriate consent to advertise to a user. Users must agree to advertising targeted to them based on behavioural profiles about how they use your application collected over time, and give active consent to profiling across applications or by third parties. Before you embed code from third-party advertising companies, make sure they meet these requirements and don’t violate your users’ privacy.
Guidelines for applications that use mobile advertising or analytics My Great App CANCEL Respect privacy when viral marketing. Get the active consent of the user to access information about or send information to their contacts. My Great App is requesting access to your address book to invite friends to join the game. ALLOW DON’T ALLOW
Guidelines for applications that use mobile advertising or analytics Financial Times App i Target based only on legitimately collected personal information. The only personal information you may use to target advertising is the information you have legitimately collected as necessary for your application’s primary purpose. Please note that our rules require us to reject your application if it collects additional information solely for the purpose of targeting advertising.
Name: Richard Stacey Age: 52 Hobbies: Golf, Sailing, Food Religion: Agnostic Submit TAP HERE TO GET A CHEAP GOLF COURSE IN SPAIN Bad practice