Principles of Mobile Privacy
Policy aspects of mobile privacy
• General privacy policy is a comprehensive statement of
a company’s or organization’s policies and practices
related to an application, covering the accessing,
collecting, using, disclosing, sharing, and otherwise
handling of personally identifiable data.
• Privacy controls are settings available within an app or
an operating system that allow users to make or revise
the choices offered in the general privacy policy about the
collection of their personally identifiable data.
Policy aspects of mobile privacy
• Personally identifiable data are any data linked to a person or persistently
linked to a mobile device: data that can identify a person via personal
information or a device via a unique identifier. Included are user-entered
data, as well as automatically collected data.
• Sensitive information is personally identifiable data about which users are
likely to be concerned, such as precise geo-location; financial and medical
information; passwords; stored information such as contacts, photos, and
videos; and children’s information.
Types of Regulatory
frameworks of privacy
• Omnibus privacy law
  It is not sector specific: it applies to the mobile internet in the same way it
applies to other platforms and companies.
• Omnibus law and a sector-specific law
  Privacy requirements exist for all sectors, and additional
requirements exist for providers of communications services that
relate primarily to confidentiality.
• Separate sectoral laws
  Those covering telecommunications privacy and, for example,
health data, credit data, etc.
• Sectoral law AND a license obligation with confidentiality or
privacy obligations
Data anonymization and pseudonymisation
• There are increased regulatory efforts to promote data anonymization and
pseudonymisation.
• Data anonymization is the process of either encrypting or removing
personally identifiable information from data sets, so that the people whom
the data describe remain anonymous.
• Data pseudonymization is a data management and de-identification
procedure by which personally identifiable information fields within a data
record are replaced by one or more artificial identifiers, or pseudonyms.
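The two procedures on this slide differ in what survives: anonymization removes the identifying fields and cannot be undone, while pseudonymization keeps rows linkable through an artificial identifier that only the key holder can reproduce. The Python below is an added example written for this page, not code from the GSMA course or any of the references; the records, field names and quasi-identifier choice are constructed for illustration. It uses a keyed HMAC for the pseudonyms and ends with a check that shows why dropping direct identifiers alone does not make a data set anonymous.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records for this example; the names, e-mails and device
# identifiers are made up and belong to no real person or handset.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test",
     "device_id": "IMEI-000000000000001", "city": "Springfield", "age": 34, "spend": 12.50},
    {"name": "Bob Example", "email": "bob@example.test",
     "device_id": "IMEI-000000000000002", "city": "Springfield", "age": 41, "spend": 7.00},
    {"name": "Alice Example", "email": "alice@example.test",
     "device_id": "IMEI-000000000000001", "city": "Shelbyville", "age": 34, "spend": 3.25},
    {"name": "Carol Example", "email": "carol@example.test",
     "device_id": "IMEI-000000000000003", "city": "Springfield", "age": 41, "spend": 9.99},
]

# Fields that identify a person or device on their own.
DIRECT_IDENTIFIERS = ("name", "email", "device_id")


def anonymize(records, fields=DIRECT_IDENTIFIERS):
    """Drop the direct identifiers outright.

    Nothing is kept that could re-link a row to a person or device, so the
    step is irreversible: no key exists that would undo it."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def new_pseudonym_key():
    """A fresh 256-bit secret; it must be stored separately from the data set."""
    return secrets.token_bytes(32)


def pseudonymize(records, key, fields=DIRECT_IDENTIFIERS):
    """Replace each identifier with a keyed pseudonym (HMAC-SHA256).

    The same value under the same key always maps to the same pseudonym, so
    the rows of one person or device stay linkable for analytics. Without the
    key the pseudonym can be neither reversed nor recomputed; an unkeyed hash
    of an e-mail address would not give that property, because the address
    space is small enough to hash exhaustively. The field name is mixed into
    the MAC input so equal values in different fields get different pseudonyms."""
    out = []
    for r in records:
        row = dict(r)
        for f in fields:
            if f in row:
                tag = hmac.new(key, f"{f}:{row[f]}".encode("utf-8"), hashlib.sha256).hexdigest()
                row[f] = "pseudo:" + tag[:16]
        out.append(row)
    return out


def small_groups(records, quasi_identifiers, k):
    """Combinations of quasi-identifier values shared by fewer than k rows.

    Removing direct identifiers does not by itself make data anonymous:
    a rare combination such as (city, age) can still single a person out."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return {combo for combo, n in counts.items() if n < k}


if __name__ == "__main__":
    key = new_pseudonym_key()
    for row in pseudonymize(RECORDS, key):
        print(row)
    print("re-identifiable (city, age) combinations:",
          small_groups(anonymize(RECORDS), ("city", "age"), k=2))
```

Because the key is the only thing standing between a pseudonym and the person behind it, pseudonymized data still counts as personally identifiable data for whoever holds the key; the key therefore needs the same access controls as the raw identifiers, and the `small_groups` check is the kind of test to run before treating an "anonymized" extract as safe to share.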
High-level Privacy Principles
• This includes the following 9 principles:
1. Openness, Transparency and Notice
2. Purpose and Use
3. User Choice and Control
4. Data Minimization and Retention
5. Respect User Rights
6. Security
7. Education
8. Children and Adolescents
9. Accountability and Enforcement
Privacy by design
• Privacy by design is an approach to projects that
promotes privacy and data protection compliance
from the start.
• It is embedded into the design and architecture of IT
systems and business practices. It is not bolted on as
an add-on, after the fact. The result is that privacy
becomes an essential component of the core
functionality being delivered. Privacy is integral to the
system, without diminishing functionality.
• Privacy by Design extends to a “Trilogy” of
encompassing applications: 1) IT systems; 2)
accountable business practices; and 3) physical design
and networked infrastructure.
Mobile applications privacy by design
development modules and guidelines
• It has four modules:
1. Location
2. Mobile advertisement
3. Social networks and social media
4. Children and adolescents
1-Location Privacy in Mobile Systems
• Advances in sensing and tracking technologies create new opportunities
for location-based applications, but they also create significant privacy risks.
• The risk is that an adversary learns the locations that a subject visited, as
well as the times during which these visits took place, from which they can
infer private information such as political affiliations, alternative
lifestyles, or medical problems.
• Even when a subject does not disclose her identity at a private location, an
adversary may still gain this information through location tracking or
space and time correlation inference. If a subject is identified at
any point, her complete movements can also be exposed.
Cont. - Location Privacy in Mobile Systems
• Location-enabled applications must provide clear notice, before a
user’s location is accessed or collected, about:
  • what location data an application intends to access (e.g., cell ID,
GPS, village or town)
  • how the data will be used
  • whether data will be kept and for how long
  • with whom location data will be shared.
• Some uses of location data require giving users additional privacy
information and getting their active consent.
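The two location slides make two engineering points: an application should access only the coarsest location tier its feature needs (cell ID or town rather than GPS where that suffices), and any location data it does release must not expose a single subject's space-time trail. The Python below is an added example for this page, not code from the GSMA materials or the cited papers. The tier sizes, the approximate metre figures and the trace of six reports are all constructed assumptions. It coarsens precise coordinates to a chosen tier, buckets them into time windows, and releases only buckets that at least k distinct users share.

```python
from collections import defaultdict

# Constructed location reports: (user, minutes since start, latitude, longitude).
# Coordinates are made up for the example and belong to no real user.
TRACE = [
    ("u1", 0, 51.50135, -0.14189),
    ("u2", 0, 51.50201, -0.14050),
    ("u3", 0, 51.50350, -0.14300),
    ("u1", 60, 51.52330, -0.11550),   # u1 is alone in its cell an hour later
    ("u4", 0, 51.49330, -0.20500),
    ("u5", 0, 51.49380, -0.20450),
]

# Granularity tiers as grid steps in micro-degrees (assumed values; the
# metre figures use 1 degree of latitude ~= 111 km).
TIERS = {
    "gps": (100, 11),            # ~11 m grid
    "cell": (10_000, 1_100),     # ~1.1 km, roughly a cell sector
    "town": (100_000, 11_000),   # ~11 km
}


def least_precise_tier(required_accuracy_m):
    """Data minimization: pick the coarsest tier that still meets the feature's
    stated accuracy need, so precise GPS is requested only when required."""
    for name, (_, metres) in sorted(TIERS.items(), key=lambda kv: -kv[1][1]):
        if metres <= required_accuracy_m:
            return name
    raise ValueError("no tier is precise enough for that requirement")


def cell_id(lat, lon, tier, t_minutes, window_minutes=60):
    """Map a precise report to a (tier, lat cell, lon cell, time window) bucket.
    Integer micro-degrees and floor division keep the result exact, so a
    report near a grid line is not assigned differently on different runs."""
    step, _ = TIERS[tier]
    return (tier,
            round(lat * 1_000_000) // step,
            round(lon * 1_000_000) // step,
            t_minutes // window_minutes)


def k_anonymous_release(trace, tier, k, window_minutes=60):
    """Release only space-time buckets seen by at least k distinct users and
    suppress the rest: a bucket holding one user is a statement about where
    that user was and when, which is exactly the inference the slides warn about."""
    users_in = defaultdict(set)
    for user, t, lat, lon in trace:
        users_in[cell_id(lat, lon, tier, t, window_minutes)].add(user)
    released = {c: len(u) for c, u in users_in.items() if len(u) >= k}
    suppressed = sorted(c for c, u in users_in.items() if len(u) < k)
    return released, suppressed


if __name__ == "__main__":
    print("weather feature (20 km) ->", least_precise_tier(20_000))
    released, suppressed = k_anonymous_release(TRACE, "cell", k=2)
    print("released:", released)
    print("suppressed:", suppressed)
```

Run as-is, the same trace gives every report its own bucket at the "gps" tier (everything suppressed) and two shared buckets at "cell" or "town" (one report of u1 suppressed). The notice the slide asks for can then describe the tier actually requested, and the release rule gives the application something concrete to promise about sharing.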
2-Mobile advertising privacy
• It is assumed that technological design which is in line with the legal framework
will ensure that the benefits of mobile advertising, and consumers’ willingness to
accept mobile advertising, will increase.
• The general guidelines that govern mobile advertising privacy are:
  • Users should be informed that the application is ad-supported before they
download and/or activate the application.
  • User consent is essential. Capture appropriate agreement to target advertising to a
user.
  • Target based on legitimately collected data.
  • Respect privacy when using viral marketing.
  • Ensure content is appropriate.
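Two of these guidelines, "user consent is essential" and "target based on legitimately collected data", can be enforced in code rather than left to policy: every attribute carries the purpose it was collected for, consent is a dated record that can be withdrawn, and the ad path gets only what passes both checks. The Python below is an added example for this page, not code from the GSMA materials; the profile, attribute names and purposes are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class Attribute:
    name: str
    value: object
    collected_for: str          # purpose declared to the user when collected


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        """Consent covers a moment only between grant and withdrawal."""
        if at < self.granted_at:
            return False
        return self.withdrawn_at is None or at < self.withdrawn_at


@dataclass
class UserProfile:
    user_id: str
    attributes: List[Attribute]
    consents: List[Consent]


def targetable_attributes(profile, at, purpose="advertising"):
    """Attributes an ad engine may use for this user at time `at`.

    Two conditions must hold for each attribute: the user has an active
    consent for the purpose, and the attribute was collected for that purpose
    (data collected for, say, navigation is not repurposed for targeting).
    Returns the allowed attributes and, for auditing, why each other one was
    refused."""
    consented = any(c.purpose == purpose and c.active(at) for c in profile.consents)
    allowed, refused = [], {}
    for a in profile.attributes:
        if not consented:
            refused[a.name] = f"no active consent for '{purpose}'"
        elif a.collected_for != purpose:
            refused[a.name] = f"collected for '{a.collected_for}', not '{purpose}'"
        else:
            allowed.append(a)
    return allowed, refused


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed profile for the example: consent to advertising was given on
# 1 Jan 2024 and withdrawn on 1 Jun 2024.
PROFILE = UserProfile(
    user_id="user-0001",
    attributes=[
        Attribute("interest_category", "cycling", collected_for="advertising"),
        Attribute("age_band", "25-34", collected_for="advertising"),
        Attribute("precise_location", (51.5, -0.14), collected_for="navigation"),
    ],
    consents=[Consent("advertising", granted_at=utc(2024, 1, 1), withdrawn_at=utc(2024, 6, 1))],
)


def allowed_names(profile, at, purpose="advertising"):
    """Convenience wrapper: names of the attributes that may be used."""
    allowed, _ = targetable_attributes(profile, at, purpose)
    return [a.name for a in allowed]


if __name__ == "__main__":
    for when in (utc(2024, 3, 1), utc(2024, 7, 1)):
        allowed, refused = targetable_attributes(PROFILE, when)
        print(when.date(), "allowed:", [a.name for a in allowed], "refused:", refused)
```

The refusal reasons are worth keeping as an audit log: they show a reviewer that a withdrawn consent stopped targeting from the moment of withdrawal and that navigation data never reached the ad engine, which is the evidence "legitimately collected" needs.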
3-Social networking and social media
privacy
• Socially enabled applications allow users to connect to and share
information with a community of other users or the general public.
• As Facebook’s founder stated: “People have really gotten comfortable
not only sharing more information and different kinds, but more
openly and with more people. That social norm is just something that
has evolved over time.”
• Two main types of attacks exist in social networks:
  o attacks that exploit the implicit trust embedded in declared social
relationships
  o attacks that harvest users’ personal information for ill-intended use.
4-Children and adolescents privacy
• They might know how to use applications but lack the maturity to appreciate the
wider social and personal consequences of revealing their personal information or
allowing others to collect and use it.
• The general guidelines set by GSMA are:
1. Tailor applications to appropriate age ranges
2. Set privacy-protective default settings
3. Comply with laws on the protection of children
4. Age-verify where possible and appropriate
References
• http://scihub.tw/http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=1437123
• https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/privacy_on_the_go.pdf
• https://ipc.on.ca/wpcontent/uploads/Resources/7foundationalprinciples.pdf
• GSMA course materials, May 2016, https://www.gsmatraining.com/lessons/principles-of-mobile-privacy
• https://www.tandfonline.com/doi/abs/10.1080/13600860701701421
• https://www.sciencedirect.com/science/article/pii/S2468696417300332
• www.gsma.com/mobileprivacy
