IEyeNews


Mobile app privacy: The hidden risks

By Christopher G. Cwalina, Richard Raysman and Steven B. Roosa, Holland & Knight LLP with PLC Intellectual Property & Technology

From practicallaw.com

A Practice Note discussing privacy considerations in the context of mobile applications (apps), including liability risks associated with mobile app information collection and practices for addressing those risks.

This Note provides an overview of how mobile apps use technology to collect information about and track end users, identifying key differences between mobile apps and websites in terms of how they collect and store end-user information and end users’ ability to control that collection and storage. It also discusses the legal framework governing mobile app privacy, including FTC rulemaking, guidance and enforcement actions.

Privacy is among the key legal risks associated with mobile application (app) development and deployment. These risks arise, in particular, because:

Mobile apps collect user information in new ways that often are not understood or capable of being controlled by the average end user.

The smaller screen size of many mobile devices can make it harder for an app to communicate user information practices to end users.

Apps are increasingly under the scrutiny of regulators and advocacy groups, who use independent researchers to identify undisclosed user information collection and sharing.

To properly manage these risks, legal counsel must be involved throughout the process from the early stages of development and continuing after the app has been launched. This includes actively monitoring:

Cutting edge forms of marketing and advertising.

The background collection and sharing of end user information.

The content and mode of presenting consumer disclosures.

This Note focuses on the privacy issues associated with mobile apps. In contrast, a number of mobile browsers and related privacy controls have evolved to operate similarly to their PC-based counterparts. Specifically, this Note examines issues regarding:

Mobile app information collection and retention.

The legal exposure and risks associated with mobile app privacy concerns.

Children’s online privacy and apps.

Achieving compliance and reducing risk.

MOBILE APP INFORMATION COLLECTION

Understanding the technical ways mobile apps collect and share information is key to identifying and managing the regulatory and litigation risks associated with mobile app privacy.

Counseling in this area requires familiarity with the:

Types of information apps must collect and share (see Necessary Information Collection and Storage).

Ways mobile app technology collects and shares information (see Mobile App Tracking Technology).

Website Privacy Legacy

A major challenge for managing mobile app privacy risk is that ideas about online privacy and security gained prominence as the internet evolved as a mainstream communication platform, and common understandings about online privacy remain grounded in the website model. However, mobile apps differ from websites in certain critical ways:

How they collect, store and use user information.

The types of user information they can collect and use.

In particular, key privacy-related differences between websites and mobile apps include that:

Apps collect, store, use and share end user information in ways different from browser software and, therefore, can often surprise even web-savvy end users. This occurs at a technical level of the mobile device’s operations that is invisible to the average end user.

While end users have ways to avoid most browser-based tracking with a small amount of effort, mobile apps frequently use hardware device identifiers (hardware IDs) that cannot be deleted or reset. For more on browser-based information collection and storage, see Box, Website Information Collection.

Necessary Information Collection and Storage

Recognizing, and educating end users, that certain information collection and retention is necessary for an app, like a website, to provide a satisfactory user experience is critical to managing privacy risks. Many mobile app functions either require or are enhanced if the servers remember certain facts about an end user. This information may include, for example, the user’s:

Identity.

Usage history.

Past log-ins.

Navigation.

This remembering is critical for both app providers and third parties who provide services to them, for example, to:

Enable certain functionality, for example, shopping carts.

Customize content based on the user’s preferences.

Provide a secure environment.

Serve targeted advertising.

Analyze usage (analytics), which can be used to improve the app or its features.

However, it also presents a privacy trade-off. The more an app or service provider knows about a particular end user and his usage, the better it can tailor certain features for a better user experience. However, it also increases the risks that the information will be leaked or misused.

Decentralized Information Collection

Many mobile apps, like websites, use third parties to:

Serve ads.

Perform analytics.

Deliver content.

As with websites, when an end user downloads or uses an app, parties in addition to the app publisher are likely collecting information about that user.

However, because apps are not browser-based (see Box, Website Information Collection: Browser-based Privacy Framework), there are no browser cookies available to allow third parties to remember end users across mobile apps in the way that third parties remember website users across large portions of the web. Therefore, in contrast with the website model, mobile app information collection is decentralized and controlled by the app itself in an isolated environment. In instances where apps use browser functionality, the browser and the app functions generally operate separately at the technical level.

Mobile App Tracking Technology

To track end users, apps generally use one or more of the following:

Hardware IDs (see Hardware IDs).

Geolocation (see Geolocation).

Metadata and information associated with other stored files, including photos, audio files, video and contacts (see Stored Files and Metadata).

Information collected and stored in the app itself (see App-specific Storage).

As these practices have become more pervasive and provoked public backlash over data collection practices, some mobile software developers have begun to provide settings to enhance privacy. Therefore, some users, particularly those with new operating systems, may now have the means to control whether some apps may access location information or certain files on the device. However:

Disallowing certain data collection may impair an app’s usefulness (see Necessary Information Collection and Storage).

Even with these privacy enhancements, most mobile app data collection remains beyond the end user’s control.

Hardware IDs

Mobile app developers rely on hardware IDs to track end users and, in many cases, enable their apps’ functionality. Hardware IDs also enable content and advertising providers to track end users across many mobile apps. Hardware IDs are unique permanent identification numbers or character strings associated with a device. Types of hardware IDs include:

Cellphone radio (Mobile Equipment Identifier (MEID), International Mobile Station Equipment Identity (IMEI)).

WiFi radio (Media Access Control (MAC)) address.

Bluetooth radio identifier.

Platform-specific identifiers, for example, Apple’s Unique Device Identifier (UDID).

The key difference between hardware IDs and identifiers associated with website browser cookies is that hardware IDs are permanently associated with the device. By deleting cookies and local shared objects, an end user can typically prevent a certain amount of tracking and retain some degree of anonymity from third parties. Each time the third party’s servers connect with the end user, the third party must set new, different, unique identifiers.

However, in the mobile app context, even if a user deletes the app, clears all web content, wipes all storage and restores factory defaults, the hardware ID remains unchanged. Third parties that have tracked the end user’s network traffic and stored that information can still associate it with the end user’s device. Therefore, a hardware ID can identify the mobile device for the life of the device. This has prompted objections from privacy advocates regarding the use of hardware IDs for tracking purposes.

Apple has taken some steps to address concerns that privacy advocates and others have raised about hardware IDs, including that it:

Has created a software-generated identifier known as the Identifier for Advertising (IFA).

Is expected to include in future versions of its mobile operating system a sliding toggle that will allow users to easily clear and reset the IFA.

Together, these would have a similar effect to deleting cookies in a browser.

However, UDIDs still exist on iOS devices, and many third parties continue to collect and use them to track users. The collection of end user MAC addresses also remains pervasive, as observed on both the iOS and Android platforms. Therefore, it is unclear whether:

The IFA and similar measures will be widely embraced in the mobile app community.

Even if they are embraced, developers and others will still collect hardware IDs alongside the IFA.

Other mobile device and platform providers, notably Android, will take action to address hardware ID concerns.

Geolocation

Mobile apps also collect information about devices and end users through geolocation. Apps can collect location information using:

Global positioning systems (GPS).

Cell-tower proximity.

WiFi hotspot locations.

Internet protocol (IP) addresses.

Third-party code embedded in mobile apps may also collect geolocation information. App providers typically collect this information for:

Analytics.

Serving location-based targeted advertising.

Geo-fencing, which is location awareness that prompts certain activity when a device enters or leaves a specified physical location. It also may be used for analytics related to physical places.

Stored Files and Metadata

Certain mobile apps also access various types of files stored on a mobile device, for example:

Photographs.

Audio and video clips.

Personal contacts or other address book information.

This functionality may be included, for example, to enable users to:

Share these items with others.

Upload them to social networks or other websites.

Connect with contacts, including for purposes of participating in games or interacting with them.

Some of these files may also contain metadata that can be used to identify, for example:

When the file was created.

Where the file was created.

App-specific Storage

For mobile apps as well as websites, user data can be stored remotely on servers on the web. A key distinction between mobile apps and websites, however, is that:

In the website context, most user data that is stored locally is stored centrally in browser files.

In the mobile-app context, information is stored locally by each app. Therefore, it is not centrally located, but is splintered and app-specific.

As observed using the forensic tools provided by Santoku Linux, app-specific, local storage may include special storage areas for third parties that the particular app uses for analytics or tracking ad-serving data. For example, ad-serving information stored locally may include:

The device’s UDID (see Hardware IDs).

The number of ad impressions served.

Timestamps for when ads were served.

An identifier for ads served.

Other unique identifiers and data.

Additionally, mobile apps generally do not provide tools for the average end user to:

Examine local storage.

Manage its contents.

The only control a user may have over mobile app privacy may be to delete apps or do a hard reset of app data. Some apps use app-specific cookies that, unlike browser cookies, cannot be accessed or deleted by the lay end user. The average end user typically does not even know that local, app-specific storage exists on mobile devices.
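A defender-side audit of the app-specific storage described above, as an added example (not from the original Note or from Santoku Linux): it scans files pulled from an app's data directory for strings shaped like the hardware IDs the Note lists. The identifier patterns, function names and the sample record are assumptions constructed for illustration; the 40-hex-character UDID shape is the legacy iOS format.

```python
import re
from pathlib import Path

# Identifier shapes (assumed for this example): legacy 40-hex UDID, MAC address, 15-digit IMEI.
PATTERNS = {
    "udid": re.compile(rb"(?<![0-9A-Fa-f])[0-9A-Fa-f]{40}(?![0-9A-Fa-f])"),
    "mac": re.compile(rb"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])"),
    "imei": re.compile(rb"(?<!\d)\d{15}(?!\d)"),
}

def luhn_ok(digits: bytes) -> bool:
    """IMEIs end in a Luhn check digit; this rejects most unrelated 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_blob(data: bytes):
    """Return sorted (kind, value) pairs for identifier-shaped strings in one file's bytes."""
    hits = set()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(data):
            if kind == "imei" and not luhn_ok(m.group()):
                continue
            hits.add((kind, m.group().decode().lower()))
    return sorted(hits)

def scan_tree(root):
    """Walk an extracted app data directory; map relative file path -> hits."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            hits = scan_blob(p.read_bytes())
            if hits:
                report[str(p.relative_to(root))] = hits
    return report

# Constructed sample of an ad SDK's local cache record (not real data).
SAMPLE = (b'{"udid":"00112233445566778899AABBCCDDEEFF00112233",'
          b'"impressions":17,"last_served":1357000000,"wifi":"02:00:5E:10:00:01",'
          b'"dev":"490154203237518","order":"123456789012345"}')

if __name__ == "__main__":
    for kind, value in scan_blob(SAMPLE):
        print(kind, value)
```

The scan reads raw bytes, so it also catches identifiers stored as plain strings inside binary plists and SQLite files; values that are hashed or encoded before storage will not match.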

To read more of this article, download it at: http://www.hklaw.com/files/Uploads/Documents/Blogs/BlogPrivacy/Mobile_App_Privacy_The_Hidden_Risks_8-523-6918.pdf

For the links to the documents referenced in this note, please visit our online version at http://us.practicallaw.com/8-523-6918
