W3i's Hayden Creque on why developers need to be open about how they are using personal data

Hayden Creque is W3i’s General Counsel and Chief Compliance Officer. Hayden oversees W3i's privacy program and he counsels W3i on corporate governance, intellectual property, internet law, and employment law issues.

Recently there have been concerns in the popular press over the acquisition and use of personal data by mobile apps. The companies behind apps like Pandora and Pumpkin Maker have even received subpoenas over their collection of user data, a worrisome precedent.

The cornerstone of the complaint is that smartphone apps are illegally obtaining and/or transmitting information about their users without proper disclosures.

Whether that’s true or not is a matter for the courts in individual cases; however, there are two further problems at play here.

First, the public is mostly unclear about what unique device identifiers (UDIDs) are and how they are used. Second, developers seem to have an apparent aversion to disclosing what they’ve been up to. Luckily both can be fixed.

Acronym bonanza; UDID and PII

Let’s get one thing out of the way, right away. The UDID (in terms of iOS) doesn’t tell us much by itself. It is simply a way to identify a unique device. It’s like a serial number.

When an app ties the UDID to geolocation data, you can approximate the location of the device but, at the bottom line, the UDID is not tied to a person. There is no way for an app to know that UDID # XXXXXX belongs to Hayden Creque and Hayden Creque is right now in Minnesota - unless we tell it that.

Are you still not convinced? When you upgrade to the iPhone 5 and you hand down your current phone to your mother, the number goes with the phone, not the SIM card.

So what’s the big deal? The problems arise when developers tie UDID to personally identifiable information (PII).

For example, if an app asks for your taxpayer ID, it can now track your UDID, tied to your taxpayer ID, which provides real name and tax records. If it has your name, it can associate that with data acquired from other sources, which you might not want it to, or erroneously continue to associate your profile with that device when you’ve passed it on.

Already you can see that there can be issues if developers are going further than just using the UDID. When they do, it is even more important for developers to specifically disclose what they are doing with any personal information that they are obtaining, how they are complying with privacy laws, and whether they’ve covered themselves legally with EULAs and the like.

Establishing best practice

Every emerging marketplace incurs a learning curve and it takes time for best practices to be established. The Mobile Marketing Association (disclosure: I serve on the MMA’s Privacy and Advocacy Committee) is discussing this very issue as it looks to set industry best practices around the use of UDID and PII. Until there are more generally-agreed industry guidelines, developers should be extremely cautious in their usage of this data.

Our position at W3i is to include prominent disclosures in our mobile apps.

A recent app of ours was the target of erroneous privacy claims, ironically stemming from our willingness to disclose the standard activities many app developers opt not to. While the extent of identification that can be drawn by the collection of UDIDs is minuscule in comparison to data collected online, it is our company policy to disclose and provide users clear choice, consent and control.

We believe that our fellow developers have a moral, legal and practical imperative to disclose how they’re using their information. The legal aspect is especially important; Apple’s developer agreement (section 3.3.9) spells out clearly the requirements for use of private or device data; it states that an app cannot collect user or device data without user consent.

We believe Apple’s policy is sound, and we’d applaud stronger enforcement of this clause. In the meantime, app developers can also take the high road by educating users on what’s happening with their personal data.

If we don’t start behaving responsibly and self-regulate, then either Apple will make us do it or governments will do it for us. It’s far better that we make a start ourselves.

W3i has more than ten years of marketing mobile and desktop apps and specialises in network marketing, using its bespoke InstallIQ installation manager.

For more information, visit W3i's website.

