You told us that you wanted simple controls over privacy on devices, security to prevent data breaches, and notice and information about data collection on the device.

And we listened.

After an open and honest dialogue, Congressman Johnson today introduced the bipartisan Application Privacy, Protection and Security (APPS) Act of 2013 (H.R. 1913), a bill to increase consumer privacy on mobile devices:

The APPS Act would require that app developers give effective notice about data collection and obtain consent from consumers before collecting personal data. Trust in the mobile marketplace is crucial to its continued growth. Transparency is the cornerstone of this trust.

The APPS act would also require that developers securely maintain personal data. And it would give consumers a clear way to permanently delete their personal data once they stop using an app.

John Simpson, Privacy Project Director at Consumer Watchdog, calls the APPS Act “a significant and important step forward in protecting consumers' privacy.” Susan Grant, Director of Consumer Protection at Consumer Federation of America, agrees: “This bill is a common-sense approach to an urgent problem – millions of consumers are using mobile applications for a host of activities, some very personal, and yet they lack basic rights with respect to the data that may be collected about them.”

Interested in learning more about the APPS Act? Click here to view H.R. 1913 and a summary of the need for the APPS Act.

To join the online mobile privacy discussion, weigh in via our secure form on www.AppRights.US or interact via Twitter (@AppRightsUS) and Facebook.

#PrivChat is a weekly discussion on emerging privacy issues, moderated by Amie Stepanovich, a privacy attorney at the Electronic Privacy Information Center (EPIC), and Shaun Dakin, a data privacy advocate and founder of Dakin & Associates.  The discussion included a diverse list of participants, from lawyers and advocates to security experts and other people who are interested in privacy and innovation.  

Before the discussion, we proposed several questions to the group based on provisions in the APPS Act.  These included:  

Q1: The APPS Act only applies to developers who collect personal and de-identified data. Is this a balanced approach to mobile privacy, or should the bill apply more broadly to third-party data collection? (background available at CDT: Shielding the Messengers: Protecting Platforms for Expression and Innovation (pdf))

Q2: Is de-identified data a useful definition, or is all data personal? (background available at Ars Technica: "Anonymized" data really isn't—and here's why not)

Q3: The APPS Act also creates a safe harbor for developers that comply with the NTIA's industry code (forthcoming). Does this approach provide too much leeway? (background available at EPIC: NTIA Privacy Multistakeholder Process)

Q4: The bill would require developers to provide a data-retention policy and create a mechanism for users to signal their intent to opt-out. Is it possible to delete third-party data, or should this provision continue to look to first-party data collection? (background available at Media Post: Did iOS 6 Save Mobile Advertising)

The responses to these questions were lively, particularly over whether distinguishing between classes of data or technology is a useful practice.  Garrett Cobarr, a user experience designer, researcher, and strategist, commented that: 

#PrivChat A2: Technology is neither good or bad, it is simply used by good or bad people to do good or bad things. #Privacy

— Garrett Cobarr (@GarrettCobarr) January 22, 2013

@garrettcobarr A2 We agree. Promoting responsible and secure collection is at the heart of the bill. #privchat

— AppRights (@AppRightsUS) January 22, 2013

Dr. Daniel Barth Jones, an infectious disease epidemiologist, recently published a paper on the re-identification of health data. He commented that although de-identified data was a useful category, the language for the bill could be stronger:

“@paulbernaluk: #Privchat A2: Apps Act 'de-identified' definition "cannot be identified" is unworkable - there is always some small risk...

— Daniel Barth-Jones (@dbarthjones) January 22, 2013

Congressman Johnson also dropped in on Tuesday's discussion to say hello:

Hey everyone, I gotta run to the Judiciary Committee, but I look forward to following #privchat on the APPS Act. twitter.com/RepHankJohnson…

— Rep. Hank Johnson (@RepHankJohnson) January 22, 2013

You can follow the rest of the conversation by clicking here (the beginning of the conversation is on the bottom of the page).

This is the second time that the AppRights team opened the legislation process to the privacy and tech community through #PrivChat.  In August, we asked several questions about mobile privacy.  These included questions regarding specific types of data collection, the importance of main principles, and whether legislation should distinguish between children and adults on mobile devices.  There, Congressman Johnson took a moment to reach out during his campaign for re-election and introduce himself to the discussion.

We'd like to thank Amie and Shaun for hosting AppRights on #PrivChat and promoting such a thoughtful discussion on mobile privacy.  We're also glad Congressman Johnson was able to join the discussion, and follow it throughout.   He launched AppRights to make the legislative process as transparent and open as possible, and we look forward to hearing more ideas about how we can tinker with the APPS Act to make it as strong of a bill as possible before introduction.

For more information on the APPS Act, here is a section-by-section and summary of its major provisions. Keep letting us know what you think through our secure form on AppRights.us, or interacting with us on Facebook or Twitter. 
 

The Application Privacy, Protection, and Security Act of 2013 or the APPS Act.

SEC. 2 TRANSPARENCY, USER CONTROL, AND SECURITY

The APPS Act would require that app developers maintain privacy policies, obtain consent from consumers before collecting data, and securely maintain the data that they collect.

Subsection (a) Consent

Before collecting personal data from a consumer, a developer must notify the consumer of its terms for collecting, using, sharing, storing personal data, and obtain the consumer’s consent. The Federal Trade Commission would also promulgate regulations to specify the format, manner, and timing of this notice.

These terms must also disclose certain types of data-collection practices. These include the categories of personal data and purposes of its use, as well as the categories of third parties that use the personal data after it is initially collected by the developer.

Additional, developers would maintain a data-retention policy that notifies the user how long data is stored, and how to delete or opt out of data collection.

Subsection (b) Withdrawal of Consent

For consumers that no longer want to use the app, the developer would provide a mechanism for consumers to signal this intent, and to empower consumers to decide the fate of the data that has already been collected. At the consumer’s election, the developer would either delete any personal data collected to the extent practicable, or cease collecting data altogether. The developer would comply with the consumer’s request within a reasonable period of time.

Subsection (c) Security of personal data and de-identified data

The APPS Act would require that developers prevent unauthorized access to a user’s data through reasonable and appropriate security measures. This provision would address sub-standard data storage practices by promoting responsible data storage.

Subsection (d) Exception

The APPS Act does not displace requirements for developers to disclose or preserve data under federal or state law.

SEC. 3. APPLICATION AND ENFORCEMENT

The APPS Act would be enforced through either the Federal Trade Commission under section 18(a)(1)(B) of the Federal Trade Commission Act prohibiting unfair or deceptive acts or practices, or by a state’s attorney general through a federal civil action. A state could not file a civil action if a federal action is already pending.

SEC. 4. REGULATIONS

The FTC would promulgate regulations required by the Act within one year of its enactment.

SEC. 5. SAFE HARBOR

The APPS Act contains a safe harbor for companies that comply with the enforceable code of conduct agreed upon through the NTIA’s multi-stakeholder process. This approach give developers flexibility in how they display their privacy policies and interact with consumers, and avoids a heavy-handed legislative approach.

SEC. 6. RELATIONSHIP TO STATE LAW

The APPS Act supersedes state law only to the extent that it provides a higher level of transparency, user control, or security of personal and de-identified data than the state.

SEC. 7. DEFINITIONS

Key definitions include “de-identified data,” “personal data,” “mobile application,” and “mobile device.”
The term “de-identified data” means data that cannot identify individuals.

The FTC will promulgate a rule to define the term “personal data,” but it will not include de-identified data.

A “mobile application” is a software program that the user directly interacts with that runs on a mobile device’s operating system

A “mobile device” is a smartphone, tablet computer, or similar portable computing device that transmits data over a wireless connection.

SEC. 8. EFFECTIVE DATE

The APPS Act is effective 30 days after the FTC promulgates regulations under section 4.

It's great hearing from so many of you. Please continue to make your voice heard through our secure form on AppRights.us, or interacting with us on Facebook or Twitter.

Notice and Consent

Under the APPS Act, the app’s privacy policy would have to disclose certain types of data-collection practices. These include the categories of personal data and purposes of its use, as well as the categories of third parties that use the personal data after it is initially collected by the developer. A developer would also maintain a data retention policy that notifies the user how long data is stored, and how to delete or opt out of data collection.

Promoting Responsible Self-Regulatory Practices

Importantly, the bill also has several provisions that encourage responsible data-collection practices by app developers while avoiding federal regulation. The bill does not apply to de-identified data, which is any data not associated with a person. Distinguishing between personal and de-identified data serves several important purposes. First, it promotes data minimization and other strong security practices that avoid or mitigate data breaches. Second, it avoids the unintended consequence of decreasing consumers’ privacy on mobile devices by requiring developer’s to maintain “backdoors” for re-identifying data. This avoids the difficulty of re-identifying data that is already hashed or otherwise de-identified. Moreover, if this bill did not exclude de-identified data, developers would theoretically have to figure out how to connect de-identified data with individual users so that the developer could delete a user’s data with the confidence that it’s is actually the user’s data.

The APPS Act also contains a safe harbor for companies that comply with the enforceable code of conduct agreed upon through the NTIA’s multi-stakeholder process. This approach give developers flexibility in how they display their privacy policies and interact with consumers, and avoids a heavy-handed legislative approach.

Opting Out of Data Collection and Deleting Data

For consumers that no longer want to use the app, the APPS Act would also require that developers provide a mechanism for consumers to signal this intent, and to empower consumers to decide the fate of the data that has already been collected. At the consumer’s election, the developer would either delete any personal data collected to the extent practicable, or cease collecting data altogether.

Security

The APPS Act would require that developers prevent unauthorized access to a user’s data through reasonable and appropriate security measures. This provision would address negligent data storage practices by promoting responsible data storage.

Enforcement

The APPS Act would be enforced through either the Federal Trade Commission under section 18(a)(1)(B) of the Federal Trade Commission Act prohibiting unfair or deceptive acts or practices, or by a state’s attorney general through a federal civil action. A state could not file a civil action if a federal action is already pending.

One of the first bills of its kind, the APPS Act is a careful response to the many perspectives that have reached out to Congressman Johnson through AppRights.  This bill addresses the public's growing concern with data collection on mobile devices.  It would require that app developers provide transparency through consented terms and conditions, reasonable data security of collected data, and users with control to cease data collection by opting out of the service or deleting the user's personal data to the greatest extent possible.  

Over the coming days, we will release helpful clarifications of the updated provisions of the APPS Act so that everyone is on the same page.  As always, you should continue to make your voice heard through our secure form on AppRights.us, or interacting with us on Facebook or Twitter. 

[DISCUSSION DRAFT]

H. R. __

To provide for greater transparency in and user control over the treatment of data collected by mobile applications and to enhance the security of such data.

IN THE HOUSE OF REPRESENTATIVES

Mr. Johnson of Georgia introduced the following bill; which was referred to the Committee on ______________

A BILL

To provide for greater transparency in and user control over the treatment of data collected by mobile applications and to enhance the security of such data.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Application Privacy, Protection, and Security Act of 2013” or the “APPS Act of 2013”.

SEC. 2. Transparency, user control, and security.

(a) Consent to terms and conditions.—

(1) IN GENERAL.—Before a mobile application collects personal data about a user of the application, the developer of the application shall—

(A) provide the user with notice of the terms and conditions governing the collection, use, storage, and sharing of the personal data; and

(B) obtain the consent of the user to such terms and conditions.

(2) REQUIRED CONTENT.—The notice required by paragraph (1)(A) shall include the following:

(A) The categories of personal data that will be collected.

(B) The categories of purposes for which the personal data will be used.

(C) The categories of third parties with which the personal data will be shared.

(D) A data retention policy that governs the length for which the personal data will be stored and the terms and conditions applicable to storage, including a description of the rights of the user under subsection (b) and the process by which the user may exercise such rights.

(3) ADDITIONAL SPECIFICATIONS AND FLEXIBILITY.—The Commission shall by regulation specify the format, manner, and timing of the notice required by paragraph (1)(A). In promulgating the regulations, the Commission shall consider how to ensure the most effective and efficient communication to the user regarding the treatment of personal data.

(4) DIRECT ACCESS TO DATA BY THIRD PARTIES.—For purposes of this Act, if the developer of a mobile application allows a third party to access personal data collected by the application, such personal data shall be considered to be shared with the third party, whether or not such personal data are first transmitted to the developer.

(b) Withdrawal of consent.—The developer of a mobile application shall—

(1) provide a user of the application with a means of—

(A) notifying the developer that the user intends to stop using the application; and

(B) requesting the developer—

(i) to refrain from any further collection of personal data through the application; and

(ii) at the option of the user, either—

(I) to the extent practicable, to delete any personal data collected by the application that is stored by the developer; or

(II) to refrain from any further use or sharing of such data; and

(2) within a reasonable and appropriate time after receiving a request under paragraph (1)(B), comply with such request.

(c) Security of personal data and de-identified data.—The developer of a mobile application shall take reasonable and appropriate measures to prevent unauthorized access to personal data and de-identified data collected by the application.

(d) Exception.—Nothing in this Act prohibits the developer of a mobile application from disclosing or preserving personal data or de-identified data as required by—

(1) other Federal law (including a court order); or

(2) except as provided in section 6, the law of a State or a political subdivision of a State (including a court order).

SEC. 3. Application and enforcement.

(a) General application.—The requirements of this Act and the regulations promulgated under this Act apply, according to their terms, to those persons, partnerships, and corporations over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)).

(b) Enforcement by Federal Trade Commission.—

(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

(2) POWERS OF COMMISSION.—The Commission shall enforce this Act and the regulations promulgated under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates this Act or a regulation promulgated under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.

(c) Actions by States.—

(1) IN GENERAL.—In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of such State has been or is threatened or adversely affected by an act or practice in violation of this Act or a regulation promulgated under this Act, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to—

(A) enjoin such act or practice;

(B) enforce compliance with this Act or such regulation;

(C) obtain damages, restitution, or other compensation on behalf of residents of the State; or

(D) obtain such other legal and equitable relief as the court may consider to be appropriate.

(2) NOTICE.—Before filing an action under this subsection, the attorney general, official, or agency of the State involved shall provide to the Commission a written notice of such action and a copy of the complaint for such action. If the attorney general, official, or agency determines that it is not feasible to provide the notice described in this paragraph before the filing of the action, the attorney general, official, or agency shall provide written notice of the action and a copy of the complaint to the Commission immediately upon the filing of the action.

(3) AUTHORITY OF COMMISSION.—

(A) IN GENERAL.—On receiving notice under paragraph (2) of an action under this subsection, the Commission shall have the right—

(i) to intervene in the action;

(ii) upon so intervening, to be heard on all matters arising therein; and

(iii) to file petitions for appeal.

(B) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING.—If the Commission or the Attorney General of the United States has instituted a civil action for violation of this Act or a regulation promulgated under this Act (referred to in this subparagraph as the “Federal action”), no State attorney general, official, or agency may bring an action under this subsection during the pendency of the Federal action against any defendant named in the complaint in the Federal action for any violation of this Act or such regulation alleged in such complaint.

(4) RULE OF CONSTRUCTION.—For purposes of bringing a civil action under this subsection, nothing in this Act shall be construed to prevent an attorney general, official, or agency of a State from exercising the powers conferred on the attorney general, official, or agency by the laws of such State to conduct investigations, administer oaths and affirmations, or compel the attendance of witnesses or the production of documentary and other evidence.

SEC. 4. Regulations.

Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations in accordance with section 553 of title 5, United States Code, to implement and enforce this Act.

SEC. 5. Safe harbor.

The developer of a mobile application may satisfy the requirements of this Act and the regulations promulgated under this Act by adopting and following a code of conduct for consumer data privacy (insofar as such code relates to data collected by a mobile application) developed in a multistakeholder process convened by the National Telecommunications and Information Administration, as described in the document issued by the President on February 23, 2012, entitled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”.

SEC. 6. Relationship to State law.

This Act and the regulations promulgated under this Act supercede a provision of law of a State or a political subdivision of a State only to the extent that such provision—

(1) conflicts with this Act or such regulations, as determined without regard to section 2(d)(2);

(2) specifically relates to the treatment of personal data or de-identified data; and

(3) provides a level of transparency, user control, or security in the treatment of personal data or de-identified data that is less than the level provided by this Act and such regulations.

SEC. 7. Definitions.

In this Act:

(1) COMMISSION.—The term “Commission” means the Federal Trade Commission.

(2) DE-IDENTIFIED DATA.—The term “de-identified data” means data from which particular individuals cannot be identified.

(3) DEVELOPER.—The term “developer” shall have the meaning given such term by the Commission by regulation.

(4) MOBILE APPLICATION.—The term “mobile application” means a software program—

(A) that runs on the operating system of a mobile device; and

(B) with which the user of the device directly interacts.

(5) MOBILE DEVICE.—The term “mobile device” means a smartphone, tablet computer, or similar portable computing device that transmits data over a wireless connection.

(6) PERSONAL DATA.—The term “personal data” shall have the meaning given such term by the Commission by regulation, except that such term shall not include de-identified data.

(7) STATE.—The term “State” means each of the several States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian tribe.

SEC. 8. Effective date.

This Act shall apply with respect to any collection, use, storage, or sharing of personal data or de-identified data that occurs after the date that is 30 days after the promulgation of final regulations under section 4.

The majority of the feedback that we received on AppRights expressed strong support for user control. Many of you also told Congressman Johnson that simple controls are important to protecting your privacy on mobile devices. After listening to these concerns, we have written a user-control provision to address these concerns without threatening the functionality or integrity of the mobile apps that you love.

This provision requires developers to allow users to delete a mobile application at any time, along with users’ other personal data stored by the application. Developers must cease to collect or use data within a reasonable period of time after the user has deleted the application.

Bill Text: Withdrawal of consent.—The developer of a mobile application shall provide a user of the application with the ability at any time, by deleting the application from the mobile device, to— (1) delete any personal data stored on the device by the application; and (2) prohibit the developer, within a reasonable and appropriate time thereafter, from engaging in any further use or sharing of personal data collected by the application.

Definitions:

• The term “anonymous data” means data from which particular individuals cannot be identified.
• The term “developer” has the meaning given by the Federal Trade Commission by regulation.
• The term “mobile application” means a software program (A) that runs on the operating system of a mobile device; and (B) with which the user of the device directly interacts.
• The term “mobile device” means a smartphone, tablet computer, or similar portable computing device that transmits data over a wireless connection.
• The term “personal data” has the meaning given by the Federal Trade Commission by regulation, but does not include anonymous data.

The app economy has undoubtedly enriched lives, created jobs, and contributed much to education and culture. But if data is an asset like any other, developers should be responsible and accountable when collecting data.

We look forward to your input on this provision, and hope you will continue to express your views and concerns regarding mobile privacy. By sharing your thoughts with us through our secure form at AppRights.us, or interacting with us on Facebook or Twitter, we will work together to find the right solutions to each issue.
 

This feedback provided much insight, coalescing around widely-accepted principles that are backed by ample public support.  The FTC reported similar public concerns in 1998, while studies by the Pew Internet & American Life demonstrate that individuals demand accountability, security, control, and transparency. 

After hearing back from many of you, the Congressman has worked hard to galvanize these principles into thoughtful proposals for mobile privacy legislation.  These proposals address your primary concerns by creating a legislative framework for control, security, and transparency on mobile devices. 

We have also engaged the internet community on Facebook, Twitter, and Reddit. In a live chat on Twitter, we asked several questions about how Congress can protect users’ mobile privacy. Congressman Johnson even dropped by from the campaign trail to participate in the conversation.

Inspired by the efforts of Twitter and Google, we are also launching a Legislative Transparency Report to show the feedback we have received for AppRights. This report includes information on the principles that users are most concerned with, and whether people support legislative options to mobile privacy concerns.

The Legislative Transparency Report shows that people who are engaging AppRights are predominantly concerned with control over their privacy. Similarly, many people are also concerned about the security of their data on mobile devices. Most people support legislation in this area, while a minority of feedback has expressed strong opposition to regulating mobile devices.

We hope that these steps continue to shed light on how the internet community, industry stakeholders, and public-interest groups have interacted with Congressman Johnson on mobile privacy.

We continue to believe in the importance of working with the Internet and these groups before proposing solutions to users’ growing privacy concerns. Stay in touch with us via the secure form at AppRights.us, or interact with us on Facebook or Twitter.

(Special thanks to Ariel Shapiro, intern for Rep. Hank Johnson, for her help gathering data for the Legislative Transparency Report)

We recently heard from Jennifer Mercurio, the Vice President and General Counsel of the Entertainment Consumers Association (ECA), a non-profit organziation dedicated to representing consumers in the digital rights arena.  The ECA works on behalf of gamers, film, and music consumers and is dedicated to giving "gamers a collective voice with which to communicate their concerns, address their issues and focus their advocacy efforts."  The ECA has over one-million members that include families, carriers, and mobile devices makers who are concerned about issues like privacy, cybersecurity, and streaming.  

In her letter to the Congressman, Mercurio applauds AppRights for recognizing the "faults in previous legislative attempts and are working to correct them."  In contrast, she pointed out that Congress is "generally deaf to the concerns of consumers," as shown by legislation like SOPA and CISPA failing in the face of overwhelming disapproval. 

Congressman Johnson agrees: “We've all seen what happens when Congress tries to shove legislation down the public's throat without asking the internet what it thinks first,” which is why he opposed SOPA and compared CISPA to "1984".

We had a chance to catch up with Mercurio to learn more about the perspective of gamers and media-content consumers on mobile privacy.  She explained that this is a large community that is passionate about privacy and cybersecurity. 

Mercurio emphasized that control is an important principle to this community, adding that this is particularly true for parents worried about their children’s privacy.  “Each consumer should be able to control their own privacy,” Mercurio concluded.  

Here’s a copy of her letter on behalf of the ECA.  Let us know if you agree with her take on internet policy via our secure form at AppRights.us, via Twitter (@AppRightsUS), or on Facebook.       

Hanley, FOSI’s legal and policy manager, applauded Congressman Johnson for initiating AppRights, which she called a “fascinating project” that engages stakeholders and constituents.

Hanley also brought our office up to speed on FOSI’s work in children’s online safety. Last year, FOSI commissioned a study that explored parents’ views about online safety.

Although this study found that most parents feel secure about children’s safety online, it also demonstrated that parents become increasingly concerned when children engage other platforms like smartphones and handheld devices to access content online. Another study that Hanley provided points out that 93% of parents have discussed mobile safety with their children.

Morris, FOSI’s international policy counsel, also provided an overview of the European Union’s recent efforts in mobile privacy. She highlighted the complicated nature of creating uniform transatlantic laws because of the different countries’ norms and morals on privacy. She also discussed several emerging regulatory efforts abroad.

In a brief on Safety and Privacy in a Digital Europe she concluded that if European “companies share the principles of privacy and safety for all, the call for regulation will diminish.” Morris noted that policymakers should consider these efforts before enacting privacy legislation in the United States.

Congressman Johnson will address children’s safety online at the Congressional Award Foundation’s Youth and Technology Dinner in September, where he will co-chair the dinner and discuss the new technology challenges that face today’s youth.

Let us know what you think about these issues via the secure form at AppRights.us, via Twitter (@AppRightsUS), or on Facebook.

Hey y’all. It’s election day down here but I wanted to take a sec to drop in on #PrivChat. @apprightsus twitter.com/RepHankJohnson…

— Rep. Hank Johnson (@RepHankJohnson) July 31, 2012

Our first question: whether geolocation is the most important privacy issue for mobile users.

A study by the Pew Research Center found 77% of adults used a mobile device in 2008.  As more users flock to smartphones with GPS technology, there is a growing concern that mobile devices are becoming de facto tracking devices.  As Peter Maass and Megha Rajagopalan wrote recently in the New York Times:

“Thanks to the explosion of GPS technology and smartphone apps, these devices are also taking note of what we buy, where and when we buy it, how much money we have in the bank, whom we text and e-mail, what Web sites we visit, how and where we travel, what time we go to sleep and wake up — and more.”

A number of the experts and advocates responded to our question.  Wayne Chambliss of Geoloqi wrote:

@epicprivacy A1: Inasmuch as geolocation contextualizes (and even de-anonymizes) other mobile consumer data sets, I think so. #privchat

— Wayne Chambliss (@rwchambliss) July 31, 2012

Jim Adler, the chief privacy officer at Intelius, asked a philosophical question with serious privacy (and policy) implications:
 

@epicprivacy A1: Is WHERE you are WHO you are? #privchat

— Jim Adler (@jim_adler) July 31, 2012

 
But others disagreed, or pointed to other issues.  Patrick Gage Kelley, an assistant professor of computer science at the University of New Mexico, thought that users’ location is less important:
 

A1: Geolocation is NOT most important. Easy to trumpet as a protection, users will share location anyway. It's a false privacy. #privchat

— Patrick Gage Kelley (@patrickgage) July 31, 2012

Next, we asked whether transparency is the most important principle for mobile privacy or if other principles, like individual control, are more important.  The team at Hibe, a social media platform, weighed in:
 

A2: Disclosure, Transparency are really key. These allow users to act according, remove apps, change behaviour, etc. #privchat

— Hibe (@Hibecom) July 31, 2012

Geoloqi's Wayne Chambliss argued that user control is as or more important than transparency -- steering the car is just as important as seeing through the windshield:
 

@epicprivacy A2: Without user control, transparency is worthless except forensic scenarios. It's an entangled hierarchy. #privchat

— Wayne Chambliss (@rwchambliss) July 31, 2012

 
We still have serious questions about whether transparency alone is enough.  In fact, we have serious questions about whether transparency and user control are even enough together. 

Does the federal government need to step in and set some minimum standards for the handling of consumers' data?  Can we simply rely on consumers to make responsible decisions once information is available to them?  We asked the question:

@hibecom A2 This gets to heart of legislative dilemma. Informing vs. protecting consumers. #privchat

— AppRights (@AppRightsUS) July 31, 2012

We think this is one of the critical unanswered questions.  We raised it in our initial reaction to EFF's Mobile User Privacy Bill of rights, as well.  We want to hear from you!

Moving to children’s online safety, our third question was whether the Do Not Track Kids Act is constructive legislation to protect children’s mobile privacy.  We also asked whether legislation should distinguish between children and adults in the first place.

Jim Adler thought that children differ from adults and deserve stronger privacy protections:

@apprightsus A3: Kids have a higher privacy barrier even when in public, because they're more vulnerable. #privchat

— Jim Adler (@jim_adler) July 31, 2012

 
But Jasmine McNealy, an Assistant Professor at Syracuse University's Newhouse School of Public Communications, expressed concern that separating children and adults raises First Amendment speech issues like vagueness and overbreadth.  Referring to the Do Not Track Kids Act, she wrote:

@apprightsus A3: Which ever provisions are saved must have concrete defs & be targeted only on activities/speech that affect kids #privchat

— Jasmine McNealy (@JasmineMcNealy) July 31, 2012

We enjoyed and benefited from the #PrivChat discussion and we're glad Congressman Johnson was able to join us.  He launched AppRights to make the legislative process as transparent and open as possible, and we look forward to hearing more ideas about how we can empower and protect mobile-device users.

Get in touch via the secure form at AppRights.us, Twitter (@AppRightsUS), or Facebook.

Last week, Adi Kamdar at the Electronic Frontier Foundation wrote about Congressman Johnson's AppRights project for EFF's "Deeplinks" blog.

Introducing Congressman Johnson as "a friend of the Internet," Kamdar described AppRights as a "heartening" effort "to stand up for privacy rights."  Kamdar also wrote that EFF hopes Congressman Johnson and the AppRights team will take a close look at EFF's Mobile Privacy Bill of Rights:

Mobile privacy and consumer rights are important issues to EFF, and we hope that Rep. Johnson keeps our previous work on the topic in mind—most notably our Mobile User Privacy Bill of Rights. This document contains key points for developers to keep in mind when it comes to respecting their users' privacy—including transparently focusing data collection on solely what is needed, as well as giving users more control over their personal data.

EFF's Mobile User Privacy Bill of Rights proposes six mobile privacy principles:

1. Individual control: "Users have a right to exercise control over what personal data applications collect about them and how they use it.  ...  The right to individual control also includes the ability to remove consent and withdraw that data from application servers."

2. Focused data collection: "Address book information and photo collections have already been the subject of major privacy stories and user backlash.Other especially sensitive areas include location data, and the contents and metadata from phone calls and text messages. Developers of mobile applications should only collect the minimum amount required to provide the service, with an eye towards ways to archive the functionality while anonymizing personal information."

3. Transparency: "Users need to know what data an app is accessing, how long the data is kept, and with whom it will be shared. Users should be able to access human-readable privacy and security policies, both before and after installation."

4. Respect for context: "Applications that collect data should only use or share that data in a manner consistent with the context in which the information was provided.  ...  When the developer wants to make a secondary use of the data, it must obtain explicit opt-in permission from the user."

5. Security: "Developers are responsible for the security of the personal data they collect and store. That means, for example, that it should be encrypted wherever possible, and data moving between a phone and a server should always be encrypted at the transport layer."

6. Accountability: "Ultimately, all actors in the mobile industry are responsible for the behavior of the hardware and software they create and deploy. Users have a right to demand accountability from them."

In the same document, EFF proposes developers' best practices consistent with these principles:

Electronic Frontier Foundation

EFF's baseline principles (and best development practices) for an effective mobile privacy regime are great food for thought.

Could EFF's Mobile User Privacy Bill of Rights be the starting point for legislation?  Several questions come to mind right away.

Which of these principles should be enforced by law?  Would self-regulation better realize any of them?  Should we rely on ourselves as consumers to make informed decisions that incentivize best practices by developers?  Might legal enforcement of these principles impede innovation?  And, of course, are there any rights or principles missing from this list?

We look forward to continuing the dialogue with EFF, and we want to hear from you. Get in touch via the secure form at AppRights.us, Twitter (AppRightsUS), or Facebook.