EFF's 'Mobile User Privacy Bill of Rights' - A Starting Point for Legislation?

Tuesday, July 31, 2012

By the AppRights team

Last week, Adi Kamdar at the Electronic Frontier Foundation wrote about Congressman Johnson's AppRights project for EFF's "Deeplinks" blog.

Introducing Congressman Johnson as "a friend of the Internet," Kamdar described AppRights as a "heartening" effort "to stand up for privacy rights."  Kamdar also wrote that EFF hopes Congressman Johnson and the AppRights team will take a close look at EFF's Mobile Privacy Bill of Rights:

Mobile privacy and consumer rights are important issues to EFF, and we hope that Rep. Johnson keeps our previous work on the topic in mind—most notably our Mobile User Privacy Bill of Rights. This document contains key points for developers to keep in mind when it comes to respecting their users' privacy—including transparently focusing data collection on solely what is needed, as well as giving users more control over their personal data.

EFF's Mobile User Privacy Bill of Rights proposes six mobile privacy principles:

  1. Individual control: "Users have a right to exercise control over what personal data applications collect about them and how they use it.  ...  The right to individual control also includes the ability to remove consent and withdraw that data from application servers."

  2. Focused data collection: "Address book information and photo collections have already been the subject of major privacy stories and user backlash.Other especially sensitive areas include location data, and the contents and metadata from phone calls and text messages. Developers of mobile applications should only collect the minimum amount required to provide the service, with an eye towards ways to archive the functionality while anonymizing personal information."

  3. Transparency: "Users need to know what data an app is accessing, how long the data is kept, and with whom it will be shared. Users should be able to access human-readable privacy and security policies, both before and after installation."

  4. Respect for context: "Applications that collect data should only use or share that data in a manner consistent with the context in which the information was provided.  ...  When the developer wants to make a secondary use of the data, it must obtain explicit opt-in permission from the user."

  5. Security: "Developers are responsible for the security of the personal data they collect and store. That means, for example, that it should be encrypted wherever possible, and data moving between a phone and a server should always be encrypted at the transport layer."

  6. Accountability: "Ultimately, all actors in the mobile industry are responsible for the behavior of the hardware and software they create and deploy. Users have a right to demand accountability from them."

In the same document, EFF proposes developers' best practices consistent with these principles:

  • Anonymizing and obfuscation
  • Secure data transit
  • Secure data storage
  • Internal security
  • Penetration testing
  • Do Not Track
Electronic Frontier Foundation

EFF's baseline principles (and best development practices) for an effective mobile privacy regime are great food for thought.

Could EFF's Mobile User Privacy Bill of Rights be the starting point for legislation?  Several questions come to mind right away.

Which of these principles should be enforced by law?  Would self-regulation better realize any of them?  Should we rely on ourselves as consumers to make informed decisions that incentivize best practices by developers?  Might legal enforcement of these principles impede innovation?  And, of course, are there any rights or principles missing from this list?

We look forward to continuing the dialogue with EFF, and we want to hear from you. Get in touch via the secure form at AppRights.us, Twitter (AppRightsUS), or Facebook.