Mobile Data Privacy is Terra Incognita to Users and Developers
Pitfalls lurk for even savvy consumers
By Cameron Scott
February 24, 2012 — President Obama's move Thursday to establish a so-called Privacy Bill of Rights for the Internet can be seen as the consolidation of decadelong efforts by disparate groups to improve privacy protections via countless browser add-ons, settings and privacy policies. But while it's possible to guard privacy on the desktop, the rapidly growing mobile space is still the Wild West, with an almost endless landscape of privacy pitfalls that challenge even the most vigilant consumer.
Today's mobile phones collect an enormous amount of personal data -- from the user's email address to his or her location, contact list, calendar and even photos -- and tether it to a single unique device ID number. One location-based photo-sharing app reportedly activated users' microphones to narrow down their location beyond what GPS data could provide. There is as yet very little to protect the valuable data on these most personal of devices.
The news this week that California will require mobile apps to post privacy policies was widely praised, but also underscored just how much of a free-for-all the space is now. A developer survey conducted by the Future of Privacy Forum found that 60 percent of all mobile apps don't even have a privacy policy that would notify consumers which of their data the apps access. A study by TrustE and Harris Interactive found that 95 percent of all apps lack a privacy policy.
Given California's plan, and the major mobile platforms' participation in it, developers who market their apps in the App Store, Android Marketplace or any of the other major platforms will have to establish and disclose these policies, but there is still no requirement for them to limit the data they grab, store or share.
"The only piece of information that's restricted by the operating system is location information," said Ashkan Soltani, an independent researcher and consultant focused on privacy. The restrictions on what developers can share with third parties are minimal and not always clear.
As for protecting one's private data, "The industry tools don't even exist yet," said Jules Polonetsky, who runs the Future of Privacy Forum. For example, "It's nearly impossible" to opt out of tracking on a mobile device.
Data driving innovation
Ironically, unfettered access to hardware and data in smartphones has driven much of the innovation that has happened in the mobile arena. A flashlight app must have access to the phone's flash to work. Social networks need access to contact information to suggest friends for new users. And apps like Yelp use location data to ensure users get relevant information.
Is privacy an ally of security, next of kin, or something else? These articles dig into the hows and whys of data privacy and data protection, and its relationship to enterprise security efforts.
6 ways we gave up our privacy
The effect of social networks, web 2.0 technologies, and other privacy-shaking developments
7 Firefox plugins for data privacy
Plug data-leaking holes in your web browsing
4 signs of an easy victim on social networks
Scammers and hackers of all kinds scour social sites for personal data
Potential privacy 'gotchas' in cloud computing
How to respond to a data breach notification
5 things to know about the Chief Privacy Officer
- HIPAA Hiccup Solved
- Forrester Research and EMC on Continuous Availability
- Big Ideas; Big Tech-Continuous Availability for VMware
- Enterprise File Sharing: All You Need to Know
- Reduce Costs, Maximize Performance and Ensure High Availability of your Business Critical Applications
- Software Asset Management - Program Considerations to Help Reduce Risk and Lower Costs
- Mandiant's APT1: Revisited
The Mandiant APT1 report made our industry stronger by encouraging -- if not forcing -- information sharing. By Nick Selby - Attacks from China: A survival guide
- #FFSec: Infosec pros who bring value to Twitter
More Salted Hash with Bill Brenner
