The FTC's third recommendation for mobile app developers is that they "improve coordination and communication with ad networks and other third parties, such as analytics companies, that provide services for apps so the app developers and provide accurate disclosures to customers." Many banks do work with analytics companies to craft merchant-funded rewards and with account aggregators to create personal financial management tools.
"My interpretation of this requirement is that the FTC wants app developers to have a better understanding of what the third-party libraries they use in their apps are actually doing," Hong says. "As part of our research, we've been crawling a lot of free apps and a few paid apps, and nearly all of them use third-party libraries of reusable code. The tricky part is that some of the privacy issues come from these libraries rather than the apps themselves. For example, a lot of the apps we've seen use location data, but if you drill down, it turns out that it's a library used for advertising that is accessing location data. Same thing with analytics libraries we seen."
Most banks should be able to handle this part without problems, Hong believes. "For many libraries, it's not too hard to determine if it accesses sensitive information," he says. "The bigger challenge is what happens on the back-end of those third-party libraries. For example, many analytics libraries send data to a server owned by the creator of that library. What is the data retention policy there? How secure is that server? These issues are not as clear, and go beyond just basic disclosures."
The last thing the FTC recommends is that mobile app developers consider participating in self-regulatory programs, trade associations, and industry organizations that can provide guidance on how to make uniform, short-form privacy disclosures. One such group is the National Telecommunications and Information Administration.
The FTC means to enforce its guidelines. It recently settled charges against a company called Path that collected address book information from children under 13 without providing notice and obtaining parental consent. The commission is especially worried about applications targeted at children; it has found that most applications for kids fail to provide parents with information about data collected through the apps.
An earlier privacy report the FTC issued in March recommended that for unusual app features, companies provide consumers with choices at a relevant time and context.
Newer versions of Apple's mobile operating system, iOS, offer just-in-time notifications that an app is requesting location data. "Since Apple and Google account for a vast majority of mobile related activities, we are especially interested in continued evolution of platform-level features such as prompting users before an app gains access to sensitive information such as location or contacts," commented a banker who preferred not to be identified.
"For mobile banking, there probably aren't too many unexpected features," says Hong. "One that comes to mind might include using SMS or the phone's unique ID as some kind of extra verification. Another might be using one's current location data as an extra check when withdrawing funds from an ATM."
Another, related point the FTC made in March is that companies should not collect location information unless the app truly needs it.
"We are encouraged that the FTC is taking an interest in setting consistent standards and expectations for privacy related disclosures," said the banker who preferred to remain anonymous. "Focusing on providing guidance on the principle of transparency and simplicity is ultimately in the consumer's best interests."