These include flashlight apps that require Internet access and games that use location data. "We also saw apps where people were uncomfortable with a feature, but were ok with it after it was made clear what the data was being used for," he says. "For example, there is a dictionary app for Android that uses location data. Nearly all of our participants assumed that the app used location data for ads and so were uncomfortable sharing this data. But it turns out that the app uses location data to show what words people around you are looking up, and only does so when you explicitly select the feature (rather than sharing your location data all the time). After being told this, our participants were much more comfortable with the app using their location."
There can be danger in confusing customers with too many disclosures, Hong points out. "If we're not careful, end-users could be inundated with notifications and warnings, some of which will be useful, and many of which won't be."
The FTC's third recommendation for mobile app developers is that they "improve coordination and communication with ad networks and other third parties, such as analytics companies, that provide services for apps so the app developers and provide accurate disclosures to customers." Many banks do work with analytics companies to craft merchant-funded rewards and with account aggregators to create personal financial management tools.
"My interpretation of this requirement is that the FTC wants app developers to have a better understanding of what the third-party libraries they use in their apps are actually doing," Hong says. "As part of our research, we've been crawling a lot of free apps and a few paid apps, and nearly all of them use third-party libraries of reusable code. The tricky part is that some of the privacy issues come from these libraries rather than the apps themselves. For example, a lot of the apps we've seen use location data, but if you drill down, it turns out that it's a library used for advertising that is accessing location data. Same thing with analytics libraries we seen."
Most banks should be able to handle this part without problems, Hong believes. "For many libraries, it's not too hard to determine if it accesses sensitive information," he says. "The bigger challenge is what happens on the back-end of those third-party libraries. For example, many analytics libraries send data to a server owned by the creator of that library. What is the data retention policy there? How secure is that server? These issues are not as clear, and go beyond just basic disclosures."
The last thing the FTC recommends is that mobile app developers consider participating in self-regulatory programs, trade associations, and industry organizations that can provide guidance on how to make uniform, short-form privacy disclosures. One such group is the National Telecommunications and Information Administration.
The FTC means to enforce its guidelines. It recently settled charges against a company called Path that collected address book information from children under 13 without providing notice and obtaining parental consent. The commission is especially worried about applications targeted at children; it has found that most applications for kids fail to provide parents with information about data collected through the apps.
An earlier privacy report the FTC issued in March recommended that for unusual app features, companies provide consumers with choices at a relevant time and context.
Newer versions of Apple's mobile operating system, iOS, offer just-in-time notifications that an app is requesting location data. "Since Apple and Google account for a vast majority of mobile related activities, we are especially interested in continued evolution of platform-level features such as prompting users before an app gains access to sensitive information such as location or contacts," commented a banker who preferred not to be identified.