designing for privacy in mobile applications
DESCRIPTION
TRANSCRIPT
?
Designing for Privacy in Mobile Applications
Guidelines for Vodafone application developers
18 July 2011
Introduction
What is privacy?The guidelines here are intended to help you ensure that your applications don’t violate your users’ privacy. But what does that mean?
Privacy means different things to different people in different contexts, but, when we use it here, we mean making sure that, when your application collects and uses personal information, it does it in ways that meet users’ expectations and gives them proper control, and it doesn’t disturb them or behave intrusively.
Keep in mind that the guidelines here form part of our Developer Agreement, so you’re bound to comply with them when you participate in our programme.
What is personal information? There are lots of legal definitions we could throw in here, but we’ll try to keep it simple: if information relating to an individual could identify, locate or enable you to contact them, then it’s personal information.
But that individual doesn’t need to be identified by name, for example, or by phone number. A name or a phone number are each personal information, but not the only examples. A user is identified (and could be contacted or located) even when you’ve only associated them with an anonymised (or, really, pseudonymised) unique identifier if it persists over multiple sessions.
Personal information is personal information no matter how it’s collected. For example, you could:
1.Ask your user for it directly (for example, in a registration flow).
2.Collect it directly from your user’s handset (for example, a unique identifier like IMSI, MSISDN or EEID).
3.Infer it indirectly, like when you profile or segment users based on their observed behaviours or locations.
4.Collect it when it’s generated by the user (for example, tweets, status updates and other user-generated content, such as photos).
But there is not necessarily a privacy problem because your application collects and uses personal information – that’s what the guidelines below are intended to help you determine.
Some other important expressionsWhen we talk about applications needing active consent, we mean an affirmative indication of agreement by the user to a specific and notified use of their personal information. Active consent can typically be captured by ticking a consent box or clicking an ‘OK’/‘Allow’ button. Active consent must be captured in a way so that consent is not the default option (for example, if there’s an ‘I Accept’ tick box, it should not be pre-ticked so that consent is bundled in with agreeing to install).
When we refer to location information, we mean any information that identifies the geographical location of a user’s device, including Cell ID, GPS, Wi-Fi, or other, less granular, information, such as town or region.
What happens if your application does have a privacy problem? In a worst-case scenario, a regulator or consumer protection authority might investigate you for a legal or regulatory violation – which might cause you to have to pull your application, pay fines or even face criminal penalties. A privacy problem with your application will also likely lead to unhappy consumers and bad ratings, or you might find yourself being “named and shamed” by a privacy advocate – many of them are paying particular attention in this space and are actively engaged. Of course, if your application is identified by our testing or reported by your users as violating privacy, it goes without saying that we will not approve your application or we’ll pull it from our platforms.
Why should I care?
Index
1. Guidelines for all applications
2. Guidelines for applications that use location
3. Guidelines for applications with social networking elements
4. Guidelines for age-appropriate applications
5. Guidelines for applications that use mobile advertising or analytics
Guidelines for all applications
Guidelines for all applicationsDon’t sneak around. An application must not secretly access, collect or share personal information. Identify yourself. Users must know who is using their personal information and how they can contact you for more information or to exercise their rights.
BACK
ABOUT US
App Adventures is a company that develops apps. You can reach us on our email address [email protected]. Our address is on App street n5, App country.
i
Guidelines for all applicationsMake sure users are informed. Use contextual disclosures to make sure users understand how your application will collect and use their personal information. Sometimes, a “privacy policy” will be necessary to achieve this, but many times a “just-in-time” notice is the right way to set expectations about your application and its personal information uses.
BACK
My Great App Privacy Policy
Sections:- What we collect- How we use it- Your choices- How to contact us
A privacy policy isn’t always the best way to give notice. When a user clicks on “Find Photos near me” (and that’s all you’re using location for), he or she’s given her implied consent.
My Great App is requesting access to your address book to invite friends to join
the game.
My Great AppGuidelines for all applicationsGain the user’s consent, where necessary. Sometimes users will need to give their active consent to uses of their personal information. •Collection or use of personal information not necessary for the application’s primary purpose.
•Sharing personal information with third parties. •Storing personal information after immediate use of the application.
CANCEL
ALLOW DON’T ALLOW
Example 1 Example 2
Financial Times App
Name: Richard StaceyAge: 52Hobbies: Golf, Sailing, FoodReligion: Agnostic
SEND
SettingsGuidelines for all applicationsGive users control over prompting. Where possible, users should have choices about how – and how often – they are reminded about features and functionality that use their personal information.
Every dayOnce a week, Monday
Once a month
Never
Please let us know how often we should prompt you with this message
Save
Guidelines for all applicationsNo silent updates. Users must agree to any updates pushed to their device. And they need to be able to understand what the update contains.
If you make changes to your app, let the users know what changes have been made so they can make decisions about whether to continue to use it; don't cover those changes under a text like “only minor changes”.
Games
This new version includes the following features:
• Bug fixing• Ten extra missions• Scoreboard sharing to
Facebook and Twitter• In app advertisement
UPDATE
SUPER GAMEDevelopment: Game Inc.
Guidelines for all applicationsMinimise the information collected. Personal Information collected by an application must be reasonable, not excessive, and within the scope of the user’s expectations.
Keep data secure. Take appropriate steps to protect users’ personal information from unauthorised disclosure or access.
Note: The more sensitive the data, the more security you need.
On the server side, do not log locations that can be associated with
individual users. Instead log aggregates of what you´re interested in. For example, just keep a list of how often people
are using your app in London; there is no need to remember which user was in London and when.
Guidelines for all applicationsAuthenticate where security calls for it. Authenticate users where possible using risk-appropriate authentication methods.
Set retention and deletion periods. When you no longer need the data you’ve collected for the reasons you collected it, make sure it’s appropriately and completely deleted. If data must be kept (for example, for billing, tax or other good reasons), make sure you keep only the minimum that will meet those needs.
Reporting. Give users the tools to report privacy problems within or about your application.
Type text
Send
Send us feedback
RSS Feed App
Send Log report
Guidelines for all applicationsGive users control over remote storage. Tell the user if your application will send data to a remote server and use or store it there. Let them know how long you’ll keep the data and why you need it. You should also let them review and delete the information if possible.
Price100 Eur
MyDreamTrip
AMSTERDAM
Price125 Eur
Low CostBcn 3:00 pmAms 5:00 pm
IberiaBcn 5:00 pmAms 5:00 pmYour search info will be stored
on a remote server for three months so we can improve our search engine
Okay
Guidelines for applications that use location
Guidelines for applications that use locationInform the user that location will be used. Access, use and share location data only when users have a clear understanding that you will do so and of the consequences of participating.Don’t facilitate stalking or surveillance. Applications must not collect, use or share location data about someone other than the user, except where another user has chosen to publish such information.
This app would like to use your current location to be
able to pull the list of nearby book stores
Locate me Cancel
Book Recommender
Sometimes, it will be very clear in context why and how you’ll use location. In those cases, minimal notice is necessary.
Guidelines for applications that use locationCapture appropriate consents where necessary. For many location-enabled applications, the use of location is clear, and is in fact why your user chooses your application. But where location isn’t the primary purpose of the application, or where users might need a little more help in understanding how you use location, more active prompting and consent may be necessary.
This app would like to detect your current
location to be able to post your points in your
national rankingPost my score and location
Locate me No, Thanks
Tetris
If location is not the primary purpose of the application or enables a secondary feature, let the user choose to activate location at the time that they use the feature.
Guidelines for applications that use locationConsent and control are necessary if you collect or retain a location history. If you will retain a history of location, tell the user how long the data is retained and why. Let them review and delete their history.
This app would like to use your current location Yes No
HIKING ROUTES
Settings
Yes No
Yes No
Share location with the park ranger
Keep location history of my hiking routes
Edit historyView history
Guidelines for applications that use locationConsent and control are necessary if location use persists when the application is active or closed. If you will continue to collect, use or share location data during operation of the application or after a user has closed the application: • Get the user’s active consent.• Alert the user when the location feature continues to operate
with a persistent indicator. If technically possible, this indicator should appear even when the application is running in the background or does not otherwise appear to be active.
• Prompt the user that location will continue to be collected, used or shared after the application is turned off, or placed in the background, and allow them to turn this feature off.
• Provide easily accessible settings that allow the user to immediately turn location on or off, including a “location off” feature that overrides all other location settings in the application.
Even when closed, App Skywalker will keep
collecting your location data in order to trace your
walking route
Don´t Allow Allow
Walk with your friends
Guidelines for applications that use locationConsent and control are necessary if you share location. If you will share location data with other applications, sites or services: • Get the active consent of the user.• Identify and provide a link or other means to
access the recipients.• Give users a way to easily manage recipients (for
example, to withdraw their consent if they want).
Running Community
When you start your run, the app will shared your location automatically with:
Hyves
Foursquare
This app will make use of your GPS location
Allow
Strawberry finder
Bad practice
Yes
Yes
Yes
Yes
Guidelines for applications that use locationCarefully set defaults and give users control over social location features. When users can share their location with the public or with their contacts, the default setting must be private. That is, the user must give active consent to begin sharing location, and must affirmatively choose individual users or groups of users who will have access to their location. In addition: •Show a clear indicator when location-sharing is active. •Allow the user to set the level of granularity of the location (city, street, exact physical location etc.).•Allow the user to manually override the location presented, e.g. by typing in an alternate location•Allow users to turn off location-sharing at any time.
Give appropriate choices for location-based advertising. Label your application as ad-supported if it will include contextual location-based advertising or sponsored results. Make sure to get active consent before sending advertising or sponsored results based on a stored history of a user’s location.
Guidelines for applications that use location This application is offered for
free, and sponsored ads are included. You can download the ad-free, paid version here: LINK
Can we use your location to show you relevant advertising in your area?
Allow Enter location manually
Guidelines for applications that use locationProtect children from endangering themselves with social location features. Users who are identified or age-verified as children must be prevented from publishing their location (that is, sharing with the general public). If children are able to share location data with their contacts, granularity must by default be set at the city level or wider. (See more in Guidelines for age-appropriate applications below).
My Shops
@ Shop X
Road 360 number 5, City
@ Shop XRoad 360 number 5, City
Refresh Share location
More Settings
My Shops
@ Shop X
City
@ Shop XCity
Refresh Share location
More Settings
Your detailed address will not be shared –
only your city. More Info
Guidelines for applications with social networking elements
Guidelines for applications with social networking elements
Encourage responsible social sharing. Allow users to choose to share personal information, but make sure they know and understand the consequences. Give users control of their personal profiles and ensure that defaults protect privacy. Prompt users to register for social networks, but be careful about mapping registration information to profiles. Ensure that children are prevented from endangering themselves on social networks. Underage users require more restrictive defaults and other protective measures. (See more in Guidelines for age-appropriate applications).
KAMASUTRA
You are about to share adult content in a social network. Are you sure?
YES NO
Guidelines for age-appropriate applications
(children’s applications or adult applications)
Guidelines for age-appropriate apps
Tailor applications appropriate to age ranges. Applications that are intended for children and adolescents should ensure that they understand the consequences of using the application by describing features and functions in age-appropriate language. Children will, in some instances, require more restrictive default settings than adult users.Create age-appropriate defaults. The younger the user, the more conservative or restrictive your default settings should be. If you don’t have an actual age, then use the context as a proxy - e.g. applications that are aimed at or are likely to be used by younger children should assume a user age consistent with that type of application
Friends
SchoolBook
Name: RichardAGE: 8
Messages
To keep you safe, SchoolBook will not share your current location with your friends
OK
Map
Guidelines for age-appropriate apps
Where possible and appropriate. Under certain circumstances, you may need to verify a user’s age (for example, where applications contain social networking features or allow access to adult content). Where impossible to verify age using automated means, self-certification may be an acceptable alternative, but should not be done in such a way that children are encouraged to falsify their ages.
Ask for users' date or year of birth instead of are you older than X years, but let them know how you will use it. Let them know why and offer them an exit button. Give adults the same choice too. Let them know what type of adult content to expect and give them the option to opt out.
We are sorry, you may not use this application. Please check the section About Us to read more information about our products and services.
About Us EXIT
Please enter your date of birth:
18
OK EXIT
Do not ask this question again. We do not save or share your date of birth. It is checked locally on your device.
8 2000
Guidelines for applications that use mobile advertising or analytics
Guidelines for applications that use mobile advertising or analytics
Comply with direct marketing standards, laws and best practices. In most countries, before you can send direct marketing communications (e.g. email or SMS) to users who install your application, they must at least be given: 1) an opportunity to opt out of receiving those messages when and where you collect their contact details; and 2) unsubscribe directions in each communication. Inform users about embedded advertising features. Let users know when an application is ad-supported before they choose it.
Sports/Games
The free version of Cachuli is ad-supported. If you would like to remove the ads and support the continued development of Cachuli, you can do so. From the main screen, press your phone’s menu button, then tap the “remove ads” button. This will let you install the paid app, which removes the ads.
CONFIRM
CACHULIDevelopment: Julian Muñoz
Guidelines for applications that use mobile advertising or analytics
Use third-party analytics tools appropriately. Tools like Google Analytics can be important and useful. But users should be notified that you’re using them and given an opportunity to choose not to participate. Give them an opt out within your application or, where available, instructions on how to use the third-party tool’s opt out. If possible, prevent these tools from collecting full unique identifiers like IMSI, MSISDN, IP address or EEID.
My Great App i
To improve our app, we´d like to log some basic information about how you use it. This data will not be linked to you – we’ll combine it with other users’ information to create aggregate statistics.Under My Profile you will be able to change your choice at any time.
Continue
To improve your app, collect information on how users
interact with it. But let your users know, what and why
you're collecting. Do it without personal information, and let them opt
out if it makes them uncomfortable.
Guidelines for applications that use mobile advertising or analytics
Capture appropriate consent to advertise to a user. Users must agree to advertising targeted to them based on behavioural profiles about how they use your application collected over time, and give active consent to profiling across applications or by third parties. Before you embed code from third-party advertising companies, make sure they meet these requirements and don’t violate your users’ privacy.
Guidelines for applications that use mobile advertising or analytics
Respect privacy when viral marketing. Get the active consent of the user to access information about or send information to their contacts.
My Great App is requesting access to your address book to invite friends to join the game.
My Great App CANCEL
ALLOW DON’T ALLOW
Guidelines for applications that use mobile advertising or analytics
Target based only on legitimately collected personal information. The only personal information you may use to target advertising is the information you have legitimately collected as necessary for your application’s primary purpose. Please note that our rules require us to reject your application if it collects additional information solely for the purpose of targeting advertising.
Financial Times App i
Name: Richard StaceyAge: 52Hobbies: Golf, Sailing, FoodReligion: Agnostic
Submit
TAP HERE TO GET A CHEAP GOLF COURSE IN SPAIN
Bad practice
Thanks!