The smartphone revolution in the mobile industry has created a booming marketplace for mobile app developers, even as the iPhone, OVI, Android and BlackBerry marketplaces continue to be bombarded with innumerable apps, quite a few of which border on the outer limits of relevance. Nonetheless, utilities and entertainment for consumers are expected to spring from these mobile apps in the future, as internet usage on the mobile platform continues to increase. However, increased reliance on your mobile device for accessing data and information from the World Wide Web can pose several privacy issues, as mobile apps may collect information relating to your device, age, gender, geo-location, etc. Web applications that use Flash cookies can also store the collected information on your mobile device, often in plain text, which poses significant privacy threats to you!!
One can at times view the “permissions” which an app seeks to obtain from the user, before the user “downloads” that app from any app marketplace. On occasion I have seen strange permission levels requested by apps before allowing me to download, such as the one below:
“Read phone status and ID. – Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.”
It is a fearful bewilderment that I battle with every time I see that among the “permissions” sought by a harmless app as a condition for downloading it. The “permission” pointed out above acts almost like an effective permission for the app to determine the numbers of the persons to whom I make calls. Also, the part “….and the like” can easily be interpreted to include permissions for the app to read the messages received in my SMS inbox or my WhatsApp history!! And here I am only speaking of apps that actually display the type of information they collect and seek permissions for the same. There are several other apps, often paid ones, that do not disclose any kind of privacy information at all!!
Investigations into Privacy Issues
Addressing Privacy Concerns
Google’s Developer Distribution Agreement, under which app developers place apps on its marketplace, contains conditions which obligate app developers to protect the privacy and legal rights of users. It also mandates that developers provide a legally adequate privacy notice and protection to users (clause 4.2). The terms also bar the use of customer information generated from the marketplace for the purpose of selling products or services outside of the market (clause 4.4). Further, clause 4.9 provides that Google may remove products that do not meet acceptable standards.
One way of understanding these conditions would be that Google may remove products that do not meet standards acceptable to Google, one of which requires adherence to the privacy rules of the US and other relevant jurisdictions regarding data collection. However, ensuring each app’s compliance with the privacy rules and data collection requirements of different jurisdictions may be too granular and costly an activity for Google, and thus users can expect Google not to be proactive in removing apps that flout its terms and conditions. As a result, we see apps that flout Google’s terms and conditions continue to be placed on the Android marketplace (now Google Play). It only follows that most of those apps are also not in compliance with the privacy rules of different jurisdictions.
Also, users at an individual level may never be able to report privacy violations because data and information relating to them is often collected without their knowledge. Neither are the users sufficiently aware that data relating to them is being collected by an app, which the users utilize for otherwise very harmless purposes.
As per Section 4 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (henceforth, “Privacy Rules”), there is an obligation on a body corporate, or any person acting on behalf of a body corporate, to provide a privacy policy that sets out:
- Clear and easily accessible statements of its practices and policies (such as the nature of the app’s interactions with third-party applications or other third parties, the information that is collected by the app, and what the persons behind the app do with such information and in what manner they apply it).
- The type of personal or sensitive personal data or information that is collected by the app.
- The exact purpose for which such personal data or information is collected.
- Information regarding the sharing of any such collected information with other third parties.
However, following a clarification by the Department of Information Technology, about which Apar had written a post, the said Privacy Rules may apply only to legal entities located within India, and only when a particular legal entity collects sensitive data or personal information directly from the user under a contractual obligation. Therefore, a large number of apps and bodies corporate may not be within the purview and ambit of the Indian Privacy Rules at all. Also, even if such bodies corporate may be liable under foreign jurisdictions, it can be said without much thinking that pursuing foreign-based companies in foreign jurisdictions will be cost-prohibitive for affected users in India. This calls for considerable discretion on the part of users to protect information relating to them from being tossed around without consent, or in non-transparent ways, through the world (or marketplace?) of mobile apps.