On Friday, February 1, 2013, as many have reported, the FTC issued a staff report with recommendations for improving mobile privacy practices. The recommendations were issued for mobile app platforms (like Apple, Google, Microsoft and Amazon), app developers, advertising networks and other third party analytics companies, and app trade associations.
By its report and its recent enforcement actions, the FTC has made its message clear to mobile app developers: data security is critical. This should come as no surprise as the FTC has always been concerned with the security of private consumer information. But the fast-paced nature of the mobile industry, coupled with the rush to market and entrepreneurial management teams that often lack compliance officers and lawyers, make mobile app developers particularly vulnerable to crippling enforcement action for non-compliance. Putting aside FTC enforcement actions, if your mobile app is designed to appeal to a consumer's desire to protect his or her privacy, a non-compliant mobile app can be the death of your new product. Likewise, if your application is marketed to business and interfaces with a company's computer system to access personally identifiable information (PII) of customers, a non-compliant app will not get off the ground. This is particularly true in highly regulated industries like the automotive retail sale industry.
So, what should a mobile app developer know about privacy? Well, let's start with the FTC staff report's recommendations for mobile app developers. The FTC recommends:
- Privacy policies that are easily accessible through app stores and accurately reflect the app developers privacy practices;
- Providing real-time disclosures and a mechanism to obtain the consumer’s express consent to the collection of data;
- Reviewing relationships and contracts with ad networks and other third parties, such as data analytics companies, to make sure the app developer understands how the third party collects and uses the data – this will also help the app developer provide accurate privacy disclosures; and
- Participating in self-regulatory programs and working with trade associations and industry organizations.
Back to mobile app developers. As a practical matter, how does a mobile app developer implement these recommendations? Well, there is no one-size-fits-all approach to securing all apps. For example, an alarm clock app that collects no identifying information from the consumer will be viewed much differently than a more complex app that relies on remote servers for storing and manipulating users' data, which would require developers to be familiar with securing software and securing data at rest and data in transit. So the FTC will look at several factors to determine whether an app is compliant.
This is probably a good time to mention that the FTC staff report is just that; a staff report. It is not a rule or regulation. In fact, it was probably FTC Chairman Jon Leibowitz's swan song, as he announced the same day that he will be stepping down as FTC chair later this month. Nonetheless, as the administration remains the same in Washington, a like-minded replacement is likely to be found and the report contains sound advice and guidance for mobile app developers in divining how the FTC will interpret and apply its regulations to mobile app developers.
Before diving into the details of data security, look before you leap. The mobile ecosystem presents developers with both challenges and opportunities. Know what's out there and conduct proper due diligence before adopting it. For example, app developers can code quickly with the support of powerful software development kits (SDKs). However, a rush to release may result in dangerous security oversights. And once you release, is your product ready for potential overnight popularity? The bigger the user base, the greater the need for strong security. Also, ready-made software libraries and cross-platform toolkits can provide a head start in the development process, but these should be vetted for security loopholes. Finally, GPS receivers, cameras, and sensors let you create a unique experience for users. But mobile users often rely on insecure Wi-Fi networks. Low-tech threats—like loss and theft—raise security stakes. Balance these features and risks to protect users' personal information and your own business reputation.
The FTC's Bureau of Consumer Protection Business Center recently put out these tips for mobile app developers:
Make someone responsible for security. Your team should include at least one person responsible for considering security at every stage of your app's development. If you're running a solo operation, that person is you. It's easy to assume someone else is handling security—whether that someone is a mobile operating system provider, a device manufacturer, or another member of the development team. It's true that everyone has a role to play, but as a developer, you're the final line of defense.
Take stock of the data you collect and retain. Practice data minimization: don't collect or keep data you don't need, and avoid keeping it longer than you need to.
Understand differences between mobile platforms. If your app is going to be made available on multiple platforms, understand the security features of their application programming interfaces (APIs). Research and code accordingly.
Don't rely on a platform alone to protect your users. It's your reputation on the line, not the mobile platform's. Know the limitations of the platform's security features and plan accordingly.
Generate credentials securely. If your app creates credentials for your users (like usernames and passwords), create them securely and with reference to the nature of their use.
Use transit encryption for usernames, passwords, and other important data. The security of data in transit is critical. Anytime your app transmits usernames, passwords, API keys, or other types of important data, use transit encryption. Consider using HTTPS or another industry-standard method. If you use HTTPS, use a digital certificate and ensure your app checks it properly. A no-frills digital certificate from a reputable vendor is inexpensive and helps your customers ensure they're communicating with your servers, and not someone else's. But standards change, so keep an eye on current technologies, and make sure you're using the latest and best security features.
Use due diligence on libraries and other third-party code. This is what I was referring to earlier about looking before you leap. While great SDKs exist, know their security vulnerabilities. Research, vet and test them. After-all, it's your reputation on the line.
Consider protecting data you store on a user's device. If your app handles personal information, consider protecting or obscuring the data—for example, by using encryption. Some platforms have special storage schemes for sensitive data like passwords and keys. Use them if they're available. This helps protect your users in the event of viruses, malware, or a lost device.
Protect your servers, too. This a no-brainer, but one consideration that is often overlooked is the limits of security responsibility for a commercial cloud provider. Know where its responsibilities end and yours begin.
Don't store passwords in plaintext. Consider using an iterated cryptographic hash function to hash users' passwords and then verify against these hash values. (Your users can simply reset their passwords if they forget.) That way, if your server suffers a data breach, passwords aren't left completely exposed.
Continually monitor threats after release. You're not done once you release your app. Stay aware and communicate with your users. Security threats are always changing. For example, if you make a claim that your app protects the privacy of its users, you better bet that someone is out there challenging that claim, whether it be a competitor, a curious programmer, or a nefarious thief. Continually monitoring the effectiveness of your security measures can help maintain your reputation with your users and the community.
Obtain legal advice on federal and state privacy statutes that may apply to your app. If you're dealing with financial data, health data, or kids' data, make sure you understand applicable standards and regulations. Numerous state and federal laws govern these types of information, including, among other things, the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLB), the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the Health Breach Notification Rule and the various states' data breach notification rules. These laws are complicated and require knowledgeable legal counsel to assist you in creating a national compliance solution.
In this vein, as with most things mobile, the law is constantly changing. Last week, Rep. Hank Johnson, D-Ga., unveiled a discussion draft of a new bill he’s calling the Application Privacy, Protection and Security (APPS) Act of 2013. APPS would regulate how the developers of mobile applications collect and disclose collection of personal data and how they share it. It would allow consumers to prevent developers from sharing or collecting their data. So hiring or retaining counsel to stay abreast of changes in the law that affect your business is important, not just for compliance purposes, but to help you to establish due diligence for potential investors.