MOBILE apps are the Trojan horses of our smartphones.
We think they're free, or nearly free, and invite them in -- without always knowing exactly what's inside.
Apps often collect all kinds of information from our smartphones, like our contact lists and data on our precise locations. Both Android and iPhone apps are supposed to ask users' permission first. But many people probably don't know that third parties, like ad networks, analytics companies and data brokers, may also gain access to that information, security experts say.
An Android photo-sharing app, for instance, might request access to a user's contacts, making it easy for that user to share photos, says Harry Sverdlove, the chief technology officer at Bit9, a cybersecurity firm. But a banner ad running on that same app, he says, might also be able to get access to that list and use it to profile the user's activities.
"It's like the app is asking, 'May I have permission to enter your home?' " Mr. Sverdlove says. "Maybe I am coming over to visit and have dinner. Maybe I am coming over to steal."
Now, a new joint effort of the app industry and advocacy groups is working to give consumers more clarity on this issue. Last month, the coalition -- it includes the Application Developers Alliance, the American Civil Liberties Union, Consumer Action and the World Privacy Forum -- proposed that mobile apps voluntarily display standardized, short-form notices that would list the main types of data they collect and the entities with which that information is shared.
The idea came in response to a federal effort to update consumer privacy rights for the digital era.
"App developers want to do something that advances consumers' trust in their industry," says Tim Sparapani, senior adviser for policy and law at the Application Developers Alliance, an industry group. "To make it work, they want it to be implementable and easy."
The White House earlier this year asked the National Telecommunications and Information Administration, a division of the Commerce Department, to gather industry and advocacy groups together in an effort to develop a "Consumer Privacy Bill of Rights." After reviewing public commentary on the process, the telecommunications agency announced its first step would be to convene interested parties to work out a code of conduct for transparency in how mobile apps handle consumer data.
The process has been bumpy. The mobile app meetings have been beset by animosity and incivility. And some of the parties are operating on different channels. Some advocacy groups have been publicly pushing for comprehensive, detailed disclosures on data use by apps and third parties. Meanwhile, an advertising industry alliance has been working outside of the process to privately develop its own self-regulatory code of conduct.
A recent report about the collection of mobile device location data issued by the Government Accountability Office faulted the telecommunications agency for its unstructured approach. Although the collection and sharing of location data could put consumers at serious risk of surveillance, stalking and identity theft, the report said, the telecommunications agency "has not set specific goals, milestones and performance measures for this effort."
"Consequently, it is unclear if or when the process would address mobile location privacy," the G.A.O. said.
The telecommunications agency sees its role as a facilitator or convener of the process, not as a director or active member.
"I am pretty pleased with the progress the stakeholders have made so far," John Morris, the agency's director of the Office of Policy, Analysis and Development, said in a phone interview last Thursday. "I am looking forward to seeing them reach a conclusion."
But some stakeholders say they have been frustrated with the lack of progress. That is why the app developer and advocacy groups worked on their own to develop a more practical approach, designing what they call "voluntary transparency screens."
"There's a whole lot of shouting going on about process. There's a whole lot of shouting going on about substance," Jon Potter, the president of the Application Developers Alliance, said at a meeting of the stakeholders on Nov. 30. "What if we close the door, lower the temperature and try to get something done?"
THE level of strife so far over the narrow issue of mobile app transparency, some advocates say, doesn't bode well for the larger federal effort to work out a comprehensive consumer bill of privacy rights.
App industry representatives and advocates wrangled for months to hammer out prototypes for their short-form notices, negotiating over the data disclosures they felt consumers should see and different ways to present them. They came up with an idea that users could click on a disclosure screen or two before they downloaded an app.
A first screen, the coalition proposed, might list the types of data an app collected, like a device's location, personal contacts, Web browsing history, photos, financial or health information. A second screen could list the kinds of entities -- ad networks, data brokers, data analytics companies, government agencies, social networks and so on -- that could also gain access to that data. Or it could all be on one screen.
The idea, Mr. Potter says, is to give consumers a quick way to compare apps not just on utility but also on the extent of data collection. In an industry where long-winded, opaque privacy policies have become the norm, the proposed short notices seem radical in their clarity and brevity.
"The process is about effectively communicating to consumers what data is being collected and who it is being shared with," Mr. Potter says.
Ad industry representatives applauded the simplicity of the notices. But they vociferously objected to the idea that app users would have to click through a screen before they could use an app.
"That you'd have to scroll through all this privacy stuff before you get to the app, there's no public call for that," said Stuart P. Ingis, a lawyer representing the Direct Marketing Association, an industry group, in the negotiations on mobile app transparency. "Consumers don't want that."
Mr. Ingis also represents the Digital Advertising Alliance, an ad industry self-regulatory initiative that offers an ad-choices program for Internet users. The alliance, he says, has been working outside of the telecommunications agency process to privately develop its own guidelines for third parties that collect consumer data across apps.
But advocates and app developers argue that consumers should receive clear notices of mobile app and third-party data collection practices before they download apps. It would be good for consumers and for commerce, they say.
"I think app developers see the market advantage to this," says Michelle De Mooy, a senior associate at Consumer Action, a consumer group based in San Francisco. "The goal is to provide transparency that consumers, who after all are the customer of the apps, have asked for."
This article originally appeared in The New York Times.