Tech firms agree new app privacy disclosure

Info must be available 'prior to download'

23 February 2012

Twitter admitted to storing address book information on its servers.

Last week Which? reported on how some popular social mobile apps were copying data from users' address books. This week, in response to growing concern over the issue, Apple, Google, Microsoft and other major tech firms have agreed new rules to help inform users of such problems.

In an announcement made by Kamala Harris, the attorney general of California, Amazon, Apple, Google, Microsoft, Research in Motion, and Hewlett-Packard have agreed to enforce rules on themselves and developers on their platforms that require them to disclose how they use private data before apps are downloaded.

Harris said: 'Your personal privacy should not be the cost of using mobile apps, but all too often it is.' Harris admitted that there was no fixed timeline for enforcing the rules, but that the companies that have committed to the agreement will meet in six months to discuss progress in enforcing it.

Andy Vandervell, deputy technology editor at Which?, said: 'While we applaud the sentiment in this announcement, the lack of details as to how privacy information will be conveyed leaves much to be answered. If consumers are to make informed decisions it's vital that the information available prior to downloading a mobile app is clear, easy to understand and consistent.'

The catalyst for change

This move follows a number of recent exposures of questionable privacy practices. Google was recently revealed to be circumventing privacy settings in Apple's Safari and Mobile Safari web browsers to allow it to track people using its services, such as Gmail and Google+. Twitter, meanwhile, admitted to storing the address books of users who used the 'Find Friends' feature of its Twitter app shortly after Path - another new social network - was exposed for a similar practice.

In response to these incidents, Apple said: 'Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.'

What can I do to protect my data?

App developers only have access to users' personal data when an application is open. An unopened application can't access personal details. In accordance with Apple's policies, app developers need to inform users when they are accessing data. In the case of Twitter the wording isn't very explicit, so users should be extra vigilant when accessing certain features within applications - especially those with a social, or 'friend-finding' aspect.

Which? spoke to the Information Commissioner's Office (ICO), which offers independent advice on data protection. The ICO said: 'Any company that develops a third party app that involves the processing of personal information must ensure that they comply with relevant data protection legislation. For UK companies this means that they should meet their requirements under the UK Data Protection Act, for example by making sure they are open and up front with the user about how their personal data will be used and for what purpose. If an individual feels that an organisation has failed to comply with the DPA they can complain to the ICO.'
