Recently, CDT hosted PrivacyAppCamp at Google’s Mountain View, CA campus. PrivacyCamp is an open format event designed to encourage conversation about tough challenges facing consumer privacy. This one focused on privacy issues associated with applications for both mobile and Web platforms. We invited developers and technologists to join our usual crowd of lawyers and policy wonks to discuss how to bake privacy into apps. The message was clear: app developers often don’t have time to think about privacy in early stages of code writing. So how can the privacy community help make it easy?
The challenge of actually following the principles of “Privacy by Design” was made crystal clear by one of my favorite examples from the day:
Let’s say you’re building a new “Sheep Throwing” app. It’s you and your buddy working alone on this thing and after weeks of coding to get the sheep’s trajectory to match up with the swipe of a finger across a touch screen, you realize you should probably figure out a way to get some money for your time. You can now either charge for your app, or offer it for free with ads. Often, users are not willing to buy an app unless they understand the intrinsic value or need, so it’s good to offer a taste of your sheep throwing app. So you put out a demo, it’s free and lets you throw white and black sheep (a full expansion, offering Technicolor sheep, will be available for $1.99). But in order to make a little cash, you place an ad service at the bottom of the app.
Here’s the problem – most ad networks and services offer prepackaged developer kits (like iApp) which allow otherwise occupied developers to just plug in a few lines of code to start making dough. The danger, however, lies in the configuration of these advertising kits. By default, these pre-packaged ad kits collect all sorts of information from the user’s device not related to mere sheep throwing. Location and other types of data are fed from these apps to the advertising networks. While many users may know that few apps are truly “free,” most would not expect that such a significant amount of their data is being drawn through app ads.
So how can we change this? Developers clearly would prefer to spend time tweaking their cool apps rather than digging through code for potential privacy risks. One idea that was proposed has some serious potential: a privacy menu SDK or Library. Ideally, one could create a chunk of code that would allow app developers to easily plug a privacy sub-menu into their app settings, letting users toggle different data sharing capabilities.
There are many advertisers who offer the ad kits I’ve described, so such a project would ideally be an open source and continually updated package that would work with a growing variety of ad networks and services. CDT has spoken with a few developers interested in such a project and we’re looking for a few other technologists who’d like to get involved.
Developers: Make Privacy Easy