Several companies might face sanctions after Harris sent warning letters in late October to 100 app makers that had not posted a written policy. The vast majority agreed to comply, said Travis LeBlanc, who oversees the attorney general’s new Privacy Enforcement and Protection Unit.
The companies that rejected her order maintain they aren’t required to have a policy because the personal data they collect is not subject to the California Online Privacy Protection Act, LeBlanc said. He declined to name the companies or say how many were violating the law.
The prevalence of mobile app downloads has exploded in recent years, while enforcement of privacy protections has struggled to keep up. Privacy advocates say having a policy in place is the minimum requirement for app makers and a necessary first step in educating consumers who increasingly rely on mobile devices to share and store sensitive information.
“We’ve reached out to industry associations and let everyone know that they have an obligation to do this,” LeBlanc said.
The enforcement actions follow a February agreement between the attorney general’s office and mobile app platform companies such as Apple and Google that required app developers to make privacy policies available for review before an app is downloaded, rather than after.
Critics of mobile privacy protections say simply having a policy in place – whether on the app platform or directly through the maker of the app – is not sufficient to address the growing volume of personal information being collected by mobile applications.
Those concerns are heightened with free applications, which appear to pose the greatest risk to mobile device users. An analysis of more than 1.7 million apps by the digital security firm Juniper Networks found that free apps were three times more likely to access an individual’s address book than paid apps.
“We assume that app developers are interested in delivering the best experience,” said Parker Higgins, an activist with the Electronic Frontier Foundation who has followed mobile app development and security closely. “But if they are malicious, it’s a little bit more difficult.”
“As it stands now, you don’t need to include very much, and companies can change their policies at any time,” Higgins said. “It’s not much of a guarantee.”
Some Silicon Valley mobile app developers have resisted scrutiny over how personal information is collected and sold to advertisers, arguing that regulation will slow the pace of development. A September study by the technology research company Gartner Inc. predicts that the number of mobile applications downloaded will total more than 45 billion this year, nearly double last year’s number.
Concerns over mobile apps’ access to personal data landed in court this year when a Texas man filed a lawsuit alleging the social networking app Path Inc. violated his privacy by storing his address book information on its servers without his permission.
The suit, filed by Oscar Hernandez in San Francisco federal court in March, claims that Path violated five state laws when it stored its users’ information.
The San Francisco-based company had issued an apology in February after a developer published a blog post about its practices, and Path said it deleted the database of contacts from its servers. But that wasn’t enough to deter Hernandez.
The suit is being closely watched by the industry, Higgins said, because it places a dollar amount on how much it will cost the alleged victim to restore his personal data and remove the company’s “tracking mechanisms:” $12,250.
“Once you’ve downloaded the app, to really wipe the slate clean is tremendously expensive,” said Brian Strange, Hernandez’s attorney. “It’s not as simple as just pushing a button.”
The case highlights a core issue that privacy policies are meant to address: minimizing surprise on behalf of the user.
“It isn’t that they didn’t have a policy; it’s that users were surprised that they were accessing their private information,” said Derek Halliday, senior product manager for San Francisco-based mobile security company Lookout.
Halliday said the policies are designed to protect app makers, not users. Rather than the typical pages-long policy appended to most apps today, Halliday said app makers should make the policies shorter and clearer, factors that become even more important on the small screens of mobile devices.
Halliday has advised dozens of app developers on how to minimize data collection. In many cases, he said, they were unaware what information – such as locations, email addresses and phone numbers – advertising networks were requesting.
Lauren Gelman, former executive director of Stanford Law School’s Center for Internet and Society, said she hopes Harris will take the next step in enforcing mobile privacy protections and fine app makers that are not in compliance.
“The attorney general has enforcement power, not just to issue rules or send letters, but through prosecution,” Gelman said. “So this is a welcome sign for people who take privacy seriously.”
View this story on Bay Citizen
This story was produced by The Bay Citizen, a nonprofit, investigative news sources in the Bay Area and a part of the Center for Investigative Reporting. Learn more at www.baycitizen.org.