This is a great story and one that should receive much attention in light of the recent subpoena served on Pandora for privacy violations. The question becomes whether developers of web and mobile apps are intentionally violating US computer fraud laws in efforts to become more profitable.
Developers are cognizant that the average user is not going read the Terms of Service and Privacy Agreements of most apps. What’s worse, there doesn’t seem to be any real simplistic way of knowing whether the information and/or data collected from the user can be used for malicious purposes. For example, if an app says it can collect my phones Unique ID – what does that mean? Do they collect the data to make better advertising and/or business decisions? Do they sell my UID information to 3rd parties? What about address book, GPS information? How about Apple’s FaceTime allegedly taking photos by itself?
If you hop over to the Wall Street Journal’s site, you’ll note they launched an investigation in December 2010 of 101 iPhone and Android apps and looked at what exactly they’re sending out themselves and 3rd parties. Candidly, it’s frightening. Click here to access the interactive report. It’s amazing. Let’s take Groupon for an example. It not only collects Username/Password, but your Phone Number and your Age/Gender. It then takes that information back to its own company as well as Fluent Mobile, Flurry and Google Analytics. It really does make you re-think many of your app choices.
According to the WSJ, Pandora doesn’t believe it has much to worry about, as this is more of an industry-wide probe and the SEC is looking to explore what’s really happening here.
So the question ultimately becomes this: similar to the FDA’s requirement that food have Nutritional Facts and health risks on cigarettes in plain English, can we require the same of developers of web and mobile apps? Should developers create plain English warnings of not just that data is being collected but importantly how it is being collected. This would accomplish 2 objectives in my mind: 1) whether the developer is using the data it takes from our computers and phones in a proper, non-malicious fashion; and 2) allows the user to make a more informed decision as to whether s/he wants the data collected, even in a non-malicious way.
What do you think?