Designing for privacy in mobile applications

Designing for Privacy in Mobile ApplicationsGuidelines for Vodafone application developers18 July 2011

What is privacy?Keep in mind that the guidelines here form part of our Developer Agreement, so you’re bound to comply with them when you participate in our programme. The guidelines here are intended to help you ensure that your applications don’t violate your users’ privacy. But what does that mean?Privacy means different things to different people in different contexts, but, when we use it here, we mean making sure that, when your application collects and uses personal information, it does it in ways that meet users’ expectations and gives them proper control, and it doesn’t disturb them or behave intrusively.

What is personal information? Personal information is personal information no matter how it’s collected. For example, you could: Ask your user for it directly (for example, in a registration flow).Collect it directly from your user’s handset (for example, a unique identifier like IMSI, MSISDN or EEID). Infer it indirectly, like when you profile or segment users based on their observed behaviours or locations. Collect it when it’s generated by the user (for example, tweets, status updates and other user-generated content, such as photos). But there is not necessarily a privacy problem because your application collects and uses personal information – that’s what the guidelines below are intended to help you determine. There are lots of legal definitions we could throw in here, but we’ll try to keep it simple: if information relating to an individual could identify, locate or enable you to contact them, then it’s personal information. But that individual doesn’t need to be identified by name, for example, or by phone number. A name or a phone number are each personal information, but not the only examples. A user is identified (and could be contacted or located) even when you’ve only associated them with an anonymised (or, really, pseudonymised) unique identifier if it persists over multiple sessions.

Why should I care? Some other important expressionsWhat happens if your application does have a privacy problem? In a worst-case scenario, a regulator or consumer protection authority might investigate you for a legal or regulatory violation – which might cause you to have to pull your application, pay fines or even face criminal penalties. A privacy problem with your application will also likely lead to unhappy consumers and bad ratings, or you might find yourself being “named and shamed” by a privacy advocate – many of them are paying particular attention in this space and are actively engaged. Of course, if your application is identified by our testing or reported by your users as violating privacy, it goes without saying that we will not approve your application or we’ll pull it from our platforms. When we talk about applications needing active consent, we mean an affirmative indication of agreement by the user to a specific and notified use of their personal information. Active consent can typically be captured by ticking a consent box or clicking an ‘OK’/‘Allow’ button. Active consent must be captured in a way so that consent is not the default option (for example, if there’s an ‘I Accept’ tick box, it should not be pre-ticked so that consent is bundled in with agreeing to install). When we refer to location information, we mean any information that identifies the geographical location of a user’s device, including Cell ID, GPS, Wi-Fi, or other, less granular, information, such as town or region.

IndexGuidelines for all applicationsGuidelines for applications that use locationGuidelines for applications with social networking elementsGuidelines for age-appropriate applicationsGuidelines for applications that use mobile advertising or analytics

Guidelines for all applications

Guidelines for all applicationsBACKDon’t sneak around. An application must not secretly access, collect or share personal information. Identify yourself. Users must know who is using their personal information and how they can contact you for more information or to exercise their rights.ABOUT USApp Adventures is a company that develops apps. You can reach us on our email address superappsapps@appsarethebest.com. Our address is on App street n5, App country. i

Guidelines for all applicationsBACKMake sure users are informed. Use contextual disclosures to make sure users understand how your application will collect and use their personal information. Sometimes, a “privacy policy” will be necessary to achieve this, but many times a “just-in-time” notice is the right way to set expectations about your application and its personal information uses. My Great App Privacy PolicySections:- What we collect- How we use it- Your choices- How to contact usA privacy policy isn’t always the best way to give notice. When a user clicks on “Find Photos near me” (and that’s all you’re using location for), he or she’s given her implied consent.

Guidelines for all applicationsFinancial Times AppMy Great AppCANCELGain the user’s consent, where necessary. Sometimes users will need to give their active consent to uses of their personal information.Collection or use of personal information not necessary for the application’s primary purpose.

Sharing personal information with third parties.

Storing personal information after immediate use of the application. Name: Richard StaceyAge: 52Hobbies: Golf, Sailing, FoodReligion: AgnosticMy Great App is requesting access to your address book to invite friends to join the game. SENDALLOWDON’T ALLOWExample 1Example 2

Guidelines for all applicationsSettingsGive users control over prompting. Where possible, users should have choices about how – and how often – they are reminded about features and functionality that use their personal information. Please let us know how often we should prompt you with this messageEvery dayOnce a week, MondayOnce a monthNeverSave

Guidelines for all applicationsGamesNo silent updates. Users must agree to any updates pushed to their device. And they need to be able to understand what the update contains. UPDATESUPER GAMEDevelopment: Game Inc.This new version includes the following features:Bug fixing

Scoreboard sharing to Facebook and Twitter

In app advertisementIf you make changes to your app, let the users know what changes have been made so they can make decisions about whether to continue to use it; don't cover those changes under a text like “only minor changes”.

Guidelines for all applicationsOn the server side, do not log locations that can be associated with individual users. Instead log aggregates of what you´re interested in. For example, just keep a list of how often people are using your app in London; there is no need to remember which user was in London and when.Minimise the information collected. Personal Information collected by an application must be reasonable, not excessive, and within the scope of the user’s expectations.Keep data secure. Take appropriate steps to protect users’ personal information from unauthorised disclosure or access. Note: The more sensitive the data, the more security you need.

Guidelines for all applicationsRSS Feed AppAuthenticate where security calls for it. Authenticate users where possible using risk-appropriate authentication methods.Set retention and deletion periods. When you no longer need the data you’ve collected for the reasons you collected it, make sure it’s appropriately and completely deleted. If data must be kept (for example, for billing, tax or other good reasons), make sure you keep only the minimum that will meet those needs. Reporting. Give users the tools to report privacy problems within or about your application. Send us feedbackType text Send Log reportSend

Guidelines for all applicationsMyDreamTripGive users control over remote storage. Tell the user if your application will send data to a remote server and use or store it there. Let them know how long you’ll keep the data and why you need it. You should also let them review and delete the information if possible.  AMSTERDAMPrice100 EurLow CostBcn 3:00 pmAms 5:00 pmPrice125 EurIberiaBcn 5:00 pmAms 5:00 pmYour search info will be stored on a remote server for three months so we can improve our search engineOkay

Guidelines for applications that use location

Guidelines for applications that use locationBook RecommenderInform the user that location will be used. Access, use and share location data only when users have a clear understanding that you will do so and of the consequences of participating.Don’t facilitate stalking or surveillance. Applications must not collect, use or share location data about someone other than the user, except where another user has chosen to publish such information. This app would like to use your current location to be able to pull the list of nearby book storesLocate me CancelSometimes, it will be very clear in context why and how you’ll use location. In those cases, minimal notice is necessary.

Guidelines for applications that use locationTetrisCapture appropriate consents where necessary. For many location-enabled applications, the use of location is clear, and is in fact why your user chooses your application. But where location isn’t the primary purpose of the application, or where users might need a little more help in understanding how you use location, more active prompting and consent may be necessary. This app would like to detect your current location to be able to post your points in your national rankingPost my score and locationLocate meNo, ThanksIf location is not the primary purpose of the application or enables a secondary feature, let the user choose to activate location at the time that they use the feature.

Guidelines for applications that use locationHIKING ROUTESThis app would like to use your current locationConsent and control are necessary if you collect or retain a location history. If you will retain a history of location, tell the user how long the data is retained and why. Let them review and delete their history.YesNoShare location with the park rangerYesNoKeep location history of my hiking routesYesNoEdit historyView historySettings

Guidelines for applications that use locationWalk with your friendsConsent and control are necessary if location use persists when the application is active or closed. If you will continue to collect, use or share location data during operation of the application or after a user has closed the application: Get the user’s active consent.

Alert the user when the location feature continues to operate with a persistent indicator. If technically possible, this indicator should appear even when the application is running in the background or does not otherwise appear to be active.

Prompt the user that location will continue to be collected, used or shared after the application is turned off, or placed in the background, and allow them to turn this feature off.

Provide easily accessible settings that allow the user to immediately turn location on or off, including a “location off” feature that overrides all other location settings in the application. Even when closed, App Skywalker will keep collecting your location data in order to trace your walking routeDon´t AllowAllow

Guidelines for applications that use locationRunning CommunityStrawberry finderWhen you start your run, the app will shared your location automatically with:Consent and control are necessary if you share location. If you will share location data with other applications, sites or services: Get the active consent of the user.

Identify and provide a link or other means to access the recipients.

Give users a way to easily manage recipients (for example, to withdraw their consent if they want).This app will make use of your GPS locationFacebookTwitterHyvesFoursquareYesYesAllowYesYesBad practice

Guidelines for applications that use locationCarefully set defaults and give users control over social location features. When users can share their location with the public or with their contacts, the default setting must be private. That is, the user must give active consent to begin sharing location, and must affirmatively choose individual users or groups of users who will have access to their location. In addition: Show a clear indicator when location-sharing is active.

Allow the user to set the level of granularity of the location (city, street, exact physical location etc.).

Allow the user to manually override the location presented, e.g. by typing in an alternate location

Allow users to turn off location-sharing at any time. Guidelines for applications that use locationThis application is offered for free, and sponsored ads are included. You can download the ad-free, paid version here: LINKGive appropriate choices for location-based advertising. Label your application as ad-supported if it will include contextual location-based advertising or sponsored results. Make sure to get active consent before sending advertising or sponsored results based on a stored history of a user’s location. Can we use your location to show you relevant advertising in your area? AllowEnter location manually

Guidelines for applications that use locationMy ShopsMy ShopsProtect children from endangering themselves with social location features. Users who are identified or age-verified as children must be prevented from publishing their location (that is, sharing with the general public). If children are able to share location data with their contacts, granularity must by default be set at the city level or wider. (See more in Guidelines for age-appropriate applicationsbelow). @ Shop X@ Shop XRoad 360 number 5, CityCityYour detailed address will not be shared – only your city. More Info@ Shop X@ Shop XRoad 360 number 5, CityCityRefreshShare locationRefreshShare locationSettingsMoreMoreSettings

Designing for privacy in mobile applications

More Related Content

What's hot (7)

Viewers also liked (20)

Similar to Designing for privacy in mobile applications (20)

More from Vodafone developer (20)

Recently uploaded (20)

Designing for privacy in mobile applications

Editor's Notes