The Application Privacy, Protection and Security (APPS) Act of 2013, proposed last month by Rep. Hank Johnson, D-Ga., but not yet introduced as a bill, would require developers to disclose how they collect personal data and which other parties would have access to that data. In addition, the legislation would inform consumers what information is collected and how long it could be stored, and it would allow them to prevent developers from sharing or collecting their own data.
However, if enacted, APPS restrictions on how mobile app developers use personal data would do more harm than good, according to one mobile device security expert.
Such a law "would stand the industry on its ear," said Joe Santilli, CEO of SafeApp, a Coconut Grove, Fla.-based company that is developing its own authentication system for mobile app developers. "I have some real issues with it."
According to a website launched by Johnson to promote the proposal, under the APPS Act, a developer would have to identify the consumer before collecting any personal data and obtain that user's consent. Developers would then be required to "prevent unauthorized access to a user’s data through reasonable and appropriate security measures. This provision would address sub-standard data storage practices by promoting responsible data storage."
"The APPS Act contains a safe harbor for companies that comply with the enforceable code of conduct agreed upon through the NTIA’s [National Telecommunications and Information Administration] multi-stakeholder process," the proposed legislation further states. "This approach give(s) developers flexibility in how they display their privacy policies and interact with consumers, and avoids a heavy-handed legislative approach."
According to Santilli, Johnson "has done a remarkable job of learning and understanding the complexities of the app ecosystem," but his proposed legislation places too much of a hardship on app developers. Such a law, he said, would require developers to include technology that would ferret out all third parties, as well as set up a system that would scrub out all personal data at a later date.
"It's a specious strategy," Santilli said. "By the time the developer would get this, he would already have shared [the data] with other parties…Once the genie is out of the bottle, you can't put him back in."
By comparison, Santilli said his company took apart one popular video game and uncovered more than 50 third parties – including entities in Russia and China – that could extract personal information from the game. That was one of 1,000 apps the company analyzed on Google, he said.
"It's amazing the data contained in there," he commented.
Santilli also wonders if consumers would pay attention to the fine print. Many "want the app more than they care" about privacy protections, he said, and don't understand what they're opening themselves up to when they open an app.
"It's not just healthcare – it's any app that accesses your phone," he said. "An app is like giving somebody the keys to the house."
Santilli's solution: Hold developers of mobile healthcare apps to a higher standard, but understand there are inherent risks to an app that can't be mandated away without crippling the industry. App developers, he said, should be required to post their privacy and authentication efforts, so that consumers know up front what they're getting into and can shy away from those who don't meet healthcare standards.
Santilli, whose company is designing a platform that would enable app developers to meet standards through SSL certificates, said the emphasis should be on developers to establish a level of trust with consumers, rather than creating mandates that would be too onerous or difficult to enforce.
In a similar vein, Congress is taking a look at how mobile devices and apps track users' locations. Sen. Al Franken, D-Minn., who last year submitted a bill that calls for encryption of mobile devices to protect personal health information, is also working on a bill that would require app developers and other entities to obtain one-time consent from users to record their locations via mobile devices. That bill, which passed muster with the Senate Judiciary Committee, would also require mobile services to indicate which third parties – including advertisers – would have access to that location.
That bill has touched off a debate over whether such restrictions would severely hinder the mobile app industry, which is backed by marketers who need to know relevant information about users to push targeted advertising to them. In a New York Times story, Sen. Charles Grassley, R-Iowa, argued against Franken's bill, saying it would hinder local marketing efforts and require a new consent notice every time someone opened an app.
"Consumers would revolt if this [were] the case, and applications would be rendered useless," he said in the Times article. "Worse yet, free applications that rely on advertising could be pushed by the consent requirement to become fee-based."
Others disagree, saying efforts by Franken and Johnson are the first step in a battle to give users control of their own digital footprints.
"People don't think about how they broadcast their locations all the time when they carry their phones. The law is just starting to catch up and think about how to treat this," said Marcia Hofmann, a senior staff lawyer at the Electronic Frontier Foundation, a San Francisco-based digital rights group, in the Times article. "In an ideal world, users would be able to share the information they want and not share the information that don't want and have more control over how it is used."