Mobile App Privacy: The Hidden Risks

Christopher Cwalina is a Partner in our Washington D.C. office. Richard Raysman and Steven Roosa are Partners in our New York office.

A Practice Note discussing privacy considerations in the context of mobile applications (apps), including liability risks associated with mobile app information collection and practices for addressing those risks. This Note provides an overview of how mobile apps use technology to collect information about and track end users, identifying key differences between mobile apps and websites in terms of how they collect and store end-user information and end users' ability to control that collection and storage. It also discusses the legal framework governing mobile app privacy, including FTC rulemaking, guidance and enforcement actions.

Privacy is among the key legal risks associated with mobile application (app) development and deployment. These risks arise, in particular, because:

Mobile apps collect user information in new ways that often are not understood by, or capable of being controlled by, the average end user.
The smaller screen size of many mobile devices can make it harder for an app to communicate its user information practices to end users.
Apps are increasingly under the scrutiny of regulators and advocacy groups, who use independent researchers to identify undisclosed user information collection and sharing.

To properly manage these risks, legal counsel must be involved throughout the process, from the early stages of development and continuing after the app has been launched. This includes actively monitoring:

Cutting-edge forms of marketing and advertising.
The background collection and sharing of end user information.
The content and mode of presenting consumer disclosures.

This Note focuses on the privacy issues associated with mobile apps rather than mobile browsers, since a number of mobile browsers and their related privacy controls have evolved to operate similarly to their PC-based counterparts. Specifically, this Note examines issues regarding:

Mobile app information collection and retention.
The legal exposure and risks associated with mobile app privacy concerns.
Children's online privacy and apps.
Achieving compliance and reducing risk.

MOBILE APP INFORMATION COLLECTION

Understanding the technical ways mobile apps collect and share information is key to identifying and managing the regulatory and litigation risks associated with mobile app privacy. Counseling in this area requires familiarity with the:

Types of information apps must collect and share (see Necessary Information Collection and Storage).
Ways mobile app technology collects and shares information (see Mobile App Tracking Technology).

Website Privacy Legacy

A major challenge for managing mobile app privacy risk is that ideas about online privacy and security gained prominence as the internet evolved as a mainstream communication platform, and common understandings about online privacy remain grounded in the website model. However, mobile apps differ from websites in certain critical ways:

How they collect, store and use user information.
The types of user information they can collect and use.

In particular, key privacy-related differences between websites and mobile apps include that:

Apps collect, store, use and share end user information in ways that differ from browser software and, therefore, can often surprise even web-savvy end users. This occurs at a technical level of the mobile device's operations that is invisible to the average end user.
While end users can avoid most browser-based tracking with a small amount of effort, mobile apps frequently use hardware device identifiers (hardware IDs) that cannot be deleted or reset. For more on browser-based information collection and storage, see Box, Website Information Collection.

Necessary Information Collection and Storage

Recognizing, and educating end users, that certain information collection and retention is necessary for an app, as it is for a website, to provide a satisfactory user experience is critical to managing privacy risks. Many mobile app functions either require, or are enhanced by, servers remembering certain facts about an end user. This information may include, for example, the user's:

Identity.
Usage history.
Past log-ins.
Navigation.

This remembering is critical for both app providers and the third parties who provide services to them, for example, to:

Enable certain functionality, for example, shopping carts.
Customize content based on the user's preferences.
Provide a secure environment.
Serve targeted advertising.
Analyze usage (analytics), which can be used to improve the app or its features.

This also presents a privacy trade-off. The more an app or service provider knows about a particular end user and his usage, the better it can tailor certain features for a better user experience, but the more it knows, the greater the risk that the information will be leaked or misused.

Decentralized Information Collection

Many mobile apps, like websites, use third parties to:

Serve ads.
Perform analytics.
Deliver content.

As with websites, when an end user downloads or uses an app, parties in addition to the app publisher are likely collecting information about that user.

However, because apps are not browser-based (see Box, Website Information Collection: Browser-based Privacy Framework), there are no browser cookies available to allow third parties to remember end users across mobile apps in the way that third parties remember website users across large portions of the web. Therefore, in contrast with the website model, mobile app information collection is decentralized and controlled by the app itself in an isolated environment. In instances where apps use browser functionality, the browser and the app functions generally operate separately at the technical level.

Mobile App Tracking Technology

To track end users, apps generally use one or more of the following:

Hardware IDs (see Hardware IDs).
Geolocation (see Geolocation).
Metadata and information associated with other stored files, including photos, audio files, video and contacts (see Stored Files and Metadata).
Information collected and stored in the app itself (see App-specific Storage).

As these practices have become more pervasive and provoked public backlash over data collection practices, some mobile software developers have begun to provide settings to enhance privacy. Therefore, some users, particularly those running newer operating system versions, may now have the means to control whether particular apps may access location information or certain files on the device. However:

Disallowing certain data collection may impair an app's usefulness (see Necessary Information Collection and Storage).
Even with these privacy enhancements, most mobile app data collection remains beyond the end user's control.

Hardware IDs

Mobile app developers rely on hardware IDs to track end users and, in many cases, enable their apps' functionality. Hardware IDs also enable content and advertising providers to track end users across many mobile apps. Hardware IDs are unique permanent identification numbers or character strings associated with a device. Types of hardware IDs include:

Cellphone radio identifiers, namely the Mobile Equipment Identifier (MEID) and the International Mobile Station Equipment Identity (IMEI).
WiFi radio Media Access Control (MAC) address.
Bluetooth radio identifier.
Platform-specific identifiers, for example, Apple's Unique Device Identifier (UDID).

The key difference between hardware IDs and the identifiers stored in website browser cookies is that hardware IDs are permanently associated with the device. By deleting cookies and local shared objects, an end user can typically prevent a certain amount of tracking and retain some degree of anonymity from third parties: once the stored identifiers are gone, the third party's servers must set new, different identifiers the next time they connect with the end user, and have no stored identifier with which to link the new ones to the user's earlier activity.

However, in the mobile app context, even if a user deletes the app, clears all web content, wipes all storage and restores factory defaults, the hardware ID remains unchanged. Third parties that have tracked the end user's network traffic and stored that information can still associate it with the end user's device. Therefore, a hardware ID can identify the mobile device for the life of the device. This has prompted objections from privacy advocates regarding the use of hardware IDs for tracking purposes.

Apple has taken some steps to address concerns that privacy advocates and others have raised about hardware IDs, including that it:

Has created a software-generated identifier known as the Identifier for Advertising (IFA).
Is expected to include in future versions of its mobile operating system a sliding toggle that will allow users to easily clear and reset the IFA.

Together, these would have an effect similar to deleting cookies in a browser.

However, UDIDs still exist on iOS devices, and many third parties continue to collect and use them to track users. The collection of end user MAC addresses also remains pervasive, as observed on both the iOS and Android platforms. Therefore, it is unclear whether:

The IFA and similar measures will be widely embraced in the mobile app community.
Even if they are...
