Let'ss Give Them Something to Talk About: Mobile Devices and the Privacy Policy Distraction

Introduction

"The Tale of the Vacant Lot? " is a story about a young girl, driven by capitalist signifiers of success and self-worth, who buys every product she desires and imagines will improve her life. Unwilling to part with money or any of her other physical possessions, the girl agrees to a trade. The shopkeeper offers to take only "something that has no value to her." When the girl questions what that might be, the shopkeeper replies: "Should it matter?" The twist of course is that the shopkeeper slowly steals pieces of her life. We trade pieces of our lives (in a less metaphysical sense) for free browsing, free email, and a multitude of other online services, but many if not most of us have no idea exactly what it is that we are giving up and to what end. Privacy policies are designed to itemize that bill.

Such transparency has become imperative in a world where transactions, both personal and professional, are conducted increasingly on mobile phones, but as it stands, less than one third of Americans feel they are in control of their personal information on their mobile devices. Many apps routinely gather information from the personal address books of unwitting users and store such information on their servers, with one leading app executive calling it "industry best practice." By June of 2012, California Attorney General Kamala Harris had reached an agreement with Apple, Google, Facebook, Amazon, Microsoft, Hewlett Packard, and Research in Motion that they would require mobile applications ("apps") on their platforms to conspicuously post a privacy policy detailing the information they collect, how they use it, and with whom it is shared. Users would be able to review these policies before they download a given app, and platforms must offer a mechanism to report non-compliant apps. While in some sense this seems to indicate positive momentum with respect to users' privacy, the agreement also serves to further obfuscate the boundaries of privacy rights.

Who's in Charge Here Anyway?

The Harris Agreement is little more than a commitment of these seven platforms to comply with current California law. Section 22575(a) of the 2004 California Online Privacy Protection Act provides that:

An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577.

Paragraph (5) states that "any reasonably accessible means of making the privacy policy available for consumers of an online service" is acceptable.

By engaging these platforms in discussion, the Harris Agreement seems to imply that these platforms have a choice as to whether they obey the law. This unsettling power dynamic has philosophical underpinnings. "Cyber-sovereignty," a philosophy emerging from the smaller, community-based internet of the early 90s, is characterized by the fundamental conviction that traditional legal regimes and institutions should not impose their rules on the digital world and suggests instead that a cyber-regime should be created, designed, and enforced exclusively by members of the online community. The U.S. has, however inadvertently, acquiesced, and in doing so has set some very dangerous precedent. Google was recently embroiled in legal conflict after the site refused to remove the anti Islamic film "Innocence of Muslims" from its site despite the requests of the U.S. government to reconsider. Though in this case it was a victory for free speech, it sets a dangerous precedent. We as a nation have implicitly agreed to entrust our digital rights to entities that have corporate values and shareholders rather than those that are accountable to a constitution and an electorate.

The Harris Agreement continues this pattern of empowering platforms to enforce the law on their terms. This is illustrated most clearly by what it fails to say: There is no mention of a requirement to remove any non-compliant apps. All that this agreement secures is a promise, but we actually had that before. Prior to the Harris Agreement, Google required developers to ask users for permission to obtain their online data and Apple prohibited any app that collected or transmitted data without permission, but a June 2012 study found that only 22.7% of free apps and 13.3% of paid apps across all platforms posted their privacy policies on the app listing page. To continue to legitimize these entities as policymakers is worse than useless; it is entirely the problem.

If a Privacy Policy Falls in the Forest, and Nobody Can Understand It, Does it Make a Sound?

Privacy policies, when written with clarity and transparency in mind, are an effective tool for consumers to make choices about which online services they use. Disclosure is an important first step, but unfortunately, it does not necessarily create accountability. What apps do with personal information, and just how much personal information they access, is still largely invisible. Even if app manufacturers are honest in their privacy policies, they will likely still tend to lack for comprehensiveness. These policies are not so much intended to afford consumers protection as they are to serve manufacturers legal liability. They are vague by design, and as Harris herself has said, most privacy policies are "absolutely beyond the understanding of the average person." A recent survey even found that Google and Facebook privacy policies are more confusing than the small print coming from credit card companies. It is no wonder that most consumers do not read privacy policies.

Conclusion

Though one might wonder why on earth the government would expend the regulatory energy attempting to improve a tool that most people entirely disregard, it is easy to see why these platforms are so accommodating. The agreement changes nothing of substance. Companies that trade on data collection will still be free to do whatever they choose with users' data and they will be able to hide behind the shield of legal compliance. If the government truly wanted to make meaningful changes, they would have put actual penalties in place for companies that take users' data without their express permission. Instead, they have seemingly strengthened the privacy policy shield. Pity that it is protecting the wrong side.

-- StacyAdelman - 27 Apr 2013