{"id":322894,"date":"2021-08-12T15:40:16","date_gmt":"2021-08-12T12:40:16","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/why-the-privacy-by-design-approach-to-mobile-apps-isnt-enough\/"},"modified":"2021-08-12T15:40:16","modified_gmt":"2021-08-12T12:40:16","slug":"why-the-privacy-by-design-approach-to-mobile-apps-isnt-enough","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/why-the-privacy-by-design-approach-to-mobile-apps-isnt-enough\/","title":{"rendered":"#Why the \u2018privacy by design\u2019 approach to mobile apps isn\u2019t enough"},"content":{"rendered":"<p>&#8220;<strong>#Why the \u2018privacy by design\u2019 approach to mobile apps isn\u2019t enough<\/strong>&#8221;<\/p>\n<div>The mobile apps installed on our smartphones are one of the biggest threats to our <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/ec.europa.eu\/justice\/article-29\/documentation\/opinion-recommendation\/files\/2013\/wp202_en.pdf\">digital privacy<\/a>. They are capable of collecting vast amounts of personal data, often highly sensitive.<\/p>\n<p>The consent model on which privacy laws are based doesn\u2019t work. App users remain concerned about privacy, as a recent <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.yellowbrick.com\/press-releases\/yellowbrick-survey-pandemic-era-consumers-love-apps-but-have-security-concerns\/\">survey<\/a> shows, but they still aren\u2019t very good at protecting it. They may lack the technical know-how or the time to review privacy terms, or they may lack the willpower to resist the lure of trending apps and personalized in-app offers.<\/p>\n<p>As a result, privacy laws have become more detailed, imposing additional requirements about notice, data minimization, and user rights. Penalties have become harsher. And the laws are often global in reach, such as the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ftc.gov\/enforcement\/rules\/rulemaking-regulatory-reform-proceedings\/childrens-online-privacy-protection-rule\">US Children\u2019s Online Privacy Protection Rule<\/a> and the EU\u2019s <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679\">General Data Protection Regulation<\/a>. For instance, a South African developer of an app downloaded by children in the US and the EU must comply with both and with <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.gov.za\/documents\/protection-personal-information-act#:%7E:text=The%20Protection%20of%20Personal%20Information,by%20public%20and%20private%20bodies%3B&amp;text=to%20regulate%20the%20flow%20of,provide%20for%20matters%20connected%20therewith.\">South Africa\u2019s Protection of Personal Information Act<\/a>. This complexity can create a significant compliance burden.<\/p>\n<p>But the real problem, according to a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.enisa.europa.eu\/publications\/privacy-and-data-protection-in-mobile-applications\">report<\/a> by the EU Agency for Cybersecurity, is that lawyers and app developers don\u2019t speak the same language. 
An app developer may have no idea how to translate abstract legal principles into concrete engineering steps.<\/p>\n<p>As a result, regulators have looked to the concept of <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/iapp.org\/media\/pdf\/resource_center\/pbd_implement_7found_principles.pdf\">\u201cprivacy by design\u201d<\/a> as a way to bridge this divide. The concept was coined in the late 1990s by Ann Cavoukian when she was the Information and Privacy Commissioner for Ontario, Canada. Privacy by design goes beyond privacy policies and in-app permission settings. It requires developers to think about privacy from the first moment of the design process.<\/p>\n<p>Cavoukian set out seven foundational principles for a privacy by design approach. But it is the second principle, \u201cprivacy as a default setting\u201d, that really sets the bar for a privacy-friendly app.<\/p>\n<blockquote><p>Build in the maximum degree of privacy into the default settings for any system or business practice. Doing so will keep a user\u2019s privacy intact, even if they choose to do nothing.<\/p>\n<\/blockquote>\n<p>This places the responsibility on the app developer to think about the user\u2019s privacy up front and design the app in such a way that privacy is protected automatically, while still offering a fully functional app experience.<\/p>\n<p>But <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/researchspace.ukzn.ac.za\/xmlui\/handle\/10413\/19431\">my research<\/a> showed that design decisions made by app developers are constrained by existing technologies and platform rules designed by others. 
These include the device hardware and operating system, the software development kit, ad libraries, and app store review policies.<\/p>\n<p>The answer is <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/iapp.org\/resources\/article\/06-22-2012-privacy-by-redesign-a-practical-framework-for-implementation\/\">privacy by (re)design<\/a>, where all roleplayers in the ecosystem take privacy seriously and redesign existing platforms and technologies. But enforcing that approach will require tighter legal regulation of third party data sharing.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Change_of_mindset\"><\/span>Change of mindset<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Applying a privacy by design approach requires a change of mindset by developers. They must be proactive, rather than responding after the fact to a data breach that could have been prevented. The days of collecting as much personal data as possible in the hope that it might prove valuable later are gone. Developers must align data collection to a specific purpose for which the data is needed and communicate that to app users. 
They should also anonymize or delete the data as soon as possible.<\/p>\n<p>Privacy should become a key component of design methodology, selection of technical tools, and organizational value statements.<\/p>\n<p>These are important changes, endorsed in guidelines for mobile app developers published by the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/iapp.org\/media\/pdf\/resource_center\/gsmaprivacydesignguidelinesformobileapplicationdevelopmentv1%20%281%29.pdf\">Global System for Mobile Communications<\/a> and by regulators in the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ftc.gov\/sites\/default\/files\/documents\/public_statements\/privacy-design-and-new-privacy-framework-u.s.federal-trade-commission\/120613privacydesign.pdf\">US<\/a>, the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/ico.org.uk\/media\/for-organisations\/documents\/1596\/privacy-in-mobile-apps-dp-guidance.pdf\">UK<\/a>, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.oaic.gov.au\/privacy\/guidance-and-advice\/mobile-privacy-a-better-practice-guide-for-mobile-app-developers\/\">Australia<\/a>, and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ipc.on.ca\/wp-content\/uploads\/Resources\/pbd-asu-mobile.pdf\">Canada<\/a>, among others. In the EU \u201cdata protection by design and by default\u201d is now <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679\">a legal obligation<\/a> of the General Data Protection Regulation.<\/p>\n<p>But, as my research shows, this might not be enough without the redesign of the app ecosystem to address data sharing, a view supported by other research. 
According to <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/dl.acm.org\/doi\/10.1145\/3201064.3201089\">one study<\/a>, most apps transmit data directly to third parties, like Google, Facebook, and ad exchanges, via trackers embedded in the app code. But I found that privacy laws do not comprehensively or consistently address this third party sharing.<\/p>\n<p>The term \u201cthird party\u201d is not defined in the Protection of Personal Information Act, but would include ad networks, content-sharing sites and social networking platforms. Third parties are thus distinguished from downstream processors who may perform specified data processing on your behalf under a contract.<\/p>\n<p>It is difficult to enforce legal liability against these third parties, who are often outside the country where the app was developed. Their terms and conditions typically place full responsibility for privacy compliance by the app on the app developer. This may leave app users unprotected. 
But it could also expose the app developer to unforeseen legal liability.<\/p>\n<p>Liability for the app developer arises because under both the Protection of Personal Information Act and General Data Protection Regulation if you played a role in determining \u201cthe purpose or means\u201d of data processing you are a \u201cjoint\u201d responsible party (data controller) for the data processed by the third party.<\/p>\n<p>The European Court of Justice has twice held small businesses liable as \u201cjoint controllers\u201d for Facebook\u2019s collection of data, via a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/curia.europa.eu\/juris\/liste.jsf?num=C-210\/16\">fan page<\/a> and a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/curia.europa.eu\/juris\/liste.jsf?num=C-40\/17\">like<\/a> button. Although the judgments stress that joint control is not necessarily \u201cequal liability\u201d, this should still be a concern for app developers.<\/p>\n<p>For example, app developers using the Facebook Software Development Kit are sharing personal data with Facebook. Event logs such as \u201capp installed\u201d, \u201cSDK initialized\u201d and \u201capp deactivated\u201d give detailed demographic and behavioral insights about an app user. In 2018 Privacy International <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/privacyinternational.org\/report\/2647\/how-apps-android-share-data-facebook-report\">reported<\/a> that the setting to delay transmission of logged events until after the user has consented was only added by Facebook 35 days after General Data Protection Regulation came into force, and then only if enabled by the developer for SDK version 4.34 or higher. 
This change appears to have followed repeated bug reports filed on the developer\u2019s platform.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Take_aways\"><\/span>Take aways<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The takeaway here for developers following a privacy by design approach is to \u201c<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/iapp.org\/media\/pdf\/resource_center\/pbd_implement_7found_principles.pdf\">trust but verify<\/a>\u201d:<\/p>\n<ul>\n<li>Check contract terms and third party code carefully;<\/li>\n<li>Monitor developer platforms for security and privacy updates;<\/li>\n<li>Only work with organizations that offer adequate privacy guarantees;<\/li>\n<li>Notify your users about data transfers to third parties and provide easy-to-use privacy controls.<\/li>\n<li>Keep logs so that you can respond promptly if an app user requests details of the personal data you hold and the recipients (or categories of recipients) of that data.<\/li>\n<\/ul>\n<p>Prosecuting app developers who breach data laws is important but not enough. Ultimately the parties who design the technologies and platforms on which mobile apps are built and marketed must be brought within the legal accountability framework to close the privacy loop.<\/p>\n<p><em>Article by <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/profiles\/dusty-lee-donnelly-1231320\">Dusty-Lee Donnelly<\/a>, Lecturer in Law &amp; Advocate, High Court of South Africa, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/institutions\/university-of-kwazulu-natal-1941\">University of KwaZulu-Natal<\/a><\/em><\/p>\n<p><em>This article is republished from <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\">The Conversation<\/a> under a Creative Commons license. Read the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/the-privacy-by-design-approach-for-mobile-apps-why-its-not-enough-164090\">original article<\/a>.<\/em><\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/thenextweb.com\/news\/privacy-by-design-isnt-enough-syndication\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Why the \u2018privacy by design\u2019 approach to mobile apps isn\u2019t enough&#8221; The mobile apps installed on our smartphones are one of the biggest threats to our digital privacy. They are capable of collecting vast amounts of personal data, often highly sensitive. The consent model on which privacy laws are based doesn\u2019t work. 
App users remain&#8230;<\/p>\n","protected":false},"author":1,"featured_media":322895,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/img-cdn.tnwcdn.com\/image\/tnw?filter_last=1&fit=1280,640&url=https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/08\/franck-DoWZMPZ-M9s-unsplash-1.jpg&signature=6899ebc4614bb1849152f7b62d85f834","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-322894","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/322894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=322894"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/322894\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/322895"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=322894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=322894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=322894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}