The familiar perils of the mobile ecosystem
This article was first published in Data Protection Law & Policy in March 2013
I had not heard the word 'ecosystem' since school biology lessons. But all of a sudden, someone at a networking event dropped the 'e' word and these days, no discussion about mobile communications takes place without the word 'ecosystem' being uttered in almost every sentence. An ecosystem is normally defined as a community of living things helping each other out (some more willingly than others) in a relatively contained environment. The point of an ecosystem is that completely different organisms – each with different purposes and priorities – are able to co-exist in a more or less harmonious but eclectic way. The parallel between that description and what is happening in the mobile space is evident. Mobile communications have evolved around us to take on a life of their own, separate from traditional desktop-based computing and web browsing. Through the interaction of very different players, our experience of communications on the go via smart devices has become an intrinsic part of our everyday lives.
Mobile apps in particular have penetrated our devices and lifestyles in the most natural of ways. Studies show that apparently an average smartphone user downloads 37 apps. The fact that the term 'app' was listed as Word of the Year in 2010 by the American Dialect Society is quite telling. Originally conceived to provide practical functions like calendars, calculators and ring tones, mobile apps bring us anything that can be digitised and has a role to play in our lives. In other words, our use of technology has never been as close and personal. Our mobile devices are an extension of ourselves and mobile apps are an accurate tool to record our every move (in some cases, literally!). As a result, the way in which we use mobile devices tells a very accurate story of who we are, what we do and what we are about. Conspiracy theories aside, it is a fact that smartphones are the perfect surveillance device and most of us don't even know it!
Policy makers and regulators throughout the world are quickly becoming very sensitive to the privacy risks of mobile apps. Enforcement is the loudest mechanism to show that nervousness but the proliferation of guidance around compliance with the law in relation to the development, provision and operation of apps has been a clear sign of the level of concern. Regulators in Canada, the USA and more recently in Europe have voiced sombre concerns about such risks. The close and intimate relationship between the (almost always on) devices and their users is widely seen as an aggravating factor of the potential for snooping, data collection and profiling. Canadian regulators are particularly concerned about the seeming lightning speed of the app development cycle and the ability to reach hundreds of thousands of users within a very short period of time. Another generally shared concern is the fragmentation between the many players in the mobile ecosystem – telcos, handset manufacturers, operating system providers, app stores, app developers, app operators and of course anybody else who wants a piece of the rich mobile cake – and the complexity that this adds to it.
All of that appears to compromise undisputed traditional principles of privacy and data protection: transparency, individuals' control over their data and purpose limitation. It is easy to see why that is the case. How can we even attempt to understand – let alone control – all of the ways in which the information generated by our non-stop use of apps may potentially be used when all such uses are not yet known, the communication device is undersized and our eagerness to start using the app acts as a blindfold? No matter how well intended the regulators' guidance may be, it is always going to be a tall order to follow, particularly when the expectations of those regulators in terms of the quality of the notice and consent are understandably high. In addition, the bulk of the guidance has been targeted at app developers, a key but in many cases insignificant player in the whole ecosystem. Why is the enthusiastic but humble app developer the focus of the compliance guidelines when some of the other parties – led by the operator of the app, which is probably the most visible party to the user – play a much greater role in determining which data will be used and by whom?
Thanks to their ubiquity, physical proximity to the user and personal nature, mobile communications and apps pose a massive regulatory challenge to those who make and interpret privacy rules, and an even harder compliance conundrum to those who have to observe them. That is obviously not a reason to give up and efforts must be made by anyone who plays a part to contribute to the solution. People are entitled to use mobile technology in a private, productive and safe way. But we must acknowledge that this new ecosystem is so complex that granting people full control of the data generated by such use is unlikely to be viable. As with any other rapidly evolving technology, the privacy perils are genuine but attention must be given to all players and, more importantly, to any mechanisms that allow us to distinguish between legitimate and inappropriate uses of data. Compliance with data protection in relation to apps should be about giving people what they want whilst avoiding what they would not want.