In a blog post on 11 March 2016, the ICO's Group Manager for Technology, Simon Rice, considers how apps are used and reminds app developers that privacy should be appropriately considered. As Rice points out, apps are big business. Users expect to be able to interact with organisations on smartphones and tablets through an app. However, just because apps are intended to be convenient, quick ways to access a service does not mean that legal requirements can be dispensed with.
In 2015, the ICO carried out a review of 21 popular apps and found some areas of concern, in particular around the encryption of connections used to transmit personal data. Three apps were found to use unencrypted connections to transmit personal data. A further three apps that were using encryption (https connections) were not appropriately checking digital certificates, which risks an attacker impersonating the server and personal data therefore being transmitted to the wrong server.
Other areas of concern include:
- weak password requirements;
- transmission of passwords in the URL;
- unexplained usage of tracking ID numbers; and
- misleading interface design.
ICO guidance for app developers – a reminder
In 2013 the ICO produced guidance for app developers. The guidance has not been updated since its first publication. Whether this 'sweep' will prompt an update to the guidance remains to be seen. However, Rice does recommend that app developers take the opportunity to read the guidance.
In light of this recommendation, we have set out the seven key questions from the guidance to ask yourself when developing an app. Much of this should not be new. The rules are the same regardless of the medium for processing data. Remember also that organisations should be considering these questions before an app is developed and take a 'privacy by design' approach.
- Will your app deal with personal data?
Make sure you properly consider whether personal data will be processed using your app. Remember that personal data may not be as obvious as a name. Device identifiers such as IMEI numbers will constitute personal data.
- Who is the data controller?
Once you have established that your app will be processing personal data you need to consider who is the data controller of that personal data. Who determines the manner and the purpose for processing?
- What data will you collect?
Make sure only the minimum data necessary is collected and it is only kept for as long as it is required for the specified purposes. Consider whether less privacy intrusive data might be collected. For example, if photos are collected strip out unnecessary metadata such as the date of creation of the image or the location.
- How will you inform users?
- How will you give your users feedback and control?
Avoid taking an 'all or nothing' approach. Allow users to take control of their settings including by allowing users to change the choices once the app is in use. If your app uses data in an unexpected way clearly alert the user to this processing and provide an easy way to stop the processing.
- How will you keep the data secure?
Ensure data is encrypted where appropriate. This is especially important given the ICO's findings following its review of mobile apps. Usernames, passwords and other particularly sensitive information should always be transmitted using encrypted connections. Consider vulnerabilities that are more relevant to apps, such as inter-app injection flaws. The guidance also specifically mentions that SSL and TLS connections should be checked to ensure that a connection is secure.
- How will you test and maintain your app?
Review your app privacy policies to ensure they comply with the guidance. Rice also mentioned that the ICO has started a second investigation into finance and wellbeing apps. If you work in this field make sure your house is in order so if the ICO comes knocking you will be well armed to respond to criticisms.
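The three transport findings from the ICO review (unencrypted connections, passwords in the URL, and https clients that do not check the server's certificate) can be caught before release with a simple self-check. The following Python is an added illustration written for this post, not ICO code or any app's code; the function names, the list of sensitive parameter names and the sample URLs are assumptions made for the example.

```python
"""Offline self-check for the transport findings in the ICO app review.

Constructed for illustration: the helper names, SENSITIVE_PARAMS and the
sample URLs are assumptions, not taken from the ICO guidance.
"""
import ssl
from urllib.parse import parse_qs, urlsplit

# Query-string keys that must never carry a secret (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token"}


def make_verified_context():
    """The setting a client should use: verify the chain and the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_unverified_context():
    """The weak setting the review found: the certificate is not checked, so
    any server holding any certificate can impersonate the real one."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_transport(url, ctx):
    """Return the list of findings for a request URL and its SSL context.

    An empty list means the request passes all three checks from the review.
    """
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("personal data sent over an unencrypted connection")
    if parts.password:
        findings.append("credentials embedded in the URL userinfo")
    if SENSITIVE_PARAMS & set(parse_qs(parts.query)):
        findings.append("password or token transmitted in the URL query string")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    return findings
```

Run `audit_transport` over every endpoint the app talks to as part of the test suite; any non-empty result is a release blocker rather than something to discover after an ICO sweep.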