A disposable society
The Internet is the mirror of the consumer society, a disposable society. With the multiplication of offers and tough competition, operators tend to deliver products that have high technical performance but low durability. When it comes to the mobile Internet, the situation is obviously similar. Ever since the launch of the first generation of iPhones, developers have created a vast set of software products designed to be ergonomic and user-friendly, most of them for convenience or entertainment: the mobile applications.
Just like other products, mobile applications are often disposable products. They have a very short lifetime and a lot of them are downloadable for free. Many software or video game publishers tend to develop mobile applications just to be represented in application stores for communication purposes. Last September, while releasing its App Store Review Guidelines in an attempt to have developers create more useful and durable applications, Apple made a not very elegant but meaningful statement: “We have over 250.000 apps in the App store. We don’t need any more Fart apps.”
Mobile applications are really easy to download, install and use. For that reason, many people accumulate apps on their smartphones, only to boast of having downloaded the latest useless app. What they may not be fully aware of is that mobile applications may help gather a great deal of information relating to individuals without them noticing (either because companies operating mobile apps do not provide adequate terms and conditions, or simply because end users almost never read the terms and conditions). Apps often require the creation of a user account and may have access to many personal items, such as a mobile device’s contacts list, username and password, geolocation data, the user’s consumption habits, etc. Mobile applications involve prior acceptance of terms and conditions of use and giving one’s consent each time geolocation data is requested.
However short the lifetime of a mobile application, the traces left on the web by mobile app users are much more long-lasting. Indeed, many mobile applications involve personal data processing for different purposes: creation of a user account, building client/user databases, improving the services provided, etc. Apart from pure processing requirements, the data may be used for many other purposes, including commercial purposes (sending commercial offers, newsletters, etc.). The data may also be transferred to a third party that will use the data for its own commercial activities.
The law on data processing has long been established in France: the first piece of legislation dates back to 1978 and is highly protective of individuals. The breach of legal provisions regarding data processing is a criminal offence punishable by a fine of up to €300.000 per infraction and up to five years’ imprisonment. In addition, the French Data Protection Authority (CNIL) has the power to send warnings and impose financial penalties of up to €150.000. The CNIL receives a great number of complaints and claims and regularly uses its power of sanction. Therefore, there are very few court decisions making use of criminal sanctions.
We have already insisted on the necessity of being legally and technically protected when conducting e-business activities or using cloud-based services¹. Digital data protection is particularly important since companies collecting data and their data controllers have to ensure an optimal level of technical protection and provide legal guarantees to the individuals. For instance, users must opt in for the use of their data and have a right of access to and rectification of their data.
As such, the use of personal data collected on the web is not forbidden as long as the individuals concerned have consented to it and have been comprehensively informed of the use of their data. In particular, they must be advised of:
- The nature of the data collected;
- The reason for their collection;
- Any use that will be made of the data;
- The process for accessing, rectifying, or deleting their data;
- The location of the servers;
- The persons to whom the data may be transferred;
- The duration of data storage.
Consumer protection is regarded as a priority in Europe and personal data protection follows exactly the same logic. To date, there is no case of sanctions in respect of the illegal use of data collected through the use of mobile applications. Nevertheless, in June the CNIL published on its website concerns and recommendations regarding the use of smartphones and the issue of data collection through mobile devices, in particular geolocation data.
Furthermore, mobile apps are proprietary software. In that respect, they have to be duly protected under the terms of a specific licence agreement. Even if mobile apps are merely mobile interfaces enabling users to have access to an Internet platform, whereby a company provides its services, they shall still be protected from any unauthorised use, copy, modification, rental or sale. The End User Licence Agreement covering the use of the Internet platform does not cover the use of the corresponding mobile app. If developers and companies follow Apple’s recommendations and offer more durable mobile applications, such protection might be of utmost importance because competition between applications will then be booming.
Privacy issues with respect to the use of mobile applications have not triggered any legal action in France yet. However, as we said above, the CNIL has expressed concerns and will undoubtedly be very watchful. The first noticeable judicial illustration is actually very recent and has been initiated in the United States.
On 23 December 2010, an action was brought before the District Court of California against Apple Inc., Gogii Inc., Pandora Media Inc., Backflip Studios Inc., The Weather Channel Inc., Dictionary.com LLC, Outfit7 Ltd., Room Candy Inc. and Sunstorm Interactive Inc. The case involves privacy issues concerning the uses of the Unique Device ID (UDID). The UDID is a serial number that Apple assigns to every smartphone it manufactures. The UDID is comparable to the IP address, the number that identifies computers on the web, except that the UDID is absolutely unique to each device. The UDID is also comparable to the cookies used by advertisers to track web users’ activities.
In France, the IP address is not considered personally identifying information following a ruling by the Court of Appeal of Paris, on the grounds that it does not make it possible to identify individuals directly². This point is a subject of controversy in France, since all European regulators consider the IP address to be personal information and the CNIL has also expressed disagreement with that ruling.
This lawsuit is a Class Action brought on behalf of individuals, owners of iPhones, who downloaded the applications provided by the Defendants. The statement of facts alleges that the apps operated by the Defendants were accessing Plaintiff’s UDID and location information and transmitting that information to numerous third-party advertising networks. When that information is coupled with all types of information (e.g. consumer habits) gathered through the users’ mobile devices each time they use apps, it becomes a very powerful commercial tool for advertising networks.
This action follows the release of several papers and articles reporting that mobile applications are breaching privacy rules.³ Even if the case has not been judged, it is still a relevant illustration of how privacy rules may sometimes be disregarded. This also reminds us that one should be very careful while browsing the web through a computer or a mobile phone. For developers and software publishing companies, it shows how paramount it is to provide a protective and efficient contractual framework.