The mobile apps installed on our smartphones are one of the biggest threats to our digital privacy. They are capable of collecting vast amounts of personal data, often highly sensitive.
The consent model on which privacy laws are based doesn’t work. App users remain concerned about privacy, as a recent survey shows, but they still aren’t very good at protecting it. They may lack the technical know-how or the time to review privacy terms, or they may lack the willpower to resist the lure of trending apps and personalised in-app offers.
As a result, privacy laws have become more detailed, imposing additional requirements about notice, data minimisation, and user rights. Penalties have become harsher. And the laws are often global in reach, such as the US Children’s Online Privacy Protection Rule and the EU’s General Data Protection Regulation. For instance, a South African developer of an app downloaded by children in the US and the EU must comply with both, and with South Africa’s Protection of Personal Information Act. This complexity can create a significant compliance burden.
But the real problem, according to a report by the EU Agency for Cybersecurity, is that lawyers and app developers don’t speak the same language. An app developer may have no idea how to translate abstract legal principles into concrete engineering steps.
Cavoukian set out seven foundational principles for a privacy by design approach. But it is the second principle, “privacy as a default setting”, that really sets the bar for a privacy-friendly app.
Build in the maximum degree of privacy into the default settings for any system or business practice. Doing so will keep a user’s privacy intact, even if they choose to do nothing.
This places the responsibility on the app developer to think about the user’s privacy upfront, and design the app in such a way that privacy is protected automatically, while still offering a fully functional app experience.
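One way to make “privacy as a default setting” concrete in code, as an added illustration that is not from the article or from Cavoukian’s principles: the app’s settings object defaults every data-sharing option to off, and a data-minimisation step strips any field from an outgoing event unless the user has opted in to the option that covers it. The setting names, field names and sample event below are hypothetical and constructed for this example; a default user who never touches the settings screen ends up sending only what the app needs to function.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class PrivacySettings:
    """Every optional data-sharing feature is off unless the user opts in.

    The names are hypothetical; a real app would map them to its own features.
    """
    share_location: bool = False
    share_contacts: bool = False
    ad_personalisation: bool = False
    usage_analytics: bool = False


# Fields that may leave the device only when the matching opt-in is set.
OPT_IN_FIELDS = {
    "share_location": {"lat", "lon"},
    "share_contacts": {"contacts"},
    "ad_personalisation": {"advertising_id", "interests"},
    "usage_analytics": {"screen_views", "session_seconds"},
}

# Fields the app needs in order to work at all (data minimisation: keep this small).
ESSENTIAL_FIELDS = {"event", "app_version"}


def defaults_are_private() -> bool:
    """Check that doing nothing leaves every sharing option off.

    Suitable as a unit test so a later change to a default is caught in CI.
    """
    return all(f.default is False for f in fields(PrivacySettings))


def minimise(event: dict, settings: PrivacySettings) -> dict:
    """Return a copy of the event containing only fields the user has allowed."""
    allowed = set(ESSENTIAL_FIELDS)
    for option, option_fields in OPT_IN_FIELDS.items():
        if getattr(settings, option):
            allowed |= option_fields
    return {key: value for key, value in event.items() if key in allowed}


def dropped_fields(event: dict, settings: PrivacySettings) -> set:
    """Fields that were held back; useful for logging what the app did NOT send."""
    return set(event) - set(minimise(event, settings))


# Constructed sample event, as the app might build it before transmission.
SAMPLE_EVENT = {
    "event": "checkout",
    "app_version": "3.1.0",
    "lat": -33.92,
    "lon": 18.42,
    "contacts": ["alice", "bob"],
    "advertising_id": "ad-id-placeholder",
    "interests": ["running"],
    "screen_views": 12,
    "session_seconds": 340,
}

if __name__ == "__main__":
    default_user = PrivacySettings()  # the user who changed nothing
    print("defaults private:", defaults_are_private())
    print("sent by default:", minimise(SAMPLE_EVENT, default_user))
    print("withheld by default:", sorted(dropped_fields(SAMPLE_EVENT, default_user)))

    opted_in = PrivacySettings(share_location=True)
    print("sent after location opt-in:", minimise(SAMPLE_EVENT, opted_in))
```

The point of the `defaults_are_private()` check is that privacy by default is a property of the code, not of a screen the user may never open; a frozen settings object with all-off defaults plus a single chokepoint (`minimise`) through which every outgoing event passes is what makes “the user chose to do nothing” a safe outcome.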
But my research showed that design decisions made by app developers are constrained by existing technologies and platform rules designed by others. These include the device hardware and operating system, the software development kit, ad libraries and app store review policies.
The answer is privacy by (re)design, where all role players in the ecosystem take privacy seriously and redesign existing platforms and technologies. But enforcing that approach will require tighter legal regulation of third-party data sharing.