The National Telecommunications and Information Administration (NTIA) led a multi-stakeholder process last year aimed at developing a voluntary code of conduct for mobile app transparency. Some of those who participated in the process spoke at a Global Privacy Summit preconference session Wednesday on why a multi-stakeholder process was chosen, what the code looks like and whether the process was a success.

The NTIA’s John Verdi led the stakeholder process for the Department of Commerce but was quick to tell the room that the code—now in its final draft after 142 earlier versions, 19 of which became public—is not a government product.

“This is not something NTIA drafted; we are indebted to the very hard work of stakeholders and will continue to be indebted as we debate, negotiate and find creative solutions, especially given the gridlock of Washington.”

Why the Process? Why Transparency?

The NTIA initiated the process, Verdi said, because, well, President Barack Obama asked it to do so. It was clear some guidance on mobile app privacy was needed as the space continues to grow rapidly, and developers, particularly the small ones, continue to bump up against enforcement actions and struggle with how to communicate their privacy practices to users.

“We understood that the app marketplace relies on trust, unlike some other enterprise markets where consumers buy from well-known vendors where they have trust relationships,” Verdi said. “The app marketplace relies in many ways on users visiting a platform store and an app that looks useful and entertaining, regardless of whether they know the company that developed that app. They need to trust that app won’t kill their phone, track their location or upload their contact lists. All those trust factors are needed for apps to thrive.”

But why focus on transparency? Because it was something related to privacy the NTIA felt everyone could agree on as a necessity. And agreement was certainly reached in the end.

“Every single word, down to every comma was negotiated,” World Privacy Forum Executive Director Pam Dixon said of the process.

The ACLU felt good about participating in the group because it wanted to prove “the cats and the dogs could be in the same room without getting in big fights,” said ACLU privacy lobbyist Chris Calabrese.

He added, however, that the ACLU would have hoped that the code would have included all the Fair Information Practice Principles and not just the principle of transparency. It would also have liked to see all platforms included in the talks, but “we’re also in a difficult legislative environment,” he said. “So we looked at this thing and said, ‘What value can we add?’ I think what we decided was the value we could add was giving consumers the ability to compare apps in a standardized way, the way you compare food on the shelf.”

Using that metaphor, consumers can make food comparisons at a glance; they can compare soup ingredients and then pick a different soup, or they can choose to not eat soup at all.

By comparison, we’re in a time when a variety of apps all do the same thing. A user can buy multiple flashlight apps from various developers, for example.

“So perhaps this creates an opportunity for the first time to compete on privacy,” he said. “I want to be able to compare different apps; I want to be able to compare their practices. At its heart, that was the basic idea. We were trying to operationalize.”

Tim Sparapani of the Application Developers Alliance said he received a lot of flak—namely, being called a heretic—for participating in a process on mobile app transparency. But he saw a huge opportunity rather than a speed bump.

“You all know, because you work with data every day, that consumer trust is always under assault by data breaches, hacking, data brokers selling stuff. Nowhere is the erosion of confidence felt more than in the mobile app space. If you don’t have consumer trust, if you don’t do things to enhance consumers’ understanding of the tools they’re being offered to do what they want them to do, it is likely to lead to a steady deterioration of the mobile app space instead of a broad embrace by the public.”

Implementation

Intuit’s Amanda Pedigo said the software company is in phase two of implementing the prototype of the code. Phase one surfaced some confusion and some design concerns among users.

The code itself contains eight data points that consumers would want to know and that should be indicated to them, including which data the app collects and which data it does not. Consumer tests indicated users were “delighted” to know which data sets could potentially be collected and appreciated knowing which data sets were not collected despite that.

Lookout Mobile Security Policy Advisor Deepti Rohatgi showed attendees the short-form privacy notice Lookout has recently released as open source, allowing companies to make their own short-form privacy policy in five steps—or in less than an hour. The notice indicates to users not only the data the app is collecting and using but also the data it could collect and does not. Rohatgi echoed that testing has indicated users especially appreciate the latter.

But one attendee wanted to know how to communicate to the company the importance of including a short-form notice.

DLA Piper’s Jim Halpert said to simply point to the news. For example, California Attorney General Kamala Harris is expecting firms to do it.

“She has already sued one and is knocking on other doors,” he said, speaking of the suit she recently filed against Delta Airlines for not having a mobile privacy notice.

“We all know you’re gonna have to preach to product people in your companies … What I think might be really compelling here is showing them how lightweight this is to implement,” Sparapani said, speaking of Lookout’s and Intuit’s models. “That’s a low resource-intensive means of advancing user privacy.”

If product people are concerned about the notices resulting in additional clicks and losing users offsite, it’s important to show how little friction is involved.

“We’re not talking about a process that forces a consumer to go through multiple clicks,” he said. “It was paramount to our membership that this be low-friction from that perspective.”

Will the Code Succeed? Did the Process?

Dixon said the process was a great opportunity to get beyond the noise and look at the research and see where the patterns pointed.

“Overall, I believe the important incremental step that this code takes is that there is notice of things that never had notice before, including data brokers,” she said.

Sparapani said that at the end of the day, he left the process “quite excited” about the ability of multi-stakeholder processes to move groups toward consensus and bring groups that need to make decisions about their data together in a positive place.

Halpert agreed: “For privacy in America, given the stasis that exists on Capitol Hill, the way to change standards … is actually through running processes like these that can be made usable by small enterprises.”

“I really didn’t think we would get here,” Pedigo said. “It’s been an incredible journey.”