Platforms, Privacy and Pandora’s Box

The Wall Street Journal just ran another piece in its series covering online privacy issues, this time focusing on how mobile apps on the Apple and Android platforms may share unique device ID numbers without consent. If matched against real names, UDIDs pose a bigger privacy risk than cookies on websites since people usually have one phone and carry it with them constantly.

The storyline from here on in will be familiar. Apple has already been cracking down on developers the Journal inquired about this week. At least one company we know started employing SSL encryption for UDIDs yesterday. There might be a fall guy (like how Lolapps and Gambit were singled out when Facebook faced privacy-related criticism). There will be fixes — some necessary, some cosmetic. Then things will go back to the way they were.

On the whole, the “What They Know” series is great for mainstream consumer education. But its sometimes simplistic descriptions of industry practices and occasional scaremongering creates risk that uninformed policymakers will draft poorly targeted legislation. It could end up being unnecessarily destructive to consumer Internet businesses or be so cosmetic that it doesn’t really fix underlying problems.

The thing is: Data collusion is a problem inherent to platforms and their ecosystems. The same power that gives two guys the ability to quickly build and ship a product that 1 million users know and love is the same power that gives two guys the ability to walk off with sensitive, personal data on millions of people.

Platforms like Facebook, iOS and Android have unleashed the fastest-growing businesses ever known. Zynga trades at an implied market capitalization of just under $5 billion on highly illiquid secondary markets. Groupon became a $6 billion company in 24 months, after growing in a large part through targeted performance advertising on Facebook. There are more than 550,000 applications on Facebook, 300,000 on iOS and 100,000 on Android. People use apps to book flights, find restaurants, play games and serendipitously run into friends.

But with that incredible distribution power comes risk to consumer privacy.

The incentives for data collusion among developers will always be strong. As long as these powerful platforms exist, so will some symbiotic entity that barters, trades, collects and matches data on individual users. Today it’s Rapleaf, which shares a venture investor with Facebook. Tomorrow it will be some other company.

Frankly, there is no way that companies like Facebook, with fewer than 2,000 employees can — day in and day out — police more than 2.5 million developers and 100% guarantee that there aren’t privacy violations or unauthorized data sharing by third-party apps.

That’s not to say these companies are lax.

Each one has a slightly different regulatory approach. Apple employs a preventative strategy. It vets apps ahead of time and puts them through an unpredictable approval process to the ire of developers. Once it gives an app the green light, Apple tends to leave it alone unless there is an egregious terms of service violation.

Google takes a post-hoc approach. It doesn’t do upfront vetting, but users can flag apps and Google can take them down after they’re already in the store. Unlike iOS, users can also return apps although the window was shortened to 15 minutes from 24 hours last week. A post-hoc approach has, of course, unleashed huge spam problems in the Android Marketplace, which Google is only beginning to come to grips with.

Facebook’s approach is closer to Google’s. It has algorithms that can automatically take down apps if they’re growing in suspicious ways, but it also employs human checks as well. Over the years, we’ve become pretty familiar with late Friday developer crackdowns.

What’s interesting at this moment is that there is an open question in Washington D.C. as to how legally liable platforms are for the behavior of third-party developers.

The overwhelming majority of developers produce immense value for consumers, but let’s take an extreme hypothetical example. If an unscrupulous app developer launches a “Sexual Purity Test” or “How Mentally Stable Are You?” Quiz (yes, the latter is real), gets millions of users and secretly sells that data to pharmaceutical or insurance companies, how much liability does the platform bear?

Technology companies are hoping more of that responsibility will fall to an empowered Federal Trade Commission. Momentum is also building for the Department of Commerce to create a federal office for guiding online privacy regulation.

But if the platform companies can’t entirely control their ecosystems, I sincerely doubt the FTC or any privacy czar can.

Consumer education is far from where it needs to be. On sign-up prompts, platform providers could force developers to excerpt key parts of their privacy policy and explicitly list third parties they share data with. They could also make it a lot clearer to users about who developers are (since violators often just go and set up shop under a different name if caught).

There aren’t easy answers here. For all of the value that that these platforms unlock, we’ve opened Pandora’s Box when it comes to privacy.

[Image via The Wall Street Journal.]

Facebook Marketing

Mediabistro Event

Facebook Marketing

Starting January 13, work with the group marketing manager of social media at Microsoft/BingAds to grow your business on Facebook! In this course, you’ll learn how to set up your company page, understand Facebook best practices, and execute a monthly content strategy. Register now!


Leave a Reply

11 Responses to “Platforms, Privacy and Pandora’s Box”

  1. GeekGirl_Random says:

    If it’s online, I just immediately assume that it is available to everyone, regardless of any protections that are specified. Technology malfunctions, daily, we all know that ( Relying entirely on the promises made by technology is naive and unrealistic.

    My rule: if I don’t want my Mother to see it, I don’t post it. Worked so far.


  2. bobz says:

    Its not scaremongering to call out a black market industry of companies collecting personal information and aggregating it from various suppliers without consent.

    And you’re a [ed. deleted] for suggesting it is.

  3. Eric Eldon says:


    First, please mind your language on our site.

    Second, please re-read the article, as you’ve misunderstood what we’re saying.


  4. Logical Extremes says:

    @GeekGirl_Random, this isn’t about what people choose to post, it’s about apps surreptitiously surveilling users and feeding a huge gray market of private data.

    There’s no legitimate reason why any app needs the permanent unique and unchangeable device ID. There’s no excuse for apps collecting more data than they need for operation. There’s also no excuse for collecting and using data in ways that are not clearly and simply identified to users before the fact.

    The online ad ecosystem is out of control, and apps are among the worst offenders. The platforms absolutely must do better for their users, detecting sensitive API calls, making sure users are alerted to exactly which data will be collected and why, and have a clear path to accept or decline in advance.

  5. Kim-Mai Cutler says:

    Hey there @bobz. I think you’re misinterpreting what I’m saying. This particular WSJ article was very good and much-needed. Consumers basically don’t understand what is going on.

    But there have been other articles though that have described what’s going on in a superficial way that doesn’t really lead to a long-term solution. For example, when they reported on the referrer ID issue a month or so ago, it resulted in a cosmetic fix and a temporary crackdown on developers. But the issue is much deeper than that. It’s still incredibly easy for developers to ask for extensive permissions and access and resell data far above and beyond the referrer IDs.

    Also, perversely, the creation of a federal office to oversee online consumer privacy — if designed incorrectly — may make it easier for platform providers to pass the buck and wash themselves of liability for unscrupulous developers.

  6. GeekGirl_Random says:

    @Logical Extremes, I must disagree with you. The way I see it is if there is no information available for collection, no information will be collected. For information to be available, the user in question had to in some way, directly or indirectly (i.e. through social networks), make this information available to those applications. But I do entirely agree with you that there is a lot more to it than just simply posting inappropriate content on Facebook, for example.

  7. Logical Extremes says:

    @GeekGirl_Random, Granted, Facebook operates much differently than smartphones and oversharing is as much of an issue as a privacy settings structure that makes it difficult to control the dissemination of your personal information. Keep in mind that most people use Facebook to share their lives with family and friends, not to see ads or contribute their personal data to an opaque and ever-growing multi-billion dollar industry.

    On the smartphone side though, apps collect and transmit info that is intrinsic to the basic operation of your phone, all largely without user knowledge, understanding, or consent. Users don’t even have to be doing anything “social” for an app to grab the device ID, address book, etc. And what happens to that data once grabbed is anyone’s guess.

  8. johann akram says:

    the questions that remains to be answered is this – can social networking ever be safe on the web. sites like diaspora and mycube promise this, but can they live up to it. as an avid facebook user who is now concerned about his privacy, i really hope one of these sites turns out to be secure and the future of social networking

  9. This Week’s Headlines on Inside Facebook says:

    [...] Platforms, Privacy and Pandora’s BoxCheck out the top headlines and insights this week from Inside Facebook— tracking Facebook and the Facebook platform for developers and marketers. [...]

  10. This Week’s Headlines on Inside Facebook says:

    [...] Platforms, Privacy and Pandora’s Box [...]

  11. Sarah's Faves » Blog Archive » FAVE TOOL: Free privacy policy for mobile developers says:

    [...] you might want to put a privacy policy in place. This isn’t the first time there has been concerns about how mobile apps use and share personal data and it probably won’t be the last. Just don’t let it be [...]

Get the latest news in your inbox
interested in advertising with inside facebook?

Social Media Jobs
of the Day

Business Technology Editor

Washington, DC

Assistant Editor

8 Inc.
New York, NY

Editorial Manager

Air Age Media
Wilton, CT

Featured Company

Join leading companies like this one and recruit from the nation's top media job seekers on the Mediabistro Job Board. Every job post comes with our satisfaction guarantee. Learn More

Our Sponsors

Mediabistro A division of Prometheus Global Media home | site map | advertising/sponsorships | careers | contact us | help courses | browse jobs | freelancers | content | member benefits | reprints & permissions terms of use | privacy policy Copyright © 2014 Mediabistro Inc. call (212) 389-2000 or email us