SAN FRANCISCO — Facebook is signing on to an effort from California Atty. Gen. Kamala D. Harris to make app makers more accountable for how they handle consumers' personal information.
With the explosion in the use of mobile devices, the state's top cop is looking to extend privacy protections that are commonplace on the Web to smartphones and tablets. With Facebook, Harris notched another win in her effort to get industry players to abide by voluntary guidelines.
Harris does not have the authority to write new rules for mobile apps. Instead, she's broadly interpreting a 2004 state law that requires "online services" that collect personal information from consumers to have privacy policies.
In February, her office brokered a deal with six of the largest companies running mobile app stores. Under the deal, Apple Inc., Google Inc., Amazon.com Inc., Microsoft Corp., Research in Motion Ltd. and Hewlett-Packard Co. agreed to give apps the ability to conspicuously post clear and complete information on how they collect, use and share consumer data.
Even though the mandate extends only to apps that collect personal information from Californians, Harris' efforts probably will have far-reaching consequences.
"If we can strengthen privacy protections here, we can benefit consumers around the world," Harris said. "App users should know what personal information is collected, how it is used, and with whom it is shared. If they know all of that, then they will have the tools and the ability to protect themselves."
Facebook Chief Privacy Officer Erin Egan said the agreement with the California attorney general "embodied essential protections for Californians and others who use mobile apps."
"Ensuring consumer trust on mobile platforms is an essential value to us here at Facebook," Egan wrote in a letter to Harris.
With Facebook and the other app stores, Harris has sewn up "a huge chunk of the app universe," said online privacy expert Ryan Calo, an incoming law professor at the University of Washington. Harris can then use her authority to prosecute app makers that mislead California consumers about what they do with their personal information. The penalties could be stiff under California law: as much as $5,000 per download.
The effort in California mirrors a larger one from the Obama administration, which is bringing together businesses, consumer groups and regulators to develop national guidelines for the collection and use of consumers' personal information. The first in a series of meetings to hash out the guidelines for mobile apps takes place in Washington next month. App makers that agree to the guidelines would be bound to follow them or risk scrutiny from regulators.
Privacy and consumer advocates say that voluntary agreements are not a substitute for comprehensive digital privacy legislation that would give consumers greater insight into and control over what happens to their data. But all efforts to pass federal legislation have stalled.
Justin Brookman, director of consumer privacy at the Center for Democracy & Technology, said his organization supports efforts from California and the White House. But, he said, "at the end of the day, I don't think it goes far enough."
Consumers need protection on mobile devices at least as much as they do on the Web, Brookman said.
"More information is at stake," he said.
Smartphones are nearly always with their owners and are nearly always turned on, making them truly smart about the intimate details of consumers' lives. Sometimes the sensitive information to which apps have access surprises their owners. Apps often know an owner's name, contacts, browser history, current location — even the unique ID number tied to that device. Yet many mobile apps give consumers few details about how this information is being collected and used.
A Wall Street Journal examination in 2010 of 101 popular apps for iPhone and Android phones showed that, at the time, 56 apps transmitted the device's ID to third parties without the user's knowledge or consent. Forty-seven of the apps sent the phone's location. Five sent age, gender and other personal details. Forty-five of the apps didn't provide privacy policies on their websites or inside the apps.
"The mobile space is just like the Web in the first 10 years or so: It's the wild, wild West where there are a bunch of privacy problems and there is a lack of controls," independent privacy researcher Ashkan Soltani said.
In February, Path and other app makers found themselves embroiled in controversy when a blogger blew the whistle on apps uploading and storing users' address books from their phones without notifying them. The mobile app maker apologized and changed the way its software accesses user data.
The incident was just one in a series of privacy breaches that underscores how vulnerable mobile device users can be. Requiring app makers to have privacy policies "is at least a way to get developers to start thinking about privacy," Soltani said.
He said few consumers are aware of what's happening to their information. Even if they are, they assume that someone is watching out for them.
"If we need to get work done or we need driving directions or we need to connect with our friends, we are just going to do it, and hope that there are privacy protections in the law or that the consumer protection agencies are watching out for us," Soltani said. "And that's in fact not the case."
"We are still in the phase of raising awareness," LeBlanc said. "We don't want to squelch innovation. But there will be a point at which we take significant actions."