This story was written by Keith Dawson for UBM DeusM’s community Web site Develop in the Cloud, sponsored by AT&T. It is archived here for informational purposes only because the Develop in the Cloud site is no more. This material is Copyright 2012 by UBM DeusM.

Mobile Privacy Regulation Is Coming

Developers may have to tell users what personal information they upload, and ask permission first.

If just-introduced legislation becomes law, developers and others in the mobile ecosystem will have to be a lot more careful and proactive if they want to monitor user behavior.

In the US House of Representatives, Rep. Ed Markey (D-Mass.) has proposed the Mobile Device Privacy Act (PDF). If it passes both houses and is signed by the President, it will affect the work of most mobile developers and many other players in the mobile space.

ReadWriteWeb is running a nice analysis by Alex Wilhelm of this succinct piece of legislation (it's only 17 pages). In brief, it requires that any entity selling either a mobile service, a mobile device, or offering the download of a mobile application, which contains "monitoring software," must inform the person on the receiving end of that transaction. That user must be told (quoting ReadWriteWeb): "That the monitoring software is installed, what type of information is being monitored and transmitted, with whom that information might be shared, how the information will be used, and what the consumer can do to prohibit further collection, even if they have provided permission in the past." Also, any other information that the FTC determines is required.

The impetus for such legislation has been building for over a year now. Mobile devices have always tracked their users in multiple ways; most people weren't aware of how widespread the practice had become until publicity blew up over Carrier IQ late in 2011. Articles continued to come out in the popular press, reaching some sort of crescendo last July with this one in the New York Times: That's No Phone. That's My Tracker. The Antisec UDID affair focused more attention on the information that apps upload from mobile devices, and what happens to that data after it is uploaded.

The bill requires that if companies want to transfer information collected from mobile devices to a third party, they must file the agreements describing this transfer with the FTC or the FCC. The third parties are required to have policies in place to keep the data secure. (Such reporting requirements are not likely to be popular with companies that participate in cookie-based tracking for advertising purposes.)

The proposed legislation has already drawn fire from the Software & Information Industry Association, a group whose members include Oracle and IBM. Instead of legislation, this group would rather see a revival of government-industry talks on data transparency -- talks that petered out over the summer. reports that the legislation is not likely to be taken up in committee in this legislative session, with mere weeks remaining before the presidential election.

Taming of the Wild West
Whatever the fate of Rep. Markey's legislation in this session (or the next), it seems clear that the days are numbered for the personal data free-for-all that has existed in the mobile landscape. Before long, developers at all levels are going to have to be far more careful, deliberate, and transparent about what data they take from mobile devices; they're going to have to inform users and ask permission.

If this legislation or something like it had been in place, how would it have affected your work on the mobile apps you have released to date?