February 5, 2013

FTC: mobile applications (recommendations and guide)

1. In early February, the Federal Trade Commission (FTC) published the report Mobile Privacy Disclosures: Building Trust Through Transparency and the guide Mobile App Developers: Start with Security.

2. The report follows earlier FTC studies (post) and other FTC reports (notably Mobile Apps for Kids (post) and Protecting Consumer Privacy in an Era of Rapid Change (post)). It is addressed to the main players in the mobile app ecosystem: mobile platforms, app developers, advertising networks and other associations.

For each of these players, the FTC makes recommendations that it presents as "sufficiently flexible to accommodate further innovation and change" (Source: FTC, p. 13) and that read as follows:

Platforms

- "before allowing apps to access sensitive content through APIs (Application Programming Interface), such as geolocation information, platforms should provide a just-in-time disclosure of that fact and obtain affirmative express consent from consumers" (p. 15)
- "a "dashboard" approach - similar to one used by several existing platforms - may be promising. A dashboard provides an easy way for consumers to determine which apps have access to which data and to revisit the choices they initially made about the apps" (p. 16)
- "platforms could explore the use of icons. Icons, if appropriately designed and implemented, offer the ability to communicate key terms and concepts in a clear and easily digestible manner" (p. 17)
- "platforms should consider imposing privacy requirements on apps" (p. 19)
- "platforms could educate app developers on privacy and make available to them important information about consumer privacy considerations as they craft their apps" (p. 19)
- "to alleviate any potential consumer confusion, platforms should consider providing consumers with clear disclosures about the extent of review platforms undertake prior to making apps available for download in the app stores, as well as any compliance checks or review they undertake after the apps have been placed in the app stores" (p. 20)
- "a DNT (do-not-track) setting placed at the platform level could give consumers who are concerned about this practice a way to control the transmission of information to third parties as consumers are using apps on their mobile devices. The platforms are in a position to better control the distribution of user data for users who have elected not to be tracked by third parties" (p. 21)

App Developers

- "apps should have a privacy policy and make that policy available through the platform's app store" (p. 22)
- "app developers should provide just-in-time disclosures and obtain affirmative express consent when collecting sensitive information outside the platform's API, such as financial, health, or children's data, or sharing sensitive data with third parties" (p. 23)
- "app developers should improve coordination with ad networks and other third parties that provide services for apps so that the apps can provide truthful disclosures to consumers" (p. 24)
- "app developers should consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide industry-wide guidance on how to make uniform, short-form privacy disclosures" (p. 24)

Advertising Networks and Other Third Parties

- "advertising networks and other third parties that provide services for apps should improve coordination and communication with app developers so that the app developers can in turn make truthful and complete disclosures to consumers" (p. 24)
- "advertising networks should work with platforms to ensure implementation of an effective DNT system for mobile" (p. 25)

App Trade Associations

- "app trade associations could develop standardized icons to depict app privacy practices" (p. 23)
- "app developer trade associations could continue work on developing "badges" or other similar short, standardized disclosures that could appear within apps or within advertisements for apps" (p. 26)
- "app developer trade associations could develop ways to have more standardization within app privacy policies" (p. 27)

It will be worth following how the main players in the mobile app ecosystem implement these recommendations.

3. In addition, the guide published by the FTC for mobile app developers puts the emphasis on security. In particular, it stresses the importance of naming a person responsible for security, of using passwords and cryptography, and of collecting only the information needed for the application to work.

 