The APPS Act – a proposal to protect users’ mobile privacy

Announcing the Act on the floor of the US House of Representatives, Johnson said, “Many consumers do not know that their data is being collected. This privacy breach is just not ones and zeros, it’s personal information including our location at any given moment, our photos, messages, and many of the things meant only for our friends and loved ones. Yet we lack basic rights to control how and how much of our data is collected on our phones, iPads, and tablets. Data has become the oil of the 21st century, and like any other resource there must be common sense rules of the road for this emerging challenge. Today I am introducing the APPS Act – a common sense approach to this urgent challenge. The APPS Act will protect consumers without disrupting functionality or innovation. Privacy is an issue that should unite us, not drive us apart.”

It follows a year-long effort by Johnson to understand what consumers want. “The overwhelming majority of participants who helped build the legislation,” more than 80%, he says, “confirmed that Congress should protect consumers’ privacy on mobile devices. These engaged citizens also wanted simple controls over privacy on devices, security to prevent data breaches, and notice and information about data collection on the device. The Apps Act answers the call.”

The Act will require developers to include a data retention policy and allow users to request that the developer stop collecting data and delete the data already stored. Enforcement will be provided by the FTC, and state attorneys general will be able to bring civil actions on behalf of consumers to enforce the Act and obtain damages.

Arxan Technologies, a mobile security firm, has come out in support of the Act – and suggests that the UK needs something similar. “We wholeheartedly agree with the proposed US legislation, and think that the UK should look to follow the US example and mandate that developers prevent unauthorized access to a user’s data through reasonable and appropriate security measures. This provision would need to address negligent data storage practices by promoting responsible data security practices.”

Google recently moved to limit privacy dangers by restricting app updates to those delivered through its official Play store. One danger is that an app starts out collecting no data but is then silently upgraded to new versions that collect more and more. However, Google’s policy can only apply to apps that were originally downloaded from the Play store; it does not cover side-loaded apps (installed from outside Google’s Play store), which Android freely allows.

What the APPS Act does is put privacy within a legal rather than self-regulatory framework. “Laws can serve the purpose of creating a framework for enforcement,” Mike Dager, Arxan’s CEO, told Infosecurity. “Basically, something needs to break before it can be fixed. Hence, it is imperative that a law or industry regulation eventually be put in place, as this will create the necessary ecosystem required for enforcement to deter and even prevent the bad guys.”