You may have seen the recent Wall Street Journal article on the privacy implications of certain iPhone, iPod Touch and Android apps that disclose information to advertising networks without the explicit knowledge of the user. It didn’t take long, but now a class action lawsuit filed in California against Apple for allowing this to happen. See: Apple sued over privacy in iPhone, iPad apps | Apple – CNET News.
I think that this lawsuit is directed at the wrong party (Apple Computer Inc.) and, if it is at all successful, will be harmful to the internet.
This is similar to going after Facebook for everything that their app developers do. Where on party provides a platform (in this case, a mobile device) and another party builds applications on that platform, the key issue that needs to be addressed where privacy is concerned is “where should accountability for privacy lie?” Getting it wrong will stifle innovation in this currently burgeoning area of the Internet ecosystem. Placing all the responsibility on the platform provider will discourage innovators from making new technologies available to the public, to the detriment of those users who are supposed to be protected by privacy rules. Instead, third-party service and application providers should be responsible to users (and to the courts) for their collection, use and disclosure of personal information.
Just imagine what might happen if the already restrictive Apple is found liable for providing app developers too much latitude in structuring their apps. Would this encourage innovation in applications for users? Nope.
Similarly, should HP or Microsoft be responsible if I download spyware? No. Just because this technology is newer, we shouldn’t be thinking we need to start from scratch without common sense.
We are increasingly seeing platforms built on platforms, where third-parties can build on the technologies of others to contribute to the rich diversity of the Internet ecosystem. Layers of platforms, built by a diversity of innovators, is the key to what makes the Internet so cool. Open APIs and an open development environment lead to really great and innovative applications.
Perhaps the most widely known “online platform” in recent times is the framework that has been provided by Facebook to allow for the interaction of Facebook’s end-users with various third-party applications, including games, surveys and the like. Like most new technologies that handle personal information, the development of the Facebook platform requires close scrutiny from the perspective of consumer privacy. They perhaps didn’t get it right the first time around, but they’ve apparently learned from their mis-steps. But if something happens on Facebook (with an app) that is abusive of privacy, it doesn’t mean that it’s completely Facebook’s fault. But it’s a conclusion that is all to easy to reach. Same goes for privacy abuse on an iPhone: just because Apple created the device doesn’t mean that it’s really Apple’s fault.
These “platforms” are fundamentally akin to the hardware and operating systems that are available on large servers and, most importantly, similar to operating systems available on personal electronic devices, including personal computers, personal digital assistants and smart phones. When Facebook welcomed third-party applications onto its “platform”, Facebook went from being a single purpose application to an operating system on which, or through which, individual users are able to execute a range of applications provided by third-parties. The appropriate analogy would be the movement from dedicated, single-purpose word processing systems, such as those offered by single vendors in the 1960’s and 70’s, to personal computers that allowed the end-user to install and therefore interact with multiple software packages provided by multiple software vendors. In many instances, third-party applications are able to interact with each other and, almost invariably, all of them interact with the operating system. The move from single purpose devices to more general computing systems did not engender a significant fear about privacy. The platform (mainly, the operating system) was installed on hardware owned by the end-user him/herself, and the user decided what applications to install. This decision was hopefully an informed one in which the user was able to identify.
The suggestion that the hardware manufacturer or the supplier of the operating system is ultimately responsible for applications developed by third parties that are installed by end-users is very problematic, bordering on absurd, and lets the third-party application developers off the hook too easily. It also implicitly assumes that the third-party application provider is somehow acting on behalf of the other party. On the contrary, most third-party applications are installed and run independently of the creators of the platform . The individual chooses what applications are run. It is the user that makes the decision as to what software to install, hopefully based on clear disclosure by the application developer. It is the user’s decision as to whether the application that may use her personal information is installed and run. That use of personal information is no longer on the platform provider’s account, but rather on the application developer’s account. The application provider should be fully accountable for its collection, use and disclosure. In connection with that, the application provider should have the burden of complying fully with the obligations set out in law.
Most platforms are designed to permit significant interaction with user data so that legitimate functions are unimpeded. For example, programmers on Microsoft Vista systems are able to access email inboxes and documents. If that access is misused, one would not point the finger at Microsoft. Similarly, one should not point the finger at the provider of an online platform for what happens when a well informed user installs software him/herself that uses personal information.
This conclusion still applies if the provider of the platform ultimately controls what applications can be integrated with it. For example, Apple requires those who distribute applications for the iPod Touch, iPhone and iPad to register and agree to certain terms and conditions. Apple currently has thousands of third-party applications distributed through their app store, all of whom have a contractual relationship with Apple and with their end-users. However, until this lawsuit there has been no suggestion that Apple is accountable for the actions of third-party applications. Similarly, third-party developers of the Twitter API are able to build onto Twitter to extend its functionality in desirable (and perhaps undesirable ways), but as long as the end-user has installed the third-party app or has consented to connecting the third-party service to the user’s Twitter account, it should not be Twitter that is held responsible for the application developer. A final example is Research in Motion’s Blackberry device. Most of these devices are equipped with GPS transceivers and a number of software products enable to user to broadcast his or her location. If a user has chosen to disclose this personal information, it should not be RIM that is accountable.
To be clear, I am not suggesting that the provider of a platform has no obligation with respect to the handling of personal information. The platform provider is responsible for its own collection, use and disclosure of personal information. The same should be the case for third-party application providers. But the two parties, unless they are jointly providing a service to the end-users, should be kept distinct and each should be accountable for its own collection, use and disclosure of personal information.
The final question is, “why is this important?” This is important because we are seeing fantastic innovation on the internet based on sophisticated computing platforms that are welcoming to new, innovative developers. Software and user experiences can be crowdsourced. Oftentimes, the platforms and the application developers have no relationship at all. To hold all platform creators responsible for all applications that can be installed on them will likely have two very negative consequences: first, it will provide an incentive to lock down platforms, which will stifle creativity and innovation. Second, it will provide an incentive to interject complicated legalistic structures between the platform and the third-party apps, also stifling innovation and creativity.
In the end, users benefit from innovative new products and services, and should look to the application providers to be accountable for their own collection, use and disclosure. Making the platform developers responsible for it is paternalistic and problematic.
Update: you can find the pleadings on Justia here. The claim is against Apple, Inc, Backflip, Dictionary.Com, Pandora, Inc, and The Weather Channel.