
The Federal Trade Commission has been toughening its stance on consumer privacy protection, and this directly affects the mobile applications banks offer their customers.

On Saturday the agency issued a report, Mobile Privacy Disclosures: Building Trust Through Transparency, that offers advice on keeping consumers' data private. It offers recommendations to four sets of stakeholders: operating system providers (like Apple and Google), app providers, advertising networks, and app developer trade associations. Banks that provide mobile banking, PFM, trading or wallet apps fit in the app provider category.

The report cites a study showing that consumers are highly concerned about mobile device privacy: the Pew Internet and American Life Project found in September 2012 that 57% of all mobile app users have either uninstalled an app due to concerns about having to share their personal information, or declined to install an app for the same reason.

There are four main things the FTC would like mobile application developers to do to protect consumers' privacy as they bank, shop and surf the web on their mobile devices.

First, the FTC says mobile app developers should "have a privacy policy and make sure it is easily accessible through the app stores." Many mobile apps have privacy disclosures that pop up in a window and require the user to click "I accept." But the disclosures themselves are often legal gobbledygook that no one actually reads.

The FTC encourages financial companies to use its financial privacy notice prototype, which it developed with Kleimann Communication Group. The prototype aims for simplicity and the use of design techniques for better readability such as tables, headings, white space, bold text, bulleted lists and a large font size.

"A hidden challenge here is in making it easy for app developers to create good privacy policies," says Jason Hong, associate professor at the Human-Computer Interaction Institute at Carnegie Mellon University. "Most app developers are focused on making apps and on getting revenue, and don't have a lot of expertise in privacy."

The second thing the FTC asks of mobile app developers is that they provide just-in-time privacy disclosures and obtain express consent before collecting and sharing sensitive information such as financial data. One aspect of this that's not clear is whether applications that collect but then discard such data right away, rather than storing it, would be subject to this disclosure requirement. For instance, many mobile banking apps have person-to-person payments features that let the bank go into the user's address book and pull up the contact information of a friend or relative to send money to. Some banks are experimenting with using customers' geographic location information to send them a special offer (e.g. sending a customer who is shopping in the Gap a merchant-funded reward), but they don't necessarily keep or share that information.

The FTC is aiming for transparency, according to Hong. "Right now, consumers have very little information about what data is being collected, for what purpose, and what is being done with that data," he points out.

Some of the answers about what banks will need to disclose about data collection and when may depend on the design of the app, the expectation of what the app will and won't do, and how often the app uses the customer's data, Hong says.

"In some of our research examining mobile app privacy, we found that people had a pretty good sense of some kinds of information sharing without needing to be explicitly informed of it," he says. "For example, it was clear to a large majority of participants that Google Maps was using data about their current location, since it was in the description of the app, and because it shows you your current location when you load the app. On the other hand, we also found a lot of apps where our participants were highly surprised by an app's behavior."

These include flashlight apps that require Internet access and games that use location data. "We also saw apps where people were uncomfortable with a feature, but were ok with it after it was made clear what the data was being used for," he says. "For example, there is a dictionary app for Android that uses location data. Nearly all of our participants assumed that the app used location data for ads and so were uncomfortable sharing this data. But it turns out that the app uses location data to show what words people around you are looking up, and only does so when you explicitly select the feature (rather than sharing your location data all the time). After being told this, our participants were much more comfortable with the app using their location."

There can be danger in confusing customers with too many disclosures, Hong points out. "If we're not careful, end-users could be inundated with notifications and warnings, some of which will be useful, and many of which won't be."

The FTC's third recommendation for mobile app developers is that they "improve coordination and communication with ad networks and other third parties, such as analytics companies, that provide services for apps so the app developers can provide accurate disclosures to customers." Many banks do work with analytics companies to craft merchant-funded rewards and with account aggregators to create personal financial management tools.

"My interpretation of this requirement is that the FTC wants app developers to have a better understanding of what the third-party libraries they use in their apps are actually doing," Hong says. "As part of our research, we've been crawling a lot of free apps and a few paid apps, and nearly all of them use third-party libraries of reusable code. The tricky part is that some of the privacy issues come from these libraries rather than the apps themselves. For example, a lot of the apps we've seen use location data, but if you drill down, it turns out that it's a library used for advertising that is accessing location data. Same thing with analytics libraries we've seen."

Most banks should be able to handle this part without problems, Hong believes. "For many libraries, it's not too hard to determine if it accesses sensitive information," he says. "The bigger challenge is what happens on the back-end of those third-party libraries. For example, many analytics libraries send data to a server owned by the creator of that library. What is the data retention policy there? How secure is that server? These issues are not as clear, and go beyond just basic disclosures."

The last thing the FTC recommends is that mobile app developers consider participating in self-regulatory programs, trade associations, and industry organizations that can provide guidance on how to make uniform, short-form privacy disclosures. One such group is the National Telecommunications and Information Administration.

The FTC means to enforce its guidelines. It recently settled charges against a company called Path that collected address book information from children under 13 without providing notice and obtaining parental consent. The commission is especially worried about applications targeted at children; it has found that most applications for kids fail to provide parents with information about data collected through the apps.

An earlier privacy report the FTC issued in March recommended that for unusual app features, companies provide consumers with choices at a relevant time and context.

Newer versions of Apple's mobile operating system, iOS, offer just-in-time notifications that an app is requesting location data. "Since Apple and Google account for a vast majority of mobile related activities, we are especially interested in continued evolution of platform-level features such as prompting users before an app gains access to sensitive information such as location or contacts," commented a banker who preferred not to be identified.

"For mobile banking, there probably aren't too many unexpected features," says Hong. "One that comes to mind might include using SMS or the phone's unique ID as some kind of extra verification. Another might be using one's current location data as an extra check when withdrawing funds from an ATM."

Another, related point the FTC made in March is that companies should not collect location information unless the app truly needs it.

"We are encouraged that the FTC is taking an interest in setting consistent standards and expectations for privacy related disclosures," said the banker who preferred to remain anonymous. "Focusing on providing guidance on the principle of transparency and simplicity is ultimately in the consumer's best interests."