Department for Digital, Culture, Media & Sport (UK) – App security and privacy interventions

4 July 2022

Introduction

  1. The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to respond to the Department for Digital, Culture, Media & Sport’s (DCMS) call for views on proposals to improve the security and privacy of apps and apps stores operating in the United Kingdom.
  2. The OAIC is Australia’s federal privacy regulator. We play a critical role in ensuring entities subject to the Privacy Act 1988 (Cth) (Privacy Act) are meeting the community’s expectations for the secure handling of personal information they hold. The OAIC and the protection of personal information are an essential part of the ring of defence in ensuring Australia’s data security. In particular, the Privacy Act includes well-established security requirements and security of personal information continues to be a central regulatory focus for the OAIC.
  3. As recognised in DCMS’s App security and privacy interventions consultation document, protecting users from malicious and insecure apps is an issue of global concern. The OAIC’s 2020 Australian Community Attitudes to Privacy Survey (ACAPS) results show that the app ecosystem is an area where trust is lacking, with 54% of Australians feeling apps are untrustworthy in how they protect or use their personal information.[1] Additionally, 57% of Australians have deleted an app and another 57% have denied an app permission to access information out of concern for their data privacy.[2]
  4. Accordingly, we support the development of a voluntary code of practice for app store operators, platform developers and app developers (Voluntary Code of Practice) as outlined in the consultation document. A Voluntary Code of Practice has the potential to promote best practice and increase public trust in relation to privacy and security in the app ecosystem both in the UK and internationally.
  5. In particular, we note that one of the fundamental objectives of the Voluntary Code of Practice is to ensure that security and privacy information is clearly communicated and accessible to users of apps. This submission sets out some further considerations that may help to achieve this outcome.
  6. The consultation document also recognises the importance of international cooperation in this area, and we welcome DCMS’s commitment to keep abreast of regulatory developments in other jurisdictions to ensure global interoperability and alignment. Australia is undertaking a wide range of regulatory interventions to help protect Australians online.[3]
  7. To support a streamlined and cohesive approach to the regulation of digital platforms and the online environment, the OAIC together with the Australian Competition and Consumer Commission, the Australian Communications and Media Authority and the Office of the eSafety Commissioner formed the Digital Platforms Regulator Forum (DP-REG). The DP-REG’s strategic priorities for 2022/23 include a focus on issues surrounding digital transparency, which it considers is essential for the protection of Australians given the power and information asymmetries between digital platforms and users.[4]

Providing security and privacy information to users in an accessible way

Standardising privacy and security information

  1. The Voluntary Code of Practice sets out seven principles with practical steps for app store operators and developers to protect users. Principle 4 requires app store operators and app developers to provide important security and privacy information to users in an accessible way. This includes requirements for app stores to display the permissions required by an app and inform users about an app’s usage and storage of data. It also includes requirements for developers to provide the permissions required by the app and to ensure it is up to date whenever a new version is published.
  2. Transparency is an important privacy concept. Data protection laws around the world contain transparency obligations which are intended to ensure that individuals have knowledge of, and choice and control over, how information about them is handled. This empowers users to make choices and exercise control around their personal information including choices about what apps they wish to engage with based on the app’s information handling practices.
  3. Enabling users to effectively exercise choice and control relies on entities making information about their personal information handling practices accessible and understandable.
  4. Consumer research shows that individuals find it difficult to properly compare entities’ practices where different entities provide different amounts of information.[5] Relatedly, the OAIC’s ACAPS results show that 45% of Australians who downloaded an app since the start of the pandemic read half or less of the privacy policy attached to the app.[6] Consequently, we consider that consistency and simplicity are important elements to reduce information burden and ensure important privacy and security information is provided to users in an accessible way.
  5. We recommend DCMS consider expanding Principle 4 to encourage app stores and developers to create a common language and iconography to ensure individuals are provided with consistent and accessible security and privacy information across different apps.
  6. This could involve the development of standardised icons, words or phrases to denote certain types of data practices.[7] This would enable individuals to readily identify the information handling practices of most relevance to them, and to compare apps in order to make choices based on the app’s privacy and security credentials.[8]

App permissions

  1. The University of Nottingham literature review of security and privacy policies in apps acknowledges that regularly checking app permissions is a laborious process for users and highlights evidence that many users do not appear to give appropriate consideration to limiting permissions when installing aps.[9]
  2. We recommend that DCMS also consider expanding Principle 4 to encourage the development of technological solutions to reduce the burden of understanding and consenting to the permissions sought by apps when downloaded. Standardising the language used in the information provided to users may allow the development of technological solutions that automatically compare and apply a user’s privacy and security preferences to the permissions sought by an app.
  3. This could simplify and reduce the steps users need to take to consider app permissions. For example, it could support functionality for an app user to set their preferences regarding what app permissions they are willing to accept in a central location. Users could then either only be shown apps matching their preferences or receive a warning when an app does not match their preferences, making it easier for them to engage with the data practices of apps they use. Another application of this functionality could be to automatically reject app permissions that are not required to deliver the app’s core service and do not align with the user’s preferences.
  4. Developing solutions to make it easier for users to limit app permissions, such as limiting permissions that are not required to deliver the app’s core service, may also help to protect users from excessive and unnecessary data collection.[10]

Recommendation 1 - Expand Principle 4 to encourage app stores and developers to create a common language and iconography to ensure individuals are provided with consistent and accessible security and privacy information across different apps.

Recommendation 2 – Expand Principle 4 to encourage the development of technological solutions that automatically compare and apply a user’s privacy and security preferences to the permissions sought by an app.

Footnotes

[1] Lonergan Research, Australian Community Attitudes to Privacy Survey 2020, report to the OAIC, September 2020, p 55.

[2] Lonergan Research, Australian Community Attitudes to Privacy Survey 2020, report to the OAIC, September 2020, p 45.

[3] This includes legislative reforms to strengthen Australia’s online safety regime, an ongoing Digital Platform Services Inquiry, implementation of the Australian Code of Practice on Disinformation and Misinformation and a review of the Privacy Act to ensure it is fit for purpose in the digital economy.

[4] The Digital Platforms Regulators Forum communique sets out the collective priorities for DP-REG for 2022/23 and is available at Digital Platform Regulators Forum communique - Home (oaic.gov.au).

[5] E Costa and D Halpern, The behavioural science of online harm and manipulation, and what to do about it, The Behavioural Insights Team, 15 April 2019, accessed 27 June 2022, pp 35–36. Our ACAPS results also show that 87% of Australians support the introduction of standard, simple language to improve privacy policies – Lonergan Research, Australian Community Attitudes to Privacy Survey 2020, report to the OAIC, September 2020, pp 75-76.

[6] Lonergan Research, Australian Community Attitudes to Privacy Survey 2020, report to the OAIC, September 2020,p 117.

[7] ACCC, Digital Platforms Inquiry – Final Report, ACCC, July 2019, p 463.

[8] Apple’s privacy nutrition labels are an example of standardised icons and phrases intended to assist users to understand how apps handle their data.

[9] S Furnell, Literature review on security and privacy policies in apps and app stores, University of Nottingham, 4 May 2022, accessed 27 June 2022; Kaspersky Lab, One-In-Five Could Be Signing Away Their Privacy When They Install A New App, Kaspersky Lab’s Quiz Shows[media release], Kaspersky Lab, 16 March 2016, accessed 27 June 2022.

[10] In the Australian context, research from the Australian Competition and Consumer Commission (ACCC) found the excessive tracking and data collection that occurs within the app marketplace does not align with consumer preferences. See ACCC, Digital platform services inquiry: Interim report no. 2 – App marketplaces, ACCC, 28 April 2021, accessed 27 June 2022, ch 7.