[MyData & Open Data] privacy by design mobile apps

stef s at ctrlc.hu
Thu Oct 3 16:42:35 UTC 2013


On Thu, Sep 19, 2013 at 04:30:37PM +0100, Javier Ruiz wrote:
> these are the guidelines I mentioned at the meeting. I think they are quite useful for advocacy organisations working on mobile platforms. I was hoping to use them as a model for other similar practical guidelines for other domains. 
> 
> I haven't checked them forensically, and I am sure there are some points where it can be improved but it is a very good starting point
> 
> http://www.gsma.com/publicpolicy/privacy-design-guidelines-for-mobile-application-development 

just wanted to throw in that smartphones are designed to siphon data. to
quote from the doc:

> Scope
> These guidelines apply privacy design principles to applications and
> their related services designed for mobile devices. They are intended
> to apply to all parties in the application or service delivery chain that
> are responsible for collecting and processing a user’s personal
> information – developers, device manufacturers, platforms, and OS
> companies, mobile operators, advertisers and analytics companies.

commercial phones in general have so many cheap attack surfaces (baseband,
sim-card, user cpu), that believing any data on them can be secure/private is
only a matter of religion. but of course this depends on who your adversaries
are, from the 4c model (citizens, criminals, corporations, countries) i guess
some civil rights orgs are certainly threatened by the last c.

reading the doc, it seems to me that it basically addresses the 1st 2 c's and
part of the 3rd c. basically it is a policy document with lots of promises,
but no hard details. i searched for end-to-end encryption, isolation,
compartmentalization, or provably secure/private handling of data. however i
read about social media, advertising. :/

i believe this document is a classical example of proactive self-regulation,
on enforcement it says:

> Each entity that collects personal information about users
> must ensure a company representative (or representatives)
> is assigned the responsibility for ensuring end-user
> privacy is built into applications and services and business
> processes.

i'm missing the criminal sanctions and financial liability, like the EU does
for competition:
http://ec.europa.eu/competition/cartels/overview/factsheet_fines_en.pdf
not 2% as in the original EC GDPR proposal.

cheers,s

-- 
pgp: https://www.ctrlc.hu/~stef/stef.gpg
pgp fp: FD52 DABD 5224 7F9C 63C6  3C12 FC97 D29F CA05 57EF
otr fp: https://www.ctrlc.hu/~stef/otr.txt
