Request For Research Presentations For the PrivacyCon Conference
Rating Privacy Harms in the Mobile Application Setting: An Empirical Analysis The paper presents an empirical analysis of the perceived sensitivity of various categories of data in the context of mobile applications. It seeks to provide insight into the "nature and evolution of privacy and security risks" and can help identify "substantial injury" in this context. In a survey of more than 400 privacy professionals globally, the International Association of Privacy Professionals (IAPP) undertook to rate respondents' perception of risk associated with 55 mobile application data collection and use examples. The project's goal was to determine, from the perspective of an enterprise deploying a mobile application, the degree of risk that the enterprise is exposed to as a result of collecting and using certain consumer- or device-related information. Of course this assessment does not necessarily reflect consumer perceptions of risk created by collection and use of the same data. Privacy professionals measure risk to their organizations whereas consumers are concerned about risks to their own privacy. Yet ostensibly, there is a close correlation between the two measures, since elevated risk to consumer privacy propagates and becomes organizational risk. In addition, the risk measured by privacy professionals who deal with data processing on a daily basis presents an opportunity to evaluate possible gaps between the public perception of risk -- reflected in the press, by advocacy groups and in class action litigation -- and that of enterprises that gather and use data. Looking at various categories of data, the survey discovered that privacy professionals assigned the highest risk score to information that presents security vulnerabilities and can be misused for theft or fraud, such as passwords, credit card or banking information. Information traditionally considered sensitive, such as health and children's data, also ranked high. Privacy professionals also raised concerns about data collection and uses that could be perceived as "creepy": for example, activating a device's camera or microphone, viewing text messages, or accessing video or audio recordings. The privacy of users' browser histories is currently a hotly debated issue. Congress has recently rolled back regulations set forth by the Federal Communications Commission, which required internet service providers to obtain users' opt in consent before using such data for advertising and marketing purposes. In the VIZIO case, the FTC suggested that a consumer's record of television viewing constitutes sensitive data. Interestingly, browser history did not make the top-tier of risk concerns among survey respondents, nor did users' geolocation, despite its potential to identify users and shed light on their day to day habits. Also low on the survey scale were persistent identifiers like device IDs, or information about other connected devices, which attract a great deal of attention among policymakers and industry groups, particularly in the latest debates about cross-device tracking. The survey ranked mobile app data risks globally and compared the results from respondents in the U.S. and the European Union, where cultural and legal differences drive interesting variations in perceptions of mobile app privacy risks. In summary, this study provides a unique look at the risk perceptions of multiple data collection and use practices in the mobile application setting, from the enterprise perspective. It can inform policymakers, researchers and economists in their assessment of whether or not certain data practices create risks of substantial consumer injury.