Yesterday marked the inaugural Privacy Multistakeholder Meeting at the Department of Commerce, hosted by the National Telecommunication & Information Administration (“NTIA”). The meeting brought together representatives of technology companies, advertisers, consumer groups, and other stakeholders for a discussion of mobile application transparency and the process for future discussions and meetings. While the meeting did not bring consensus on either process or goals, it did engender considerable discussion between a large number of participants, both in-person and through the online meeting tool.
Representatives from NTIA worked with an outside facilitator to solicit stakeholder views on 1) potential key elements of a mobile transparency policy and 2) methods that the group might employ to move the conversation forward in the future. The use of the facilitation process itself generated a considerable amount of debate and substantive discussions were often interrupted by questions about or objections to the process.
By the end of the day, the participants had generated a substantial list of items to consider during future meetings and had informally “voted” to express whether they felt the item needed to be addressed early in the process. John Verdi, Director of Privacy Initiatives, stated that the list of ideas and the results of the informal poll would be released next week. Verdi also announced that NTIA would schedule an additional meeting in August, though no specific date was announced.
Lawrence E. Strickling, Assistant Secretary for Communications and Information and Administrator of NTIA, began the meeting by acknowledging that mobile transparency was just one of many possible starting points for the conversation about online privacy. That comment likely was in reaction to criticism by the mobile community that it had been singled out when there are so many possible topics for discussion, and concerns by consumer groups that transparency should not be looked at in isolation from the other fair information practices (“FIPs”). Strickling went on to say that NTIA viewed its role merely as a facilitator of the discussion. He then introduced Marc Chinoy of The Regis Group, Inc., who led the discussion on behalf of the NTIA, to “surface issues” and establish a point of reference for a conversation about process.
This resulted in both a lively discussion about the process itself as well as brainstorming around “key elements of mobile app transparency that are either already being advanced today or should be advanced.” Suggestions for key elements included: accessibility of privacy statements to consumers, particularly children and teens; the ability to provide transparency about privacy policies in the context of the user experience (“just-in-time” notifications); the need for machine-level transparency; the use of icons or other methods to convey complex information in a small space; a need for accountability, wide adoption, independent verification, and enforcement; and definition of the scope of information that mobile applications would need to provide, such as what data they collected, how it was used, and why it was collected. As a part of this last point, at least one commenter suggested that consumers need to be aware of the benefits of data collection, such as the ability to receive apps for free.
During the brainstorming process, some participants questioned who in the mobile ecosystem (e.g., the app developer, the operating system) should be responsible for conveying privacy policies and how to make policies consistent across platforms and devices. There were differing opinions as to whether or not app distributors should “police” the system to assure app compliance with the code of conduct.
In addition to these specific suggestions, participants also expressed concerns about the process. First, several commenters objected to launching into a substantive discussion without first agreeing to a process. Among the concerns raised was the lack of transparency of what interests were represented in the room. This led to an informal poll asking individuals to identify whether they represented industry, public interest groups, or other interests (including government). The show of hands indicated that industry representatives comprised approximately 75% of the room, public interest groups accounted for approximately half of the remaining participants, and the balance of the room either did not vote or were in government.
Additionally, many participants — primarily representing consumer groups —expressed concern about focusing on transparency without addressing other FIPs at the same time. One commenter stated that transparency offered “no value” to the privacy discussion if it was not coupled with the substantive rights consumers should have with regard to online privacy. However, other commenters disagreed, and found value in transparency alone.
Another concern raised by several commenters related to the international environment in which mobile applications operate. Some were concerned that any process undertaken by the group could be for naught if there is not a way to operationalize it outside of the United States. One commenter suggested that the group should look to European policies on data privacy for context.
After brainstorming on what substantive issues the group might tackle, Chinoy led the group through an informal voting process designed to “get a sense of the room” as to how the stakeholders prioritized the ideas that had been presented. Though this voting process led to many objections and clarifying questions, ultimately the group did “vote” on the relative importance of 27 of the more than 60 proposals.
Participants were asked to vote on a scale of 1 to 4 how strongly they felt each proposal needed to be addressed early on in the process, with 1 representing the belief that addressing the item early was critical to the process and 4 representing the belief that it was unnecessary to address the item early (if at all). Though the process was extremely informal, and participation varied item-by-item, a few trends could be seen. There was general agreement that it was important to discuss the following topics early in the process:
- the functional use of the data collected by mobile applications;
- common practices in use today;
- how applications collect or use data outside of the application itself;
- the potential need for policies to be “technologically neutral” or “platform agnostic;” and
- the need for simple language to be used in privacy statements so that they could be understood by all.
Other potential topics appeared to produce split votes, with industry representatives and public interest group representatives assigning different priority to the issue. Some of these topics included:
- the need to maintain limitations on liability for intermediaries;
- the need for a clear statement of privacy rights;
- the need to develop a common consumer friendly vocabulary.
As mentioned above, the NTIA expects to release the informal tallies next week, as well as a full list of the comments captured on flip-boards during the brainstorming session.
The brainstorming/voting procedure was then repeated, this time focusing on what process tools may be useful for the group to employ going forward. One suggestion, supported by several consumer groups, included engaging in a fact-gathering exercise to educate stakeholders about what data-collection methods were currently employed by mobile applications, and how these data are being used.
Several commenters offered opinions on how much or little participation the NTIA should continue to have as the group moved forward. No consensus was actually reached as to how the group should next proceed as the meeting wound to a close.
Strickling concluded the meeting by stating that, though many participants found the day to be frustrating, he saw productive conversations result from the facilitation process. He reiterated that NTIA sees itself as a facilitator committed to assuring openness, transparency, and fair participation, but that the ultimate process will be in the hands of the stakeholder participants.