[image credit privacygrade.org]
Rating systems are ubiquitous shortcuts in an information-overloaded society. Movie ratings, ESRB ratings for video games, bond ratings, and crowd-sourced review sites such as Yelp and TripAdvisor all help us parse essential information at-a-glance. While they may occasionally oversimplify, the convenience and relative clarity is well worth it. The ratings provide a point of departure for effective decision making.
The mobile apps and websites we use every day could benefit enormously from a clear, fair and objective rating system designed to empower consumers to make informed privacy choices.
Rating systems should be transparent so that consumers understand:
1) the criteria used to determine the ratings;
2) who is rendering the assessment (experts or crowd-sourced feedback); and
3) how ongoing compliance tied to the ratings in monitored and audited.
Current Rating Style Systems
Badges, icons, and seals from companies such as McAfee provide social proof regarding a site’s identity and security standards. They help us verify if a site is legit before we submit our personal information. Programs offered by CARU and TRUSTe, for example, will certify a company’s compliance with privacy best practices or specific compliance with childrens’ privacy regulations.
Also, you can search for local Better Business Bureau (BBB) Accredited Businesses that are rated with letter grades here. These are businesses that have applied for and met the BBB Accreditation Standards which include a commitment to make a good faith effort to resolve any consumer complaints and safeguard consumer privacy. There are however, limits to scope of the BBB ratings;
“BBB accreditation does not mean that the business’ products or services have been evaluated or endorsed by BBB, or that BBB has made a determination as to the business’ product quality or competency in performing services.”
Note that not all companies are BBB Accredited and that a high rating does not mean the company and its privacy practices are without controversy. See, for example Facebook’s BBB rating.
Ratings on App Privacy
One effort underway to bring rating systems to the world of privacy practices is PrivacyGrade. Led by Professor Jason Hong and researchers at Carnegie Mellon University’s CHIMPS lab (Computer Human Interaction: Mobile Privacy Security lab).
“provides detailed information about an app’s privacy-related behaviors. We summarize these behaviors in the form of a grade, ranging from A (most privacy sensitive) to D (least privacy sensitive).”
The PrivacyGrade website goes on to provide an overview of the grading methodology:
“Grades are assigned using a privacy model that we built. This privacy model measures the gap between people’s expectations of an app’s behavior and the app’s actual behavior. For example, according to studies we have conducted, most people don’t expect games like Fruit Ninja to use location data, but many of them actually do. This kind of surprise is represented in our privacy model as a penalty to an app’s overall privacy grade. In contrast, most people do expect apps like Google Maps to use location data. This lack of surprise is represented in our privacy model as a small or no penalty.”
App developers and users can provide feedback to PrivacyGrade regarding the rating given to an app. While PrivacyGrade only measures Android-based free apps at this time, the team would like to expand its rating system to other platforms. There are some other limitations, such as PrivacyGrade’s inability to truly dive deeply into how third-party software libraries are using your information.
Regardless, PrivacyGrade is certainly a step in the right direction. Shining a light on how our information is used, stored, and leveraged to target our behaviors should have tremendous value to consumers unsure about the choices they’re making with mobile technology. Wider transparency across platforms and public pressure could help bring additional scrutiny to companies’ privacy practices. With effort, this kind of awareness should bring about wider adoption of Privacy by Design (PbD) best practices.
If you think you know how the latest free game or mobile app uses your information, take a look at some of PrivacyGrade’s reports. You might be surprised at the range of access apps have when it comes to your personal information.