Ian Glazer

A member of the Gartner Blog Network

Ian Glazer
Research Vice President and Agenda Manager
4 years at Gartner
16 years IT industry

Ian Glazer is a research vice president and agenda manager on the Identity and Privacy Strategies team. He leads IdPS' coverage for authorization and privacy. Topics within these two main areas include externalized authorization management, XACML, federated authorization, privacy by design, and privacy programs.

I “like” you, but I hate your apps – Part 2: Desires and Expectations

by Ian Glazer  |  January 20, 2011

In my last post, I contrasted the nature of our relationships with the nature of our relationships when apps are involved. In this post, I will examine the desires and expectations of parties involved in these relationships.

What about my needs, my desires?

I’m not unreasonable, but I have four desires:

  • awareness
  • control
  • visibility
  • redress

First and foremost, I want to be aware of when an app or device uses information about me. I want to reduce the asymmetry of the relationship between me and your apps. Second, I want the ability to declare what information can be used for what purpose. If I send you an electronic business card, I’d like to send along with the information about me a statement concerning how this information can be used. Also, I’d like to be able to declare (and delegate) authority over information about me. Ideally, I’d want to point your apps to a source of authoritative information about me, but we’ll get to that later. Third, I’d like some visibility into how information about me is propagated forward. Ideally, I’d love a way to know how information about me ended up in a service provider’s database. Lastly, I want some means of redress. This can take two forms. First, redress could be the ability for me to declare my information off limits to an app. Second, mirroring our relationships, I’d like the ability to sever my relationship with your apps independent of my relationship with you.

Simply put – I desire better controls.

What about you?

Unless you are a sociopath (and I am pretty sure most of you are not), you have tried to be a good member of society. This means that you have attempted to learn and adhere to both social norms and laws. It is safe to assume that you’d like your apps to be as upstanding as you are. No one wants to be perceived as trustworthy and yet have a blabbermouth social network profile.

With this in mind, you’d likely desire something that made it clear how your apps use information about the relationships you have. If apps could announce their information use practices as you enter a relationship with them and when you enter a relationship with me, then at least you could be better informed. This awareness enables you to decide whether you really do want to use the app. Imagine:

  • As you enter a contact into your smartphone, you would be informed as to how all the apps on your smartphone would use that information.
  • When you add a new app to your Facebook profile, it would show you how the app was going to use your social graph data – an impact assessment.

What this gets back to is a desire for control. An app that tries to be as upstanding as you are would provide better visibility and choice with respect to the use of information about your relationships. Apps that are bad actors will not provide such choice and likely go to great lengths to hide their actual use of the information.

What is expected of app developers?

But what of the other parties: the app developers, device makers, and service providers? The benefit you reap from their apps depends on the app developer being able to continue to provide services. The use of relationship-related information has to be expected and ought not to be a surprise.

But that being said, app use of information from the app user as well as their relationships must be:

  • declared
  • understandable
  • allow for innovation

First and foremost, app developers must declare how they use information gathered by their apps. There are too many issues related to notice to list here, but we can agree that how information is used must be declared to all parties in the relationship. That declaration must be in a language that all parties can understand. Explaining to grandpa in rich legalese that pictures he shares will be associated with his contacts in his social graph and used for targeted marketing is not acceptable. Thankfully the movement for clearer, more approachable notice is well on its way.

Keep in mind that app developers need room to use information to innovate and offer new services. It would be a fool’s errand to enumerate every attribute possibly shared and declare specific uses for those attributes. Not only would such an enumeration become out of date almost instantly, but it would also constrain developer imagination and potential.

Control and redress must be provided. App developers and service providers must provide a method for people to express their preferences. Not only must app users be able to express how they want information about them and their relationships used, but the people in those relationships must be able to express their preferences as well. Furthermore, redress must be provided to all parties. When your app does me wrong, I need a way to seek redress from the app developer and have information about me removed.

From a responsible app developer’s point of view, the risks of unintended disclosures need to be limited. This points to a world of collecting less information and referencing more of it. Referencing has a secondary benefit to app developers – they do not have to develop as many controls over the information because people would express their information sharing preferences at a trusted source. The trusted source would enforce controls when the app referenced data at the time of use. Thus referencing not only reduces the amount of information that could be accidentally disclosed, it also reduces the amount of work an app developer has to do.

I’ll talk more about controls and this idea of a trusted source of information in the next and final post, which I’ll post on Data Privacy Day, January 28th.
