Developers should learn from the Palm Pre's privacy mistakes

If software vendors don't make their data-collection practices more transparent, regulators are liable to step in and do it for us

Is Palm watching you? If you bought one of its snazzy new Palm Pre phones, the answer is apparently yes -- and not just sometimes, either. According to Palm Pre hacker Joey Hess, the Pre's WebOS constantly logs usage data, including which applications you use, when, and for how long; it catalogs every app you have installed on your phone; it tracks the system state following application crashes; and it even tracks your location, obtained via GPS. All of these logs are sent back to Palm on a daily basis.

Could anyone even feign surprise that Palm Pre customers would be disturbed by this? It's one thing to agree to disclose certain personal information when you sign up for a service, but quite another to be made to disclose information all the time, every day, everywhere you go. To any rational person, that's the difference between a friend and a stalker.

But there's no reason to single out Palm. As computing moves away from the desktop software paradigm toward Web-based services and cloud computing, a growing number of software vendors must confront similar issues. If Google's Chrome OS vision comes to pass and the bulk of computing moves from the desktop to the Web, virtually every application will become another opportunity to collect usage patterns, location, and other personally identifying user data. It's time software developers and vendors took an active role in addressing consumer concerns about data collection and privacy -- because if we don't, someone else might step in to do it for us.

Privacy policies aren't enough
Are there legitimate uses for the data Palm collects? Sure. Palm could use it to "customize your experience; troubleshoot and provide updates; ... resolve disputes; collect fees owed; detect and protect against error, fraud and criminal activity; comply with applicable law, regulations, legal processes or enforceable governmental requests," just like its privacy policy suggests.

Other proposed uses sound less appealing, however. Palm further asserts that it may use your personally identifying data to "measure interest in our products and services" and to "provide offers that might interest you." Were you aware that when you bought your Palm Pre, simply using it would make you part of a focus group?

And then there's the age-old catchall: Palm claims (naturally) that it may use your data "for other legitimate business purposes." But what does that really mean? Does the customer have no say at all?

These problems are compounded by the fact that Palm Pre customers are not engaged with Palm alone. One of the great strengths of Palm WebOS is that it's an open platform. Palm says it may share your user information "to third-party service providers and suppliers acting on [its] behalf to provide products or services to you." But what then? Once Palm has handed over your personally identifying information to a third-party vendor, where does it go from there? What are that vendor's terms of service? Will the third party be as dedicated to protecting your privacy as Palm itself? And suppose that someday Palm is acquired by still another company -- what happens to your data then?

These are hardly trivial issues. In the modern information economy, user data is rapidly becoming the new currency. Witness the rise of identity theft. The more criminals know about you, the easier it is for them to usurp your identity for fraudulent or deceptive purposes. Unfortunately, data breaches are still far too common, preventative measures seem largely ineffective, and there's too little transparency into the ways in which customer data is shared behind the scenes.

Data transparency for customers -- or else
The software industry is not the first to travel down this road. Financial institutions have maintained and shared sensitive customer information for years -- in fact, some would say that your credit score has become your single most important piece of personally identifying data. At one time, the information that financial firms passed among themselves was as secretive and mysterious as Web usage data is today. But with the passage of the Fair Credit Reporting Act (FCRA) and later amendments, consumers now have the opportunity to see what their banks and creditors are saying about them, who requested what information about them, how often, and when.

If consumers have a right to see their own credit reports, shouldn't they be allowed to view the usage data that software application vendors collect about them, and how it is shared? If Palm wanted to regain its users' trust, it could offer to provide access to the detailed usage logs it collects from Pre customers -- say, once a year, upon request. In addition, it could provide a log of every transaction between Palm and its developer partners so that users could know when and where the data they have disclosed to Palm is being shared with third parties.

Would such a plan be too cumbersome? Too difficult to implement? Hardly. Five years ago it might have been easy for software vendors to brush off such a suggestion, but today such objections just sound disingenuous. The more it becomes apparent that vendors like Palm are already compiling individually identifiable user data at this level of granularity, the less comfortable customers will be with that data exchange remaining a one-way street.

The alternative is simple: regulation. The FCRA didn't come out of nowhere. The credit industry had to be dragged kicking and screaming toward transparency. So did corporate accounting -- and we all know the impact Sarbanes-Oxley compliance has had on enterprise IT. Do we really want new, blanket legislation regulating how providers of Internet-based software and services do business?

If the answer is no, then now is the time for action. The software industry must shed its complacent -- or conniving -- attitude toward customer data privacy. It's irresponsible to gather ever-increasing volumes of user data if we are not also leading the charge in developing new technologies to protect that data. Software vendors should also work to be more candid, upfront, and direct about the ways in which user data will be collected, used, and shared -- not hide such policies among pages of legal boilerplate. Providers of online software and services have a right to conduct business as they choose -- but they also have the responsibility to deal with customers with the honesty and fairness each of us deserves.