Recent studies have demonstrated that as many as nine of out ten Canadians are concerned with how their personal information is collected, secured and sold by businesses. These concerns, over where data is stored, how it is collected, and by whom, has at times impeded the use of technology in the legal profession, where the information being stored is regularly the most confidential information a person possesses. The law on privacy is far from clear. Nor is it the only consideration developers need to be concerned with when developing an app or program for use by the general public. Developers must be aware of the social repercussions of privacy intrusions that may not be illegal as well.
(Credit: XKCD at https://xkcd.com/1269/)
There are a number of incentives for a developer of an app to intrude on their user’s privacy. These incentives vary greatly in terms of who receives the benefit of the infringement, and the extent to which they infringe privacy. For example, a developer might decide to allow users to store their information on the application to facilitate ease of use over time. A user would be able to access the advice and information received without answering all the questions needed each time. This information could be stored offline, on the user’s device and of course only with consent. This would deal with many of the privacy concerns that might arise.
Keeping the information offline however means that a user could not access their information on any other device such as on a laptop, or another device owned by the user. From an ease-of-use standpoint, it might make sense to allow information to be input on a computer at home, then, at a later date have the recommendations be brought up in court on a smart phone. To allow this a developer might upload the information to a cloud server. This has privacy implications in that a user’s personal information would then be hosted by a third party who could, theoretically, hand it over to authorities or review it themselves.
Users are often unaware of just how quickly their privacy can be violated. The Canadian Broadcasting Corporation (CBC) provided a demonstration earlier this year of how quickly an application could be used for rogue purposes. After creating a horoscope app in a day, the CBC could use it to access users text messages, call history, photos and even take photos in real time without the users’ knowledge. For many of those users’ whose information was taken it was an eye-opening experience, and served to underline the inherent responsibility a developer has regarding their users’ privacy.
The Privacy Commissioner of Canada has provided general considerations for developers to keep in mind. The five key considerations can be summarized as:
- Developers are accountable for their conduct and their code.
- Developers should be open and transparent about their privacy practices.
- Developers should collect and keep only the data needed to make the app function, and secure it.
- Developers should strive to obtain meaningful consent.
- Developers must provide the above at meaningful times, such as when the data is being used.
More information on the legal requirements in British Columbia and across Canada can be found at the Privacy Commissioner of Canada’s website here. Regardless of which jurisdiction a developer is publishing from, it would be best practice to ensure compliance with the privacy legislation of any region where the developer intends the app to be used in.
Taking more than just legal considerations into account is vital to the success of any app, but particularly so in the development of an app in the field of law. Users must be able to trust the application to adequately protect their privacy and what is required for trust will often be more than the bare minimum legal requirement. An app focused on helping abused youth will have drastically different privacy expectations from the public at large than one focused on strata disputes – but both are subject to the same legal requirements. Developers of legal apps in particular must be vigilant about the use of their users’ information, given the sensitive nature of the data being collected and used. Given the central roles that privacy and the justice system play in our society, adding technology into the mix must be done with unwavering caution.
This is a topic that I’ve thought about since I first started using apps. I can still recall the first time I read the permissions required by the Facebook App and how appalled I was by their extent. I was shocked that Facebook sought to intrude into my privacy in such a profound manner, and all so that I could post funny cat videos. In a legal app it seems to me that the potential jeopardy of privacy infringement or breach is much, much higher. One would imagine that the seriousness of privacy concerns in a legal context warrants extra protection, but – as you point out – that might not be the case. I think it behooves all app developers to pay careful attention to privacy protection; legal app developers even more so.
Great read. Well done Scott!