Sometimes, I wonder if anyone in the entire history of computing has every bothered to read and consider the contents of a typical end-user license agreement (EULA). Some Product Manager, I suppose (though truthfully, I’m not even sure of this one).
The EULA, however, is important. It’s the foundation of an vital consent ceremony that ends with only one effective choice: pressing OK. This much-maligned step in every software installation is the only real binding between an end user and a provider of software. Out of this agreement emerges a contract between these two parties and it is this contact that serves as a legal framework for interpretation should any issues arise in the relationship.
Therein lies the rub, as the emphasis in a EULA — as in so much of contract law — is on legal formalism at the expense of end-user understanding. These priorities are not necessarily mutually exclusive but as any lawyer will tell you, it’s a lot more work to make them coexist on a more-or-less equal footing.
Mobile devices may provide the forcing function that brings change into this otherwise moribund corner of the software industry. Mobility is hot right now and it is demanding that we rethink a wide span of business processes and technologies. These new demands are going to extend to the traditional EULA and the result could be good for everyone.
Case in point: the New York Times reported recently on a study conducted by the FTC examining privacy in mobile apps for children. The researchers found that parents were not being adequately informed about what private information was being collected and the extent to which it could be shared. Furthermore, many mobile app developers are channeling data into just a few commercial analytics vendors. While this may not sound like too big a deal, it turns out that, in some cases, these data are tagged with unique device identifiers. This means that providers can potentially track behavior across multiple apps, giving them unprecedented visibility into the online habits of our children.
You could argue that there is nothing new about this problem. Desktop applications have the same capacity for collecting information and so pose similar threats to our privacy. The difference is mostly the devil we know. After years of reading about the appalling threats to our privacy on the Internet, we have come to expect these shenanigans and approach the conventional Web guarded and wary. Or we don’t care (see Facebook).
But the phone, well the phone is just… different. Desktop computers — or even laptops — just aren’t as ever-present as phones. Your phone goes with you everywhere, which makes it both a triumph of technology and a tremendous potential threat to your privacy.
The problem with the phone is that it is the consumer device that isn’t. Apple crossed a chasm with the iPhone, taking the mobile device from constrained (like a blender) to extensible (like a Lego set) without breaking the consumer-orientation of the device. This was a real tour de force — but one with repercussions both good and bad.
The good stuff we live every day — we get to carefully curate our apps to make the phone our own. I can’t imagine traveling without my phone in my pocket. The bad part is we haven’t necessarily recognized the privacy implications of our own actions. Nobody expects to be betrayed by their constant companion but it is this constant companion that poses the greatest threat to our security.
The good news is that the very characteristics that make mobile so popular also promise to bring much needed transparency to the user/app/provider relationship. Consumer-orientation plus small form factor equals a revolution in privacy and security.
Mobile devices tap into a market so vast it dwarfs the one addressed by the humble PC. And this is the market for which consumer protection laws were designed. As we’ve seen in the Delta Airlines case above, the states have a lever and apparently they aren’t afraid to use it.
But legislation is only part of the answer to reconciling the dueling priorities of privacy and consent. The other element working in favour of change is size — and small is definitely better here. The multi-page contract just isn’t going to play well on a four-inch screen. What consumer’s need is a message that is simple, clear and understandable. Fortunately, we can look to the Web for inspiration on how to do this right.
One of the reasons I get excited about the rise of OAuth is because it represents much more than yet another security token (God knows we have enough of those already). OAuth is really about granting consent. It doesn’t try to say anything about the nature of that consent but it does put in the framework to make consent practical.
Coincident with the rise of OAuth on the Web is a movement to make the terms of consent more transparent. This will need to continue as the process moves to the restricted form factor of the mobile phone. I have no doubt that, left to their own devices, most developers would take the easy route and reduce mobile consent to a hyperlink pointing to pages of boilerplate legalese and an OK button. But add in some regulatory expectations of reasonable disclosure and I can see a better future of clear and simple agreements that flourish first on mobile devices but extend to all software.
Here at Layer 7, we are deeply interested in technologies like OAuth and the role these play in a changing the computing landscape. We are also spending lots of time working on mobile because, more than anything, mobile solutions are driving uptake around APIs. When we built our SecureSpan Mobile Access Gateway, we made sure this solution made OAuth simple to deploy and simple to customize. This way, important steps like consent ceremonies can be made clear, unambiguous and — most importantly — compliant with the law.