Researchers from Carnegie Mellon University launched a mobile app privacy grading system earlier this month called privacygrade.org. Last week, I wrote about privacy policies, and so this fit perfectly. I'm really excited to watch this project because it could be an initial phase of the taming of the wild android west.  The privacygrade team is led by Professor Jason Hong. The main contributors are Jialiu Lin, Shahriyar Amini, Song Luan, Mike Villena, and Richmond Wong.

Each app is assigned a letter grade between A and D based on:

  1. the gap between user expectation of an app's behavior and its actual behavior- the surprise factor;
  2. software analysis of app data collection and usage;
  3. use of data for the app's purpose vs. advertising;
  4. the characteristics of the libraries being incorporated into the apps; and
  5. user feedback regarding privacy expectations of an app.

If successful, this project will fill an important gap that has existed for consumers to evaluate and understand the apps they use.

For developers, this project provides a wealth of data and information that you may use to improve the quality of mobile apps you are developing. You can also use it to research and gauge what types of data use and collection are appropriate for the particular app you are developing.  For example, on the Stats page, the researchers have included all sorts of information categorized by type of app. Below are the most commonly collected types of data for business-related apps:

The project organizers provide the following advice in the FAQ on their site:

The most common problem that leads to low privacy grades is using too much personal data for advertising. For example, we've seen some ad libraries that want to use location data, contact lists, and cameras for advertising.

As part of our research, we have interviewed and surveyed many app developers. It turns out that many developers don't realize that the ad libraries they are including in their apps are accessing a lot of personal data. So, if you are using a lot of ad libraries, we encourage you to take a second look at what those libraries are doing, and see if there are other APIs that you can use that don't require so much personal data.

The key takeaways I see are:

  1. avoid apps with cartoon cat logos;
  2. investigate the third party libraries and tools you use to be sure you understand what data you are collecting;
  3. be sure that your app is collecting/using data that a typical user would expect you to use; and
  4. make sure your privacy policy is upfront and easy to read about how you collect and use data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.