7

On the Android operating system, details about the phone are available via the Android.OS.Build class. These details include things such as the phone manufacturer, model, version, etc. The customer may want us to collect this data and save it to our database for analytics and tracking. I think this raises some privacy concerns for the end user.

Are we obligated to inform the user that we are collecting this information (similar to how the use of the device's capabilities, such as camera or microphone, is presented in the Play Store) and what we intend to use it for? If we are not required to do so, is this something that we should, from an ethical perspective, inform the user that we are doing?

Thomas Owens
Alex Wiese
  • as far as I can tell, changes made in [rev 2](http://programmers.stackexchange.com/posts/187642/revisions) made the question worth reopening (and totally invalidated [the pre-edit answer](http://programmers.stackexchange.com/a/187645/31260) by the way). Title still feels a bit slippery but that's rather minor. – gnat Feb 20 '13 at 19:13
  • You need to take this up with legal if you want a usable answer, we can only hem and haw about what we've seen and think, but absolutely none of this should be acted upon as though you had received proper legal advisement. Privacy issues are seriously messy right now, especially if your app can be bought in multiple countries as can many apps on the play store. – Jimmy Hoffa Feb 21 '13 at 17:16
  • @JimmyHoffa Yes I totally agree with you. We will definitely need legal advice. Unfortunately our product requirement is dictated solely by our customer and they don't think privacy is an issue at all. – Alex Wiese Feb 21 '13 at 22:51
  • then the onus is on the client, if they say go then feel free so long as they're the ones hosting the data (if you host the data it's your company's responsibility regardless of client requests). If your management team says they aren't concerned then it's not your job to worry, just get it in an e-mail you save from them lest someone complain and they come around asking why you didn't raise the issue. Basically, don't worry about legal so long as *you* CYA. – Jimmy Hoffa Feb 21 '13 at 23:08

2 Answers

3

The available hardware/OS specifications given to an application running on a device are no more secret than the user agent of a web browser hitting a given web page. I assume that every web site out there is collecting the information that I am browsing with a Linux Firefox application.

Some of this information is widely reported (Google has such information on the Android dashboard). Gathering and reporting the information back would be of invaluable use for marketing.

The question of whether this is a privacy issue is "are you reporting back information that can be uniquely identifiable to an individual?" If not, there is likely no privacy issue nor any ethical issue.

Realize that many people are quite savvy and analyze the data going back. If you do not disclose that you are reporting such, people might be frustrated or alarmist. But this is a question of whether you want to do that, the risks, benefits, and how you want to respond.

One approach could be "on startup, put the information that you are reporting back in an alert and ask if they want to send the information back." This gives the user a way to say "no", and yet still collect the data (you only need to do this once). For additional user happiness, allow different fields to be reported (yes, I'm willing to report back the hardware and the os, but not the carrier).
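One way to implement the ask-once, per-field prompt suggested in the answer above, as an added example that is not part of the original answer. It is written in Java against `android.os.Build`, the Java form of the Build class the question mentions; the class name `DeviceReportConsent`, the preference names, the dialog wording and the field list are hypothetical.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Build;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper: per-field, ask-once consent for device-detail reporting. */
public final class DeviceReportConsent {
    private static final String PREFS = "device_report_consent"; // assumed prefs file name
    private static final String KEY_FIELDS = "allowed_fields";   // assumed prefs key
    private static final String[] FIELDS = {"manufacturer", "model", "os_version"};

    /** Current values of every field that could be reported. */
    static Map<String, String> allFields() {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("manufacturer", Build.MANUFACTURER);
        m.put("model", Build.MODEL);
        m.put("os_version", Build.VERSION.RELEASE);
        return m;
    }

    /** Only the fields the user ticked; empty if they declined or were never asked. */
    public static Map<String, String> consentedReport(Context ctx) {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        Set<String> allowed = p.getStringSet(KEY_FIELDS, new HashSet<String>());
        Map<String, String> report = allFields();
        report.keySet().retainAll(allowed); // default-deny: drop anything not opted in
        return report;
    }

    /** Shows the exact values once; nothing is pre-ticked and "No" stores an empty set. */
    public static void askOnce(Activity activity) {
        final SharedPreferences p = activity.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        if (p.contains(KEY_FIELDS)) return; // the user has already answered
        final Map<String, String> values = allFields();
        final Set<String> chosen = new HashSet<>();
        String[] labels = new String[FIELDS.length];
        for (int i = 0; i < FIELDS.length; i++) labels[i] = FIELDS[i] + ": " + values.get(FIELDS[i]);
        new AlertDialog.Builder(activity)
            .setTitle("Send these device details?")
            .setMultiChoiceItems(labels, null, (d, which, checked) -> {
                if (checked) chosen.add(FIELDS[which]); else chosen.remove(FIELDS[which]);
            })
            .setPositiveButton("Send selected", (d, w) -> p.edit().putStringSet(KEY_FIELDS, chosen).apply())
            .setNegativeButton("No", (d, w) -> p.edit().putStringSet(KEY_FIELDS, new HashSet<String>()).apply())
            .setCancelable(false)
            .show();
    }
}
```

The upload code would send only what `consentedReport` returns, so a user who was never asked or who tapped "No" contributes an empty report.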

1

If you are collecting personally identifiable information (PII) then you should tell them quite loudly what you are doing. Beyond that it's pretty much a given that most applications report non-PII usage info back to their home base.

However, in the real world, you should tell them if you are collecting anything at all regardless of whether it's PII. You should explicitly spell out what it is you are collecting and give them the option to opt out.

Most vendors (Apple, MS, etc) have these types of usage / auto bug reporting features. And those vendors let you know exactly what it is they are collecting and why. They also give you the option to opt out of sending it.

This is expected behavior in today's world regardless of any laws requiring you, as a developer, to do anything.

The reality is that even if you think it's not PII, it can usually be linked to information that is. In most cases, this is OK. However, some people are uber paranoid (in many cases for good reason) and don't wish our devices to tell anyone anything.

NotMe
  • Collecting PII without notification is perfectly legal in Uganda. This question must be answered by a lawyer, which P.SE doesn't keep on staff. – Jimmy Hoffa Feb 21 '13 at 17:15
  • @JimmyHoffa: The part about from an "ethical perspective" doesn't have to be answered by a lawyer and is certainly fair game here. My answer covers that perspective which is more open about information disclosure than any current law on the books regardless of country. – NotMe Feb 21 '13 at 18:05
  • Actually the ethical system of the Mongols dictates it would be unethical to tell someone you are storing their data. Ok, so I made that up, but the ethical question is extremely subjective, and again very different from culture to culture. The ethical question is 100% subjective and lacking one true answer. – Jimmy Hoffa Feb 21 '13 at 18:08