Privacy Advisor

Did NTIA's Multi-Stakeholder Process Work? Depends On Whom You Ask.

September 3, 2013

By Angelique Carson, CIPP/US

While many members of the National Telecommunications and Information Administration’s (NTIA) multi-stakeholder group on mobile app transparency will tell you they laud the NTIA’s efforts to bring together opposing forces to compromise on a self-regulatory code of conduct for mobile apps, not everyone is hot on the newly released code as it stands, and one consumer group says the NTIA isn’t the body that should lead the effort. Period.

The code, which took a year of meetings between industry, consumer advocates and government representatives in Washington, DC, to draft, requires app developers who voluntarily subscribe to it to adopt a short-form notice that describes the types of data they collect, provide users the ability to access a long-form policy and disclose both the sharing of user-specific data and the identity of the entity providing the app, among other requirements.

Boiled down, it aims to give consumers persistent, transparent notice about the data a mobile app is collecting and using about them and allows them to make decisions based on that information. See a breakdown of the standard here.

The Department of Commerce’s (DoC) Cam Kerry told The Privacy Advisor he was pleased with the multi-stakeholder process, though he did not confirm if the model would be used for future collaborations. Given the struggles to create a Do-Not-Track standard, for example, will this structure be effective in the future?

“We are delighted with the outcome here,” he said. “This is an important milestone in implementing the White House blueprint and really working through, successfully, the multi-stakeholder process.”

Can Industry and Advocacy Cooperate?

Pam Dixon of the World Privacy Forum, who is historically critical of self-regulatory efforts in general, participated in the process and said it changed her perspective. Rather than being industry-driven, consumer input was considered and compromises were reached.

“For me personally, it was kind of a put-your-money-where-your-mouth-is moment,” she said. “I had to either walk away because it wasn’t perfect or sit there and craft something that was a heavily negotiated document … Every single word in that document pretty much was negotiated. I was getting calls over commas and conjunctions.”

Not every bullet point on Dixon’s wish list was included in the final code, but that’s what negotiations are about, she said: “I don’t think full 100-percent consensus is ever going to be possible in a multi-stakeholder proceeding … There are just polarities in this space. There were some consumer groups who really just hated this. And then there were industry groups that hated it. But I think a rough consensus was there for sure.”

Not everyone has been so enthusiastic. The Direct Marketing Association’s Stu Ingis, for example, recently said the code is “not a consensus and not done.”

But disagreement is a part of the nature of the process, said the NTIA’s John Verdi, who facilitated the process.

“With that many diverse groups working together,” Verdi said, “certainly there are bound to be people who are not satisfied with particular outcomes, but that’s part of the nature of compromise.”

A little disagreement is one thing, but the Center for Digital Democracy (CDD) last week published a 34-page report calling the NTIA process “flawed from the outset” and claiming the process failed to examine the big picture. Mobile apps are only a part of the services collecting real-time data and operating targeting services, CDD argues.

The CDD’s Jeff Chester told The Privacy Advisor that the Obama administration—which called for the code—risks strengthening “the perception held by the EU and others that it doesn't support a robust consumer protection regime. The last year was a wasted effort, with a lack of commitment by the Commerce Department to seriously address privacy threats from mobile applications.”

Morgan Reed of the Association for Competitive Technology was more measured, saying any multi-stakeholder effort is simply “managed chaos,” and while the NTIA did a good job managing it as best it could, the problem in the end was a lack of real, usable knowledge.

“We’re voting on things we don’t even know about,” Reed said at an August 29 “lessons learned” meeting, adding that a greater focus should have been placed on education of how things are done “in the wild” before drafting rules.

Chester, however, seemed to think the NTIA process as a whole was a waste of time and called for the Obama administration to release its long-awaited privacy legislation proposal.

Susan Grant of the Consumer Federation of America agrees with Chester that the code won’t cut it.

“What we really need is a basic privacy law that creates a framework under which the stakeholders could conceivably fill in some things,” she said. “I don’t know if it’s possible to do anything useful and meaningful in absence of that.”

Asked whether a privacy bill from the White House can be expected, Kerry told The Privacy Advisor, “We have continued to look at legislation to implement the consumer privacy bill of rights mechanism and to strengthen multi-stakeholder processes. We have been in discussions with a number of members of Congress. We are certainly encouraged by the news that the House Subcommittee is going to have a privacy taskforce, and we look forward to working with them on a bipartisan basis.”

The CDD is also calling for the FTC to replace the NTIA in facilitating the process moving forward.

“The NTIA is incapable of leading an effort to protect consumer privacy,” Chester said. “Its job is to help expand data collection by U.S. companies all across the world.”

Chris Olsen of the Division of Privacy, Identity Protection at the FTC said at the meeting that that wouldn’t fly, though.

“We view ourselves as enforcers. Our job would be to enforce what comes out of the multi-stakeholder group,” he said. “Because of that, we’re less well-suited to serve a convener role and think the NTIA should continue that role.”

The Code Itself

“I know there are some consumer groups who detest the code. I like it,” WPF’s Dixon said. “I think it offers incremental but important information for consumers, and there are a couple of really important firsts for us. For the first time, we have data brokers included in a privacy notice regime and we also have the definitions of health and medical data, and they’ve been greatly expanded from previous self-regulatory regimes.”

That said, the code itself may not be ready to roll.

“Not all of us think that it’s totally there yet,” said Rachel Thomas of the Direct Marketing Association (DMA). “The goal of the NTIA process is to reach an outcome that is both technically feasible and widely adoptable by industry while at the same time providing a significant increase in transparency for consumers.”

Thomas said it’s important that the code is vetted before finalized, adding that DMA companies are reviewing it now.

Kerry agrees that there’s room for improvements.

“I think one of the great virtues of the multi-stakeholder code of conduct is that it is an iterative process,” he said. “This does not need to be the last word on the subject, and compared to rules and regulations, it’s far easier to come back as people learn from experience and as technology evolves and do another version.”

Verdi points to the 39 out of 40 stakeholders at the group’s July 25 meeting who voted to move toward testing and implementation, a plan Verdi said he’s comfortable with.

“We said from the beginning that consensus does not mean unanimity,” Verdi said. “No single person can stop the group from moving forward and improving privacy protections for consumers. If anyone suggests that there is more work to be done, I wholeheartedly agree. But I am really looking forward to seeing the enhanced privacy disclosures companies will roll out based on the work of this group.”

Dixon said she’s hearing the “busy sounds” of brands getting to work on testing and implementation, but it’s too early for a verdict.

On Implementation

Verdi said he’s optimistic that implementation and testing will be widespread, even among small developers. But both Verdi and Kerry acknowledge there may be a slow progression toward success, and it may be tough to reach small developers.

“That is exactly the challenge. When it comes to small developers, the challenge is translating a code of conduct into computer code. There are ways to encourage that, and there are tools that trade associations and others can provide to facilitate that process,” Verdi said.

The Association for Competitive Technology’s Reed reported that Apple, BlackBerry and TRUSTe are all conducting independent testing reviews, and between 25 and 30 app developers have indicated their willingness to put the short form on their apps for A/B testing.

“They’re willing to lead with their chin and see if they get a difference,” Reed said.

Kerry told The Privacy Advisor associations will be useful in encouraging members to develop tools to make it easier for small developers to write privacy protections in the absence of chief privacy officers or lawyers.

Verdi said that while the FTC has indicated it will look favorably upon companies adhering to the code when it comes to enforcement actions, enforcement in general will look more like a carrot than a stick.

“Trust is a critical foundation for the mobile app marketplace in particular,” Verdi said. “One reason the DoC decided to focus on the mobile space is that small app developers, with whom consumers may not have any previous relationship, rely on trust when it comes to ensuring an even playing field in the app marketplace. The stakeholder group focused on ensuring that companies be honest, upfront, transparent and concise about the most important privacy practices.”

Dixon said the fact that companies are starting to test is a good sign that this thing may be successful in the end: “I think that’s really positive and that’s the outcome we wanted.”

For now, it’s a waiting game. If the code doesn’t pass the test, the stakeholders may find themselves back together, red pens in hand.

Read More by Angelique Carson:
The Campaign for a Universal Declaration of Digital Rights
Former FTC Staffer Hired as FPF’s First Policy Director
Where Domestic Violence and Technology Collide
Warning Bells for an Enforcement Tsunami? Regulators and CPOs Weigh In