
Tuesday, 21 October 2014

A Developer's Guide to Privacy and Fairness?

Over the past few months I've noticed a range of different articles expressing privacy concerns about mobile apps, wearable devices and internet-enabled things, like smart TVs and bathroom scales ("the Internet of Things") on the one hand; and initiatives like 'Midata' to help you create your own 'personal data ecosystem', on the other. But regulation aimed at unfair trading is also relevant in this context, as are the various security requirements being proposed at EU level in relation to payments and 'cybersecurity' more generally. Official guidance in these areas is often broad but not comprehensive, as in the summary of privacy rules given in the context of Midata. It would be great to see a more concerted effort to draw all the guidance together. I have suggested this to the SCL. In the meantime, this overview explains briefly where to find guidance on meeting privacy and fairness requirements when using apps and other devices for consumer marketing purposes.

Note: as a developer, it's worth reading such guidance as if you were a consumer, to understand the regulatory intent. As a consumer it's worth reading guidance aimed at firms, since that gives you a better insight into how things actually work 'behind the scenes'.

The Information Commissioner has plenty of practical guidance on privacy in the context of cookies, mobile applications and data sharing (and other guidance by sector or activity).

The Advertising Codes are important sources of information on how systems are supposed to behave in a marketing context.

PhonepayPlus has issued guidance on the use of premium rate numbers.

The Office of Fair Trading had plenty of guidance on how to comply with consumer protection regulation, which is now hosted by the Competition and Markets Authority, including principles for online and app-based games.

The OFT's guidance on what's appropriate in a consumer credit context, such as debt collection, is now in the FCA's consumer credit rules, and the FCA also recently consulted on updates to its guidance on financial promotions in social media.

Firms seeking FCA authorisation often have to provide a lot of detail on their IT systems and governance in the process. The proposed new EU directive on payment services will broaden the range of regulated services and go into considerable detail on data security. In fact, security standards will be produced by the European Banking Authority, just to add to the confusion.

Knowing where consumers can complain is a guide to other regulators who may be interested in how your application works. There is an overview of UK consumer complaints channels here. There are specific complaints bodies for sectors, such as energy, financial services and telecoms, as well as for activities, like advertising and processing personal data.

However, you should be aware that the Data Protection Act gives businesses separate rights to process your personal data in the following circumstances:
  • for the performance of a contract to which you are a party, or for taking of steps at your request with a view to entering into a contract;
  • for compliance with any legal obligation, other than an obligation imposed by contract;
  • in order to protect your vital interests;
  • either for the exercise of a function conferred on a business by law or for the exercise of any other functions of a public nature exercised in the public interest;
  • for the purposes of legitimate interests pursued by a business or by someone else to whom the data are disclosed, except where that processing is unwarranted by reason of prejudice to your rights and freedoms or legitimate interests.
Public sector bodies also have certain rights to use your data which I haven't covered here. However, it's important to mention the ID Assurance Programme run by the Government Digital Service team, which has issued useful guidance on ID assurance. And the Connected Digital Economy Catapult that builds platforms for SMEs is due to develop a code of practice on consumer protection.


Thursday, 11 September 2008

Enable Best Customers to Create Financial Services

All vendors and platform operators feel an obligation to look after their best customers. But to what extent are those customers really allowed to influence product development?

In the course of researching a presentation on the long tail of payments services for GikIII (a two-day workshop on the intersections between law, technology and popular culture), I've been struck by how these observations combine to emphasise the same point:
  • There is value in marketing "long tail" products if adding selection is cheap (as it is online): Anderson;
  • Compared with heavy users of online retail services, light users much prefer better selling products; both prefer “hit” products more than those in the tail; but it is the heavy users who venture into the tail: Elberse;
  • Successful Web 2.0 businesses are those that facilitate an 'architecture of participation': O’Reilly;
  • "Lead-user product development can be a far more effective means of innovation than conventional product development in a closed system": Sheahan (citing von Hippel, of course) and giving various illustrations of the same concept in Threadless, Jones Soda, LEGO's Mindstorms Users Panel, and of course Linux.
Suggestions that even "excellent retailers" have run out of ways to improve the online shopping experience, and the only scope for real innovation is on the buy-side, are way overdone. But it must be true that improved tools for buyers as well as, e.g. 'power sellers', are an important set of features in the overall consumer experience mix. And it should also follow that enabling your prolific buyers to add to the range of products available for all buyers is a powerful step to take. Some of those products might even prove to be popular enough to work their way up the 'tail'.

In the payments context, it's interesting that recent research by Datamonitor suggests financial institutions are too mired in last century's anxieties to let their online customers loose with a bunch of web-based tools.

Seems my 2008 predictions for the SCL are still holding up nicely!

Saturday, 17 November 2007

The Price of "Free" Software

The recent Open Source Summit alerted me to the fact that perhaps relatively few business people realise the commercial implications of relying on open source software.

A glance at the excellent programme shows why this should come as no surprise: there's an awful lot to get your head around just to understand what open source software is in the first place.

But let’s not lose sight of the wood for all the trees (the history and philosophical debate between the Open Source Initiative and the Free Software Foundation, the vast array of licences and the complexities of GPL2 vs GPL3 and AGPL3).

The fact is that software developers can easily import any computer code via the Internet without fully understanding the licence obligations. What seems "free" code can actually come with an obligation to license the source code for your proprietary product to the world, free of charge.

So, as Kat McCabe of Black Duck explained, sophisticated buyers of businesses are now requiring an audit of the source code for the target's IT systems and products in an attempt to exploit the target's inadvertent use of open source software, and reduce the price for acquiring the business. Overseeing that due diligence is Jim Markwith's legal role at Microsoft. And it explains the incredible degree of licensing rigour imposed on Nokia's open source programme by Dietmar Tallroth.

This is not an argument against using open source software. But anyone with an eye on the value of their business ought to get a handle on how their developers are operating and consider regular audits of their source code.