TrustArc Blog

HTML5 and Mobile Privacy

May 25, 2011

By Janet Jaiswal
Sr. Director and Mobile Product Manager

Image Credit: Ashkan Soltani

What is HTML5?

HTML5 is the latest revision of the HTML standard for browser syntax and behavior, and its popularity, especially in the mobile world, is rapidly increasing. Although it is still under development, almost all mobile browser manufacturers support at least some of its features.

HTML5 is used to provide a rich user experience on mobile web sites. Some regular apps, such as Gmail, could invoke a browser window that uses HTML5 features. Such a browser window is technically separate from the regular app that invoked it.

Geo-location API – The Fastest Growing Feature of HTML5

The Geolocation API lets websites obtain location information (longitude and latitude) through JavaScript and send it to the remote web server of the company whose web site the user is accessing. The smartphone's location can be obtained through: 1) GPS, 2) cell tower, 3) WiFi hot spot (IP address), or any combination of the above. Note that geo-location services are often associated with GPS only, whereas a phone's geo-location can be obtained through other means as well. See the above diagram for how a smartphone's location information is captured and shared.

What is the Threat?

  • Inconsistent Web Browser Implementation. The HTML5 standard suggests that the operation should require users’ permission for access. However, given the fact that the HTML5 standard is still under development combined with the variety and volatility of the mobile browser landscape, the possibility that this restriction is implemented inconsistently with the location sharing preferences for the general apps is very high. For example, a user might be able to restrict geo-location services for certain regular apps and allow them for others. However, as long as the geo-location services are enabled on the device for at least one regular app, all HTML5 apps might be able to use them.
  • Third-party data collectors. The standard potentially enables the ad companies displaying ads on mobile web sites to obtain users’ location without the knowledge or consent of the web site owner, and in contradiction with the web site owner’s privacy policy. For example, the web site owner might genuinely say in their privacy policy that they don’t collect user location. However, they might be serving ads on their web site that do. Although TRUSTe doesn’t have any specific example at the moment of writing this blog, the dynamic nature of the mobile advertising industry suggests that the widespread misuse of HTML5 geo-location features by ad companies is only a matter of time.
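
A site owner can watch for the third-party case above from their own pages. The JavaScript below is an added example, not code from TRUSTe or the original post: it wraps the Geolocation API's `getCurrentPosition` and `watchPosition`, attributes each call to a script origin from the stack trace, and denies origins outside an allow-list. The origins `shop.example.com` and `ads.example.net`, the stand-in geolocation object and the stack traces are constructed for the demo.

```javascript
// Added example; origins, stack traces and the stand-in geolocation object are constructed.

// Nearest non-site origin in a stack trace, else the site origin itself.
// Matches Chrome ("at f (url:1:2)") and Firefox ("f@url:1:2") frame formats.
function callerOrigin(stack, siteOrigin) {
  const urls = String(stack).match(/https?:\/\/[^\s)]+/g) || [];
  for (const u of urls) {
    const origin = new URL(u).origin;
    if (origin !== siteOrigin) return origin;
  }
  return siteOrigin;
}

// Wrap both location-reading methods of `geo` (navigator.geolocation in a browser).
// `allowed` lists third-party origins the privacy policy covers; `log` collects events.
function auditGeolocation(geo, siteOrigin, allowed, log, getStack = () => new Error().stack) {
  for (const method of ["getCurrentPosition", "watchPosition"]) {
    const original = geo[method].bind(geo);
    geo[method] = function (success, error, options) {
      const origin = callerOrigin(getStack(), siteOrigin);
      const permitted = origin === siteOrigin || allowed.includes(origin);
      log.push({ method, origin, permitted });
      if (permitted) return original(success, error, options);
      // Same shape as a user denial: code 1 is PERMISSION_DENIED.
      if (error) error({ code: 1, message: "geolocation blocked by site policy" });
      return method === "watchPosition" ? 0 : undefined;
    };
  }
}

function demo() {
  const fix = { coords: { latitude: 37.77, longitude: -122.42 } };
  const geo = {
    getCurrentPosition: (ok) => ok(fix),
    watchPosition: (ok) => { ok(fix); return 7; },
  };
  const stacks = [ // first-party store locator, then an ad tag called from the page
    "Error\n    at storeLocator (https://shop.example.com/js/store.js:14:9)",
    "track@https://ads.example.net/tag.js:3:21\nrun@https://shop.example.com/js/app.js:88:5",
  ];
  const log = [], got = [];
  auditGeolocation(geo, "https://shop.example.com", [], log, () => stacks.shift());
  const onFix = (p) => got.push(p.coords.latitude);
  const onErr = (e) => got.push("denied:" + e.code);
  geo.getCurrentPosition(onFix, onErr);
  geo.watchPosition(onFix, onErr);
  return { log, got };
}
console.log(demo());
```

In a browser, pass `navigator.geolocation` and load the wrapper before any ad tag. It only sees scripts running in the page itself, because an ad served in a cross-origin iframe has its own `navigator` object.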

What Can a Mobile Web Site Owner do?

Most companies realize that having a mobile site is almost required in order to stay on par with their peers. More and more users are using mobile devices to access their favorite sites and learn of new ones. Increasingly, those sites that provide a rich user experience are rewarded with loyal users. HTML5 enables a business to provide a rich user experience that can rival the experience of a mobile app.

In order to not lose a user due to loss of trust, a company should check for the following:

Update your privacy policy to reflect your practices on the mobile web site. Many companies that have a web site privacy policy incorrectly think that the same privacy policy is also sufficient for their mobile web site. However, this is not the case: the mobile site privacy policy requires additional disclosures and, in some cases, a modification of the existing disclosures. Examples of additional disclosures include the use of geo-location, advertising that uses geo-location, or the use of the device's unique identifier.

Make sure that any third party data collector, such as an ad company, on your mobile website has practices that are consistent with your privacy policy. If you aren't sure, perform a check before you accept ads from them. Remember, users whose data is collected without their consent aren't going to care who did the actual collection; all they are going to remember is that when they visited your site, their information was collected without their express consent. Guilt by association applies here, so you want to proceed with caution when your brand and reputation are at stake.

Notify users when you are collecting their data. If users know that you are collecting data and there is a good reason for it, they are likely to grant permission and reward you for respecting their privacy. Here's an example of when it's okay for you to track a user's location: a user wants turn-by-turn directions to your nearest location from their current location.

TRUSTe’s Mobile Privacy Certification Program Can Help

More than 50% of retailers have a mobile presence and 26% of people who aren't mobile have plans to go mobile in the next 7-12 months, according to FitFor Commerce's M-commerce survey. In order to lessen user concerns and increase your mobile initiatives' success, TRUSTe strongly believes that you have to create a strategy to address privacy concerns across all user-facing activities. To learn more about TRUSTe's programs, including our mobile web and mobile app certification program, visit us at www.truste/mobile.
