• by Steve Smith , Staff Writer @popeyesm, April 7, 2010

The mania over mobile apps is not going to abate soon. Even as the Apple app store seemed full to the brim, the Android platform is getting serious traction with developers, and Microsoft is repositioning Windows Mobile's next iteration as an app-centric operating system. And perhaps you didn't hear -- but deep background sources tell me that a new portable tablet-sized device that runs apps just came in under the radar this past weekend. But if anyone asks, you didn't hear it from me.

The mobile app model raises a number of interesting issues regarding data ownership and privacy. Location-based services (LBS) came into their own this year as apps like foursquare, Yelp, Gowalla, Loopt and others let users "check-in" from specific places. This process not only leaves a trail of usage data, but also leaves open a number of questions about who gets to see and retain this information about your usage. Mobile media is a complex stack of technologies and partners that now include the carriers, the mobile ad networks, the app operating system makers and literally hundreds of thousands of apps and scores of thousands of third party app providers.

I asked an old friend of Mediapost's, Alan Chapell of Chapell & Associates, about the state of mobile privacy and data handling under the new regime of apps. Alan chairs the Mobile Marketing Association (MMA) privacy committee and is himself a longtime consultant on privacy issues to online and mobile companies.

So who handles and owns all of this new kind of location-based data? "The bad lawyer answer is, it depends," says Chapell. "In many respects, all of them hold at least some of it." Traditionally, and before we grew this new app economy, the carriers pretty much had the ownership of usage data, and they controlled the programs and communications that came through our mobile handsets.

"LBS standards to data have fallen under the jurisdiction of the CTIA (Cellular Telephone Industry Association)," says Chapell. Two years ago, the CTIA issued a fairly rigid set of privacy guidelines around LBS that were recently revised. They involved giving the user notification and choice about being tracked. As Chapell points out, however, the new generation of LBS apps usually involve the user in a much more open but controlled release of their own data. "In an example like foursquare, you have a user who makes a choice to say that here I am going to check in, and here I am not. Here I may check in, but not share it with anyone. Here I may check in -- but share it with Facebook and not Twitter."

But the app economy and supply chain add a wrinkle to privacy that many of the early policymakers didn't anticipate - namely, the emergence of open and semi-open systems that move the center of gravity away from the network operators who once had tight control over just about anyone who wanted to get to consumers through the phone deck.

The MMA had great early success in tamping down potential irritants like SMS spam and shady content subscription models because the carriers could enforce "guidelines" for mobile commerce on everyone. MMA guidelines on how vendors could and could not sign people up for things like ringtone subscriptions and such were enforced in the U.S. by all the carriers who refused partners who wouldn't abide by them. The app universe breaks that control.

"I often compare the carriers to Boss Tweed," says Chapell. "It is easy to point fingers at them and say that they were the cause of all the problems in the ecosystem. But as the control has been wrested away from them, it makes things a lot more complicated and potentially more open to evil-doers of the world to come in and mess things up. It is not just the app world, but the Apple world and Google world. If you now control the operating system and you have things going on top of the operating system that are outside the carrier's control, then that is a whole different world."

The dirty little secret of the otherwise wondrous mobile app platforms is that no one really knows yet how to handle the layers of user data going every which way, including the most sensitive data point of all - where you are at any given moment.

Who owns this data point? Apparently, a lot of people. But then who is responsible for the privacy protections around the data -- and how many hands along the way touch it? Just because you want your friends to know that you were at a particular bar on Friday night doesn't mean you want marketers associated with the carrier, Google, Apple, or foursquare to know and act on it.

Where does a consumer go to opt out of this? Just a few years ago, carriers were really the main holders of this data, and most of them were too terrified of ticking their users off to let marketers get anywhere near it. Now, it doesn't really matter much what the carriers want. They are only one link in a chain.

Who in this system of hundreds of thousands of apps would enforce privacy and data handling policies? "It is going to have to be a bunch of folks," says Chapell. "It has to be the operating system folks. It is whoever controls the apps. It's whoever controls the pipes, which includes the carriers, but now on a lot of phones you have Wi-Fi. Even search providers and browser makers all have some ability and some control. And it is not entirely clear to me that mobile will head in the same direction as online media and develop the exact same set of standards."

Chapell tells me that the MMA is about to rethink its guidelines to account for a new universe of apps and start addressing some of the issues that the cross-industry consortium of IAB, 4As, DMA and Better Business Bureau are doing online. He suggests that some of the controls for LBS will revolve around data retention and especially how long entities hold and build your trail of locations. "I think mobile becomes a third rail for privacy issues when location bits are personally identified and tracked over a long period of time. But I think that if one can keep the retention period down, then the creepiness factor goes down significantly."

Perhaps. But in order to get there, we need to know who is holding which data, with what degree of personal identification, and with whom it is shared.

For now, and certainly for the next few weeks as the iPad enjoys our star-struck attention, the app market gets to dazzle us with its wild creativity. But at some point, even the mighty Apple, along with Google, RIM and their carrier partners will have to start to unravel this new daisy chain of user data.