Snowden's leak about spies tapping apps fires tech privacy debate

If you're not working in the technology industry, it might be a surprise to learn that tech workers are also shocked at the brazen theft of private and corporate data revealed by the Edward Snowden leaks.

The most recent revelation - that the NSA has been targeting analytics data from mobile app developers - is something very close to my heart because I am a mobile developer.

I use analytics to help improve my products and understand how users interact with them. At a basic level, analytics provide developers with the ability to see what sections of their app users access, how long they spend in sections, or how frequently they launch the app. For many developers this kind of benign, anonymous analytical information is crucial, as it helps them improve the functionality of their products. Snowden's leaks have revealed that apps like Angry Birds and others collect far more information about consumers than they would expect. This has been a point of contention in the developer community for some time now, especially with the rise of "free to play" or "advertising-supported" apps.

Obviously, developers would want to see some rate of return from the apps they're developing. Thus, many either collect this data to help target advertising they have in-app, or to on-sell to third parties. But what need does Rovio, the producer of Angry Birds, have for your specific location every time you decide to fling a pig at a bird? Conversely and more worryingly, if producers are making money from the on-sale of that data, what incentive is there to inform the consumer of this collection and to provide them with a mechanism to opt out? What considerations should Rovio be taking regarding the storage and security of that data?

Here's the worst-case scenario: say you download an app or a game that asks you to log in with your Facebook account and accesses your GPS information. If the app silently logs this info to the cloud in a manner that isn't encrypted, the NSA (or any other party for that matter), could easily have access to where you have been when you played the game, along with your full identity.

At a fundamental level, the mobile operating system you use can have an impact on this. Apple iOS applications are forced by the system to ask users for permission to access things like location, address book, photos and the like, and require user consent before the system will grant access. This consent is often given in the terms of service - which realistically, many don't even read.

This is why the mobile development community needs to have a discussion about privacy with their users, and figure out what degree of user collection is acceptable to them and what isn't. And as many companies have become addicted to this data for revenue, it's up to media outlets to inform consumers of the amount of their data that's being collected and on-sold.

If developers are so hungry to collect this data, they need to provide clear and concise information on how that data is used and whether it's on-sold to third parties. If developers are transmitting user-identifiable data to services in ways that are easily eavesdropped, they obviously aren't entirely concerned about the privacy of the consumers they are collecting data about. Consumers need to be educated to say "no more" to requests from software for things like location data, or contact information or photos if the app doesn't specifically need them.

As a user, if a to-do list app (on iOS at least) is asking for access to your location services and your address book, you'd best err on the side of caution and say no, unless there's an explicit and justifiable reason for the app to access that data. As for us developers, we need to collect and transmit data in a way that is secure so that third parties can't snoop on and steal the data. It's not only good corporate practice, it's a fantastic way to make sure you don't end up with egg on your face, surprising consumers with just how much data you're collecting on them without really letting them know.

The Guardian