Over the past year we’ve seen a marked increase in “adware,” software that contains ad networks that compromise a user’s privacy or interfere with his experience. While the majority of mobile ads are legitimate, there are a few bad ad networks that put users at risk. Ad networks and advertisers are both the gatekeepers for vast amounts of personal data and an important part of the overall mobile ecosystem; it’s important that they get user privacy right.
Currently, there is inconsistency in the way adware is classified by the mobile industry. This lack of clarity gets in the way of tackling the problem.
Today, we are announcing rules and standards for acceptable advertising practices that promote good user experience and privacy best practices. We will give the industry – ad networks, advertisers, app developers – a set amount of time to change their practices; if the advertising does not abide by these rules it will be classified as adware.
In 45 days, Lookout will classify as adware, ad networks that do not request explicit and unambiguous user consent for the following actions:
- Display advertising outside of the normal in-app experience;
- Harvesting unusual personally identifiable information;
- Perform unexpected actions as a response to ad clicks.
Lookout defines “consent” as a easy-to-read modal alert that notifies the user that the app includes an ad network capable of one or more of the listed behaviors above. It must also allow the user to accept or decline. The notice must be on its own, must not be part of a blanket terms of service, and above the fold. It must be mandatory for all app developers to implement. A good example is StartApp’s notification:
Any ad network that displays the behaviors listed below, without appropriate consent, will be considered adware on June 24, 2013. For a full look at ad network privacy and security best practices, please see our Mobile App Advertising Guidelines.
App Advertising Guidelines for Adware Classification
Ad networks that use out-of-app advertising must request consent before any of the below behaviors are exhibited:
- Delivering ads in the system notification bar (also known as “push” notification ads);
- Placing new icons or shortcuts on the mobile desktop;
- Modifying browser settings such as bookmarks or the default homepage;
- Modifying phone dialer settings such as the ringtone;
Unusual Harvesting of Personally Identifiable Information
Lookout considers collection of personally identifiable information unusual and generally unnecessary for collection by ad networks. Ad networks that collect any of below data must request consent when the application containing the ad network is first launched.
- The user’s MSISDN (phone number);
- The user’s email address;
- The user’s browser, phone call, or SMS history;
- The user’s IMSI (unless used for non-advertising purposes, such as carrier billing).
Unexpected Ad Click Responses
If for any reason, an ad network initiates phone calls or sends SMS message in response to a click on an advertisment, or for any other reason, it must prompt for consent each and every time the action is taken.