On the Android operating system details about the phone are available via the Android.OS.Build class. These details include things such as the phone manufacturer, model, version, etc. The customer may want us to collect this data and save it to our database for analytics and tracking. I think this raises some privacy concerns for the end user.
Are we obligated to inform the user that we are collecting this information (similar to how the use of the device’s capabilities, such as camera or microphone, is presented in the Play Store) and what we intend to use it for? If we are not required to do so, is this something that we should, from an ethical perspective, inform the user that we are doing?
4
The available hardware/OS specifications given to an application running on a device are no more secret than the user agent of a web browser hitting a given web page. I assume that every web site out there is collecting the information that I am browsing with a Linux Firefox application.
Some of this information is widely reported (Google has such information on the Android dashboard). Gathering and reporting the information back would be of invaluable use for marketing.
The question of whether this is a privacy issue is “are you reporting back information that can be uniquely identifiable to an individual?” If not, there is likely no privacy issue nor any ethical issue.
Realize that many people are quite savvy and analyze the data going back. If you do not disclose that you are reporting such, people might be frustrated or alarmist. But this is a question of whether you want to do that, the risks, the benefits, and how you want to respond.
One approach could be “on startup, put the information that you are reporting back in an alert and ask if they want to send the information back.” This gives the user a way to say “no”, and yet still collect the data (you only need to do this once). For additional user happiness, allow different fields to be reported (yes, I’m willing to report back the hardware and the os, but not the carrier).
1
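The per-field opt-in suggested in the answer above can be enforced in code with a default-deny filter placed in front of the upload. This is an added example, not code from the original posts; the class, method and field names are hypothetical and the device values are constructed samples.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: per-field, opt-in gating of device details before upload.
public static class ConsentedTelemetry
{
    // Fields the app would like to report (hypothetical names). On a device the
    // values would be read from Android.OS.Build (e.g. Build.Manufacturer,
    // Build.Model); here they are passed in so the logic runs anywhere.
    public static readonly string[] KnownFields =
        { "manufacturer", "model", "osVersion", "carrier" };

    // Returns only the fields the user explicitly allowed. Unknown keys and
    // fields with no recorded choice are dropped (default deny). Returns null
    // when the user has not been asked yet, so the caller prompts instead of sending.
    public static Dictionary<string, string> BuildPayload(
        IReadOnlyDictionary<string, string> deviceInfo,
        IReadOnlyDictionary<string, bool> consent)
    {
        if (consent == null) return null; // never asked: send nothing
        return deviceInfo
            .Where(kv => KnownFields.Contains(kv.Key))
            .Where(kv => consent.TryGetValue(kv.Key, out var ok) && ok)
            .ToDictionary(kv => kv.Key, kv => kv.Value);
    }

    // Text for the one-time startup prompt: lists the exact values that would be sent.
    public static string DescribeForPrompt(IReadOnlyDictionary<string, string> deviceInfo) =>
        string.Join("\n", deviceInfo.Where(kv => KnownFields.Contains(kv.Key))
                                    .Select(kv => $"{kv.Key}: {kv.Value}"));

    public static void Main()
    {
        // Constructed sample values, not read from a real device.
        var info = new Dictionary<string, string> {
            ["manufacturer"] = "ExampleCo", ["model"] = "X1",
            ["osVersion"] = "13", ["carrier"] = "ExampleTel", ["serial"] = "0000" };
        // The user agreed to report hardware and OS, but declined the carrier.
        var consent = new Dictionary<string, bool> {
            ["manufacturer"] = true, ["model"] = true,
            ["osVersion"] = true, ["carrier"] = false };

        Console.WriteLine(DescribeForPrompt(info));
        var payload = BuildPayload(info, consent);
        Console.WriteLine(string.Join(", ", payload.Select(kv => $"{kv.Key}={kv.Value}")));
        Console.WriteLine(BuildPayload(info, null) == null ? "not asked: nothing sent" : "sent");
    }
}
```

Keeping the filter as the only path to the network call means a field added to the collector later is not sent until it is also added to the prompt and the user has agreed to it.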
If you are collecting personally identifiable information (PII) then you should tell them quite loudly what you are doing. Beyond that it’s pretty much a given that most applications report non-PII usage info back to their home base.
However, in the real world, you should tell them if you are collecting anything at all, regardless of whether it's PII. You should explicitly spell out what it is you are collecting and give them the option to opt out.
Most vendors (Apple, MS, etc) have these types of usage / auto bug reporting features. And those vendors let you know exactly what it is they are collecting and why. They also give you the option to opt out of sending it.
This is expected behavior in today’s world regardless of any laws requiring you, as a developer, to do anything.
The reality is that even if you think it’s not PII, it can usually be linked to information that is. In most cases, this is OK. However, some people are uber paranoid (in many cases for good reason) and don’t wish our devices to tell anyone anything.
3