The High Costs of Free SDKs
December 8th, 2016
The High Costs of Free SDKs
In this day and age of massive data collection, data security and privacy are top of mind for many enterprises and consumers. The concern centers around the collection and use of Personally Identifiable Information (PII).
Enterprises that ship mobile apps need to be careful which third-party libraries and SDKs are included during the development stage. The issue is that many tools are available for free, but end up harvesting user data in order to monetize it through targeted advertising. The vast majority of the time this is against the legal policy of the enterprise, as well as the end user license agreement (EULA) between the company’s software and its end users.
Developers often have no idea this is happening behind the scenes for two reasons: (1) SDKs are black boxes, so the harvesting of the data is hidden from the developer; and, (2) to download the SDK, the developer signs up and agrees unknowingly to terms and conditions (click-through agreements) permitting the practice.
For example, here is a typical excerpt:
“Developer hereby grants _______ a nonexclusive, license-fee free and royalty-free right and license to access, copy, distribute, process and use all information, data and other content provided by Developer…”
After reading that, you’re probably worried for good reason. If you read through to the end of the statement, you might find that this data can be used “… for any other business purpose.”
Many companies we hear from are justifiably worried that the “other business purpose” equates to data harvesting — building user profiles to further enhance a dataset then sold for targeted advertisers, even to competitors.
The realization that developer freeware is exposing your customer data causes alarm. To prevent this from happening, digital leads should audit which service providers are in use, especially those that do not require payment or a subscription fee. Any third-party code or SDKs that did not receive signoff from legal should be removed immediately. Your legal professionals should review/redline the terms and conditions.
EU & COPPA
This practice is even more problematic for global enterprises, as well as enterprises that may have end users under the age of 13.
The Data Protection Directive outlines movement of personal data within the European Union. The replacement for Safe Harbor, EU-US Privacy Shield, still under legal scrutiny, outlines the transfer of that data to the US. Free tools will often try to get around the EU restrictions by requiring the developer to prompt the end-user for permission to release their personal information. In practice, this almost never happens for the reasons mentioned before: developers do not read the terms and product managers aren’t aware of the requirement. This puts enterprises out of compliance with data privacy laws in the EU.
Finally, companies that collect data from minors must comply with the Children’s Online Privacy Protection Rule (COPPA). Companies that harvest user information behind the scenes are not COPPA compliant. Parental consent must be given, along with many other requirements, in order to collect PII from minors.
While it can seem daunting to keep up with the latest regulations regarding data security and privacy, enterprises can deploy a proper vetting process to get ahead of any issues with their apps. We recommend you review the third-party tools embedded in yours apps, make sure your team is educated on the legal requirements, and ensure you’re in compliance with local regulations.
Disclaimer: this article is meant to represent by-proxy opinions held by our enterprise Fortune 500 customers. It is in no way meant to convey legal advice. Consult your user privacy counsel to assess the risk to your app.