After a board meeting of the Developers Alliance back in early 2018, a few of us discussed the (then) coming GDPR requirements - and how they would impact developers here in the U.S. The sense was that eventually, the U.S. would follow in Europe’s footsteps - and because of the political uncertainty, those regulations could take a number of directions.
In an effort to lead that direction to a place that we believe best works for developers, development and innovation - while also protecting our privacy and data as citizens - we undertook to get out ahead of government regulation by creating a grassroots program that the Developers Alliance could spearhead.
That conversation continued and grew and eventually, thanks to considerable effort from some hardworking folks at the Developers Alliance, became the Developers Trust Alliance.
To create the framework and principles of the DTA, the team from the Developers Alliance spoke to developers and development shops across the spectrum. They surveyed the best of what’s being done today to protect users. And they considered the needs of those creating the innovation that is powering our society.
The resulting organization and the principles it aims to uphold can, in my estimation, help to create the most important element required between those who build technology and the people who use it: Trust.
As such, it is an honor for me as President of MEDL Mobile to sign on as a founding member of the Developers Trust Alliance. As a member, we have promised to uphold the principles of the organization, and to work with our clients with the goal that they do the same. And while we, and all developers, will need to implement these guidelines in a way that best accomplishes each client’s business goals, the principles remain the same.
There are eleven principles in total, and they fall into three categories: Openness and Transparency; Security and Data Integrity; and Responsible Data Stewardship.
The principles are:
1. INTRODUCE YOURSELF
Developers should clearly identify themselves and provide mechanisms for users to easily connect and interact on privacy issues. Developers should not seek to mislead users or to hide their identities.
2. INFORM BEFORE ACCESS
Developers should not access or allow access to any user content or private user data without informing the user in advance in clear and simple language. This includes clearly establishing the user’s identity before allowing them access to their previously shared personal data or content.
3. OBTAIN EXPLICIT CONSENT
Developers should obtain consent before accessing user content or private user data. Developers should explain in clear and simple language what user content or private user data will be accessed and what it will be used for (including uses beyond the service involved), including what service limitations would result from denied permission, before asking for user consent.
4. EXPLAIN DATA RETENTION PRACTICES
Developers should indicate whether specific data use will be transient (queried, used, and immediately forgotten) or retained, and whether data will be stored locally on the user’s device or transmitted and stored remotely.
5. DISCLOSE WHO ELSE MIGHT HAVE ACCESS TO DATA
If user content or private user data will be shared with third parties, developers should inform users of the obligations they will impose on those involved, the purpose for sharing, the names or attributes of the third parties involved, and seek consent in advance of access.
6. PROVIDE NOTIFICATION OF CHANGES & SIGNIFICANT EVENTS
Developers should inform users in the event of breach, legal process, or a change in practice or business control that implicates user content or private user data, the developer/user relationship, or privacy policies.
7. SECURE YOUR SYSTEMS
Cybersecurity and physical security measures should be taken to ensure systems integrity. Industry best practices should be in place throughout the development process.
8. DESIGN SYSTEMS TO MITIGATE DAMAGE
Developers should explicitly acknowledge the risk of breach, and should take steps to minimize the damage to users and themselves, and limit the value to attackers, when designing systems.
9. PLAN FOR FAILURES
Backup and remote storage procedures should be in place to ensure continuity and resilience in the event of system failures.
10. BE A GOOD CUSTODIAN
Developers should act on the user’s behalf in protecting and defending user content or private user data under their control.
11. RESPECT THE RIGHTS OF USERS TO CONTROL OR INFLUENCE HOW DATA IS USED
Developers should provide users with the ability to access, retrieve, or permanently delete their content and private user data, and should carefully consider user impacts when deciding how shared data is used.
We’ll now start displaying the verified Developers Trust Alliance badge on our website - and I’m incredibly proud of all that signifies. If you’re a developer who shares our passion for respecting privacy while driving innovation, I invite you to join us at www.developerstrustalliance.org. Perhaps if we get out ahead of this issue as a community - we can help lead policymakers toward a path that truly works best for the future.
If you're a developer, I encourage you to take this survey and help shape the future of consumer trust.
- Dave Swartz, President, MEDL Mobile