The National Privacy Commission (NPC) has called on developers of instant messaging apps to reduce the number of permissions that they require before users can use their apps.
The IM applications often seek permissions to access features in a user’s device, such as contacts, microphone, location, camera, photos, and files. Though they ask permission from the user to grant access to certain features of their device, a denial would prevent a user to effectively use such application.
“The NPC believes that limiting access to the full features of IM apps due to the user’s denial to grant app permissions may be unnecessary. Thus, the NPC is encouraging these IM developers and their companies to revisit their policies and allow users who opted to refuse to grant app permissions, due to data privacy concerns, to allow them full access of their apps features,” the agency said in a statement on Friday, June 25.
The NPC recommended the following guidelines for developers of IMs to respect the users’ privacy by allowing them to opt-out of device permissions that can track, store, and access their data:
1. Request minimum permissions. Look for alternatives that will help limit the number of permissions you seek. Specific permissions that get denied by users often should influence subsequent updates to the IM app.
2. Ask for access only in appropriate timings. Tweak the user interface in a way that it provides an explanation. While some in-app features are necessary to operate the app, some are only needed to improve user experience. For example, in meetups, users press location sharing in their IM apps to know each other’s proximity or location. Never force or let users accidentally allow access to optional features.
3. Plan for users to select deny. Whenever possible, minimize how long the app is permitted to access a device’s features. The user can allow a permission through the following options:
- While using the app. The IM app will have access to the specific permission only if the app is active or in use.
- Only this time. The IM app will have access once or at the time it was granted, and access will automatically be revoked.
- Deny. If the requested permission is denied:
- Do not lock out users from using your app. Whenever possible, users must still be allowed to use the app even if they choose the “deny” option. For example, denying microphone permission will still let users browse messages and chat through the app.
- Expect permanent deny. Do not push users to go to their device’s Settings page. Ask for permission and allow the permission to be dismissed within the app.
4. Access sensitive permissions only when the user expects it. Instant messaging apps must show visual indicators that it is currently accessing sensitive permissions such as camera and microphone.
5. Pay attention to libraries. Regularly review current data, especially sensitive data, accessed by external parties through components such as Application Programming interfaces and libraries.
6. Practice privacy engineering. Privacy engineering integrates the data privacy principles of transparency, legitimate purpose, and proportionality into the life cycle of software development. This helps the software achieve privacy-by-design and privacy-by-default.
The NPC said the responsibility of protecting data privacy rights of IM users does not fall solely on the developers. Aside from embedding privacy by design in these applications, users can secure the app by applying restrictions.
“Simple configurations to the instant messaging app such as setting off your active status, sync contacts, who can see your birth date, and location help maintain your privacy. Applying a passcode or fingerprint lock as well as two-step verification are examples of adding another layer of security to the app you are using,” NPC chair Raymund Liboro said.
Users are also advised to examine and tweak the privacy and security settings of their IMs by being vigilant when conversing with strangers and practicing caution when joining group chats.
Members of group chats will gain access to your phone number once you permitted to join. However, some IMs allow users to prohibit anyone from viewing their phone number.
“Do not click links and files sent via IM apps from unknown senders or if you are not expecting to receive them. These links and files may be attempts to phish information from you, or they may carry malware that can infect your device,” Liboro warned.
