Many of today's mobile and Web applications collect personal data. This makes plenty of users pause before downloading. To ease user's minds -- and to help developers demonstrate that they have legitimate reasons for collecting that information -- MyPermissions has established a permissions certificate process to deem apps 'trustworthy.'
By Paul Rubens
Someone, somewhere, is about to install the mobile app that took you hundreds of hours and cost thousands to dollars to develop. Just as he’s about to, though, he changes his mind — and you’ve just lost another potential user.
This scenario happens to developers every day. Often, it’s a matter of trust. Many apps request permissions to access private data of many different types. Users — quite rightly — are often reluctant to grant those permissions to an app they have no reason to trust. Do they really want the app to be able to post “on their behalf” on social networks?
“Some apps ask for access to your phone log or your photos, and you start scratching your head as to why,” says Olivier Amar, CEO of MyPermissions, a company that has set up a free permissions certification process for developers. “Sometimes, developers really need those permissions, but they don’t have a way to explain that.”
Developers Must Meet ‘Clear Guidelines’ for MyPermissions Certification
MyPermissions’ certification program covers mobile apps as well as also websites and other applications that connect to online services (such as Twitter or Instagram) or that allow users to authenticate themselves using services such as Facebook Connect. That’s important because about 80 percent of the top 100 iOS apps, and almost two-thirds of the top 100 Android apps, use Facebook Connect to let users sign in to the games or services they provide, Amar says.
To become MyPermisions Certified, developers must go through a form-filling process. This includes a review of the required permissions and a privacy questionnaire that justifies the personal information that their apps access and details why they need it. “We have guidelines, and they are very clear,” Amar says.
Any developer asking for permissions that contravene these guidelines will have to make changes in order to become certified, he explains. “We won’t certify author[s] if we can’t understand why they want certain types of information. Why do they want to know your friends of your political views? An answer like ‘We might need it in the future’ is not acceptable.”
Amar says the certification process is fairly painless. If a developer’s well-organized, it can take as little as 20 minutes. Otherwise, the process could very well last weeks.
Of course, this raises a key question for developers: Why bother? Why go through such an administrative process just to get a certification that, let’s face it, most users have never heard of?
One answer is that it allows you to establish your trustworthiness. Users who are curious can click on the “MyPermissions Certified” logo to bring up information about the certification, along with an explanation of why you needs each permission and what you will do with the personal data your app can now access.
Perhaps a better answer is that it may bring more users to your apps. During testing, apps that displayed the MyPermissions Certified mark saw conversion rates rise between 5 percent and 9 percent, Amar says. (In this case, “conversion rate” means users actually ran the applications after downloading them or signed into them using a system such Facebook Connect, rather than abandoning them.) That’s a significant amount of numbers users — and it could provide a useful increase in revenue as well.
Given that most people have never heard of the MyPermissions certification scheme or know what the “Certified” mark means, does it really work?
Rounds — developer of the video chat service that can be accesses through an iOS or Android mobile app, through the company’s website, or as a Facebook or Chrome app — went through the MyPermissions certification process.
“When you download the app, the first screen you see when you connect via Facebook is the MyPermissions certification,” says Rounds CMO Natasha Shine-Zirkel. “Even if the user doesn’t know what MyPermissions is, seeing that we are certified by a third party means a lot to end users. They trust us.”
There’s hard evidence to support this, too. When the company started to display the MyPermissions Certified mark on its start screen, it saw an 8 percent rise in the number of people who downloaded the app and then logged on using Facebook Connect, Shine-Zirkel says. (That said, a simultaneous application redesign may have contributed to the increase as well.)
Binpress, a marketplace for commercial open-source projects, also earned MyPermissions certification. CEO Adam Benayoun set up an A/B test on his website and found that “significantly more” people signed up when presented with the MyPermissions Certification mark than when they weren’t.
“We saw the difference the same day,” he says. “A lot of people clicked on the seal to find out what it meant — but, in fact, a lot of people just saw the seal and it inspired trust. That’s important. So many people decide not to sign up at the last minute because they don’t trust you.”
Changing Application Permissions May Require Recertification
For now, many users seem willing to accept a third party trust mark, even if they don’t know exactly what it means. But what happens if developers abuse this trust by adding extra permissions or using information in new ways after they’ve been certified?
Amar says his company monitors more than 400,000 apps. If any certified companies change their permissions, then they’re contacted if MyPermissions is not happy. If changes aren’t made to bring the app in to compliance with the program, then it could lose its certification.
The risk, of course, is that unscrupulous developers could use the Certification mark anyway. In those circumstances, MyPermissions is prepared to pursue legal action, Amar says. If the developer is based overseas, in a country that’s effectively beyond the law, then there’s little the company could do, he concedes.
Nevertheless, the attractions of the certification program seem clear. Aside from the time it takes to participate, it costs nothing to join. (This will change in the future, with a $50 monthly charge for applications with more than 100,000 users.) If it really does result in a 9 percent increase in users for your app every month, then getting certified might make a lot of sense.
Paul Rubens is a technology journalist based in England. Contact him at email@example.com. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.