Digital minister’s app lands on data watchdog’s radar after privacy cock-up

UK digital minister Matt Hancock, who’s currently busy with legislative updates to the national data protection framework, including to bring it in line with the EU’s strict new privacy regime, nonetheless found time to launch an own-brand social networking app this week.

The eponymously titled: Matt Hancock MP App.

To cut a long story short, the Matt app quickly ran into a storm of criticism for displaying an unfortunately lax attitude to privacy and data protection. Such as pasting in what appeared to be a very commercially minded privacy policy — which iOS users couldn’t even see prior to agreeing to it in order to download the app… [Insert facepalm emoji of choice]

In the words of one privacy consultant, who quickly raised concerns via Twitter: “You’d think the Digital Minister and one responsible for data protection package would get privacy right.”

Well — news just in! — the UK’s data protection watchdog isn’t entirely sure about that latter point, because it’s now looking into the app’s operation after privacy concerns were raised.

“We are checking reports about the operation of this app and have seen other similar examples of such concerns in apps as they are developed. So to help developers, we produced specific guidance on privacy in mobile apps,” an ICO spokesperson told TechCrunch in response to questions about the Matt app.

“The Data Protection Act exists to protect individuals’ privacy. Anyone developing an app needs to comply with data protection laws, ensuring privacy is at the forefront of their design,” the spokesperson added, pointing to the agency’s contact page as a handy resource for “anybody with concerns about how their personal data has been handled”.

(For the full lowdown on the Matt Hancock privacy snafu, I suggest reading The Register’s gloriously titled report: What a Hancock-up: MP’s social network app is a privacy disaster.

This forensic Twitter thread, by the aforementioned consultant, @PrivacyMatters, is also a great exploration of the myriad areas where Matt Hancock’s app appears to be messing up in data protection T&C terms.)


Of course the minister didn’t intend to generate his own personal privacy snafu.

He intended the Matt Hancock App to be a place for people in his West Suffolk constituency to keep up on news about Matt Hancock, MP.

Among the touted “Core benefits for Constituents” are:

  • Never miss out on local matters via private networks
  • A safe, trusted, environment where abuse is not tolerated and user data is not exploited

But Hancock outsourced the app’s development to a UK company called Disciple Media, which builds so-called “mobile-first community platforms” for third parties — including musicians and social media influencers.

And whose privacy policy is replete with circumspect words like “may” and “including” — making it about as clear as mud what exactly the company (and indeed what Matt Hancock MP) will be doing with Matt Hancock App users’ personal data.

Here’s a sample problematic para from the app’s privacy policy (emphasis ours):

when you sign up [to?] the App you provide consent so that we may disclose your personal information to the Publisher, the Publisher’s management company, agent, rights image company, the Publisher’s record label or publisher (as applicable) and any other third parties, for use in conjunction with additional user promotions or offers they may run from time to time or in relation to the sale of other goods and services. You may unsubscribe from such promotions or offers or communications at any time by following the instructions set out in such promotion or offer or communication;

If you’re wondering whether Hancock has also started his own rock band or record label; spoiler — as far as we’re aware he hasn’t. Rather, as we understand it, the policy issued with the app was originally created for musician clients which Disciple more often works with (one example on that front: The Rolling Stones).

We also understand the privacy policy was uploaded in error to the Matt app, according to sources familiar with the matter, and it is in the process of being reviewed for possible amendments.

Tapping around in the app itself, other aspects also point to it having been rushed out — for example, expanding comments didn’t seem to work for some of the posts we tried. And the three dots in the upper corner of photos occasionally do nothing; occasionally ask if you want to ‘turn off notifications’; and occasionally offer both choices; plus a third option of asking if you want to report a post.

Meanwhile, as others have pointed out, by calling the app after the man himself users get the unfortunate notification that “Matt Hancock would like to access your photos” if they choose to upload an image. Awkward to say the least.

Although it’s less clear whether reports that the app might also be breaching iOS rules by accessing users’ photos even if they’ve denied camera roll access stand up to scrutiny as iOS 11 does let users grant one-time access to a photo.

Hancock’s parliamentary office is deferring all awkward questions about the Matt Hancock App to Disciple. We know because we rang and they redirected us to the company’s contact details.

We wanted to ask Hancock’s people what user data his office is harvesting, via his own-brand app, and what the data will be used for. And why Hancock decided to build the app with Disciple (which the app’s press release specifies hasn’t been paid; the company is seemingly providing the service as a donation in kind — presumably in the hope of associated publicity, so, er, careful what you wish for).

We also wanted to know what Hancock thought he could achieve by launching an own-brand app which isn’t already possible to do with pre-existing communication tools (and via constituency surgeries).

And whether the app was vetted by any government agencies prior to launch — given Hancock’s position as a sitting minister, and the potential for some wider reputational damage on account of the unfortunate juxtaposition with his ministerial portfolio.

Eventually a different Hancock staffer sent us this statement: “This app is ICO registered and GDPR compliant. It is consistent with measures in the Data Protection Bill currently before Parliament. And is App Store certified by Apple, using standard Apple technology.”

Re: GDPR, we suggest the minister reads our primer because we’re rather less confident than he apparently is that his app, as is, under this current privacy policy and structure, would pass muster under the new EU-wide standard (which comes into force in May).

As regards the why of the Matt app, the staffer sent us a line from Matt’s weekly newsletter — where he writes: “Working with a brilliant British startup called Disciple Media, I’ve launched this app to build a safe, moderated, digital community where my West Suffolk constituents and I can discuss the issues that matter to them.”

Hancock’s office did not respond to our questions about the exact data they are collecting and for what specific purposes (pro tip: That’s basically a GDPR requirement guys!).

But we’ll update this post if the minister delivers any further insights on the digital activity being done under (and in) his name. (As an aside, an email we sent to his constituency email address also bounced back with a fatal delivery error. Digital credibility score at this point: Distressingly low.)

Meanwhile, Disciple Media has so far declined to provide a public response to our questions — though they have promised a statement. Which we’ll drop in here when/if it lands.

The company is in the process of pivoting its business model from a revenue share arrangement to a SaaS monthly subscription — which a spokesman describes as “more ‘easy Squarespace for mobile/mobile web communities’ than ‘social media’”.

So — in theory at least — the business should be heading away from the need to lean on the data slurping of app users’ personal information to power marketing-generated revenues to keep the money rolling in. At least if it gets enough paying monthly customers (Hancock not being one of them).

We’re told it has relied on private investment thus far but is also actively seeking to raise VC.