The rapid growth and expansion in the mobile market presents a number of privacy and security issues for mobile software and hardware developers, platform operators, advertisers and marketers who collect, store, use and share consumer information. As awareness of privacy risks grow among consumers, legislators and regulators are increasing scrutiny of mobile privacy and privacy policies in mobile apps.
Businesses operating in the mobile industry are facing a widening array of Regulatory compliance issues. Staying abreast of legal risks and issues can be daunting. How can mobile operators and application developers spot trends and adjust strategies to start competitive? First, keep an eye on FTC activity. Second, monitor new bills coming up in Congress. Third, follow this blog, adlerlaw.wordpress.com.
FTC Privacy Enforcement Actions
Earlier this year, the FTC expanded mobile privacy obligations beyond software to include hardware makers when it announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.
Congressional Privacy Laws, Bills & Initiatives
Not surprisingly, federal legislators are taking up the mantle of Consumer Privacy in the area of Mobile Applications. In January 2013, U.S. Rep. Hank Johnson, introduced his mobile privacy bill, The Application Privacy, Protection and Security Act of 2013, or the “APPS Act,”. The bill focuses on transparency, user control and security, mandating that an application 1) provide the user with notice of the terms and conditions governing the collection, use, storage, and sharing of the personal data, and 2) obtain the consent of the user to the terms and conditions. Significantly, the privacy notice is required to include a description of the categories of personal data that
will be collected, the categories of purposes for which the personal data will be used, and the categories of third parties with which the personal data will be shared.
The Bill also requires that application developers have a data retention policy that governs the length for which the personal data will be stored and the terms and conditions applicable to storage, including a description of the rights of the user and the process by which the user may exercise such rights in addition to data security and access procedures and safeguards.
App developers unaware of the data protection requirements may face significant risks and potential harm to their reputation among users of smart devices. If you have concerns about what key data protection and privacy legal requirements apply to mobile applications and the types of processing an app may undertake contact us for a mobile app legal audit. Vague or incomplete descriptions of the ways which a mobile app handles data or a lack of meaningful consent from end users before that processing takes place can lead to significant legal risk. Poor security measures, an apparent trend towards data maximisation and the elasticity of purposes for which personal data are being collected further contribute to the data protection risks found within the current app environment.
Learn more David M. Adler here.
VIDEO: The Evolving Insider Threat- Dawn Cappelli, Randy Trzeciak of CMU’s Insider Threat Center
This video from RSA Conference 2013 discusses:
- Who typically commits insider crimes – and how;
- How employees are being victimized from outside;
- Why our critical infrastructure is at heightened risk.
Even if you are an employer using standard commercial verification measures, you should be cautious about misuse of any information by employees, managers and contractors. Accordingly, you should be careful with training and education and not on only newly-hired employees. Further, plan on how login credential and access to sensitive information will be handled and/or turned over when training or when terminating, suspending, withholding pay, lowering pay, or taking any other adverse action against an employee.
Intel Mobile Device (Photo credit: Frank Gruber)
On February 22, 2013, the FTC announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.
The FTC alleged that HTC failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk. The resulting vulnerabilities posed risks to sensitive functionality, including the possibility that malware could send text messages, record audio, and install additional malware onto a consumer’s device.
Here are four key take-aways for mobile device manufacturers and application developers from the FTC’s complaint:
- provide your engineering (programming) staff with security training
- review or test your software on mobile devices for potential security vulnerabilities
- follow well-known and commonly accepted secure coding practices
- establish a process for receiving and addressing vulnerability reports from third parties
Smartphones and tablets are powerful, popular, and continue to find their ways into our personal and business lives. New mobile apps hit the market each day. In this fast-moving era of entrepreneurship and creativity, mobile device and app developers need to keep up with evolving privacy and security. Apps and mobile devices that tap into consumer data — including contact information, photos, and location to name a few — pose a heightened risk to digital snoops, data breaches, and real-world thieves.
Please contact us if you are interested in learning how to evaluate your mobile security and privacy risk or to help develop a “Privacy By Design” approach mobile app security.
Please comment, tweet and forward!
Related articles
- FTC moves against mobile device makers over security (networkworld.com)
- AT&T to usher in split-personality mobile devices (reviews.cnet.com)
10 Tips For Improving Your Security When Using Public WiFi Hotspots
February 23, 2013
Ah, public WiFi. nothing beats sitting in Union Square, San Francisco, with a Latte, a scone and free, public Internet access. I’m here attending RSA Conference 2013 where I’ll be speaking on security risks related to use of social media in the workplace. Thinking about information security started me thinking about how secure I was as I checked my email over a free, public WiFi network.
These days, Wi-Fi hotspots are ubiquitous. One can find free access in airports, universities, public parks, hotels, coffee shops, and libraries. While convenient, these hotspots are usually not secure. Hackers know this and may be sniffing the network for their next unwitting victim. so, how can one protect oneself? Short of ensuring a fully-encrypted VPN connection, one may never be truly secure. Here are some tups for improving your security and privacy when using a public hotspot.
Don’t Assume a Wi-Fi Hotspot is Secure
As noted above, most public Wi-Fi hotspots are not secure. They don’t encrypt information you send over the internet.
If you use an unsecured network to log in to an unencrypted site – or a site that uses encryption only on the sign-in page – other users on the network can see what you see and what you send. They could hijack your session and log in as you. New hacking tools – available for free online – make this easy, even for users with limited technical know-how. Your personal information, private documents, contacts, family photos, and even your login credentials could be up for grabs.
An imposter could use your account to impersonate you and scam people you care about. In addition, a hacker could test your username and password to try to gain access to other websites – including sites that store your financial information.
Protect Yourself When Using Public Wi-Fi
So what can you do to protect your information? Here are a few tips:
1. Make yourself a hard target. Take precautions to minimize risks associated with free public networks.
2. Limit information sharing to secure web sites. When using a Wi-Fi hotspot, only log in or send personal information to websites that you know are fully encrypted. .
3. Don’t stay permanently signed in to accounts. When you’ve finished using an account, log out.
4. Do not use the same password on different websites. A recent story about a journalist illustrates how once hackers access one account, say Gmail, they can use that info to access all your other accounts.
5. Many web browsers alert users who try to visit fraudulent websites or download malicious programs.Pay attention to these warnings and avoid sites that cause red flags to go up.
6. Keep anti-virus and browser software up to date. If you get a notification that an update is available, install it. Typically updates patch vulnerabilities that have been identified.
7. Use a Virtual Private Network (VPN) connection when available. Many commercial ISPs and corproate networks offer a VPN connection to provide secure access for their employees who work
remotely. VPNs encrypt traffic between your computer and the internet, even on unsecured networks.
8. Some Wi-Fi networks use encryption: WEP and WPA are the most common. WPA encryption protects your information against common hacking programs. WEP may not. WPA2 is the strongest. If you aren’t certain that you are on a WPA network, use the same precautions as on an unsecured network.
9. Some browsers offer “add-ons” like Force-TLS and HTTPS-Everywhere for Firefox. These add-ons are free and force the browser to use encryption on popular websites that usually aren’t encrypted. They don’t protect you on all websites – look for https in the URL to know a site is secure.
10. Be aware of your surroundings. Don’t leave devices unattended. Don’t key in user names and passwords in plain sight of IDE sitting around you.
I don’t guarantee that just by following these steps you will be totally secure. But, the harder you make it for would-be attackers to access your information and device, the more likely they will be to move on to an easier target.
What's Next Toronto: Cloud Computing and the Drummond Report
January 20, 2013
Last year we began the process of organizing an event and white paper series entitled 'Cloud Computing and the Drummond Report'.
Due to the volume of preparatory work required to make this a home run we had to put it on the back-burner for a while. This is now complete and we're re-starting the project, stay tuned for further news.
2012 in review
January 20, 2013
The WordPress.com stats helper monkeys prepared a 2012 annual report for this blog.
Here’s an excerpt:
600 people reached the top of Mt. Everest in 2012. This blog got about 3,300 views in 2012. If every person who reached the top of Mt. Everest viewed this blog, it would have taken 6 years to get that many views.
Brazilian company launches Android iPhone, owns the trademark – iPad/iPhone – Macworld UK
December 20, 2012
See on Scoop.it – Social Media Legal & Regulatory Compliance
The Brazilian company that owns the legal right to the name iPhone in the country is now selling its own iPhone, running the Android operating system.
How’s that for consumer confusion?!
See on www.macworld.co.uk
Songwriters slam Government Copyright reforms | Music, Music, Music
December 20, 2012
See on Scoop.it – Social Media Legal & Regulatory Compliance
Cable says changes could generate £500m – a downgrade from previous estimate (Songwriters slam Government Copyright reforms | @scoopit http://t.co/FlL1oADw)…
See on www.scoop.it
|
The Federal Trade Commission today announced publication of an Interim Final Rule on identity theft “red flags” that narrows the circumstances under which creditors are covered by the Rule. Congress directed the FTC, along with several banking agencies to develop regulations requiring “financial institutions” and “creditors” to develop and implement a written identity theft prevention program. By identifying “red flags” for identity theft in advance, businesses can be better equipped to spot suspicious patterns that may arise — and take steps to prevent potential problems from escalating into a costly episode of identity theft. Under the Rule, Red Flag Programs must have four parts. First, the Program must include reasonable policies and procedures to identify signs – or “red flags” – of identity theft in the day-to-day operations of the business. Second, the Program must be designed to detect the red flags of identity theft identified by the business. Third, the Program must set out the actions the business will take upon detecting red flags. Finally, because identity theft is an ever-changing threat, a business must re-evaluate its Program periodically to reflect new risks from this crime. The agencies promulgated the Red Flags Rule in 2007. In December 2010, Congress enacted legislation narrowing the definition of “creditors” covered by the Rule. The amended Red Flags Rule now provides that a creditor is covered only if, in the ordinary course of business, it regularly:
The Commission is seeking comment on the Interim Final Rule for 60 days. After the expiration of the 60-day comment period and a review of the comments received, the Interim Final Rule will become final. The Commission vote approving issuance of the Federal Register notice announcing the Interim Final Rule was 5-0. The notice will be published in the Register shortly and can be found on the FTC’s Web site as a link to this press release. |
Social Media and the Financial Services Industry.
From the Madoff scandal, to the Occupy Wall Street Movement, to Mitt Romney’s tax returns, the financial services sector is accustomed to the scrutiny and ire of the public and government regulators. Therefore it is no surprise that on January 4, 2012, the SEC’s Office of Compliance Inspections and Examinations, in coordination with other SEC staff, including in the Division of Enforcement’s Asset Management Unit and the Division of Investment Management, issued its “Investment Adviser Use of Social Media” paper. The paper begins by observing that although “many firms have policies and procedures within their compliance programs” governing use of social media” there is wide “variation in the form and substance of the policies and procedures.” The staff noted that many firms have multiple overlapping procedures that apply to advertisements, client communications or electronic communications generally, which may or may not specifically include social media use. Such lack of specificity may cause confusion as to what procedures or standards apply to social media use.
The SEC paper suggests that the following factors are relevant to determining the effectiveness of a Social Media compliance program:
- Usage Guidelines
- Content Standards
- Monitoring
- Frequency of Monitoring
- Approval of Content
- Firm Resources
- Criteria for Approving Participation
- Training
- Certification
- Functionality of web sites and updates thereto
- Personal/Professional sites
- Information security
- Enterprise-wide web site content cross collateralization
Similarly, the Financial Industry Regulatory Authority (FINRA) has issued guidance for secutires brokerage firms. According to its web site, FINRA “is the largest independent regulator for all securities firms doing business in the United States.” FINRA protects American investors by ensuring fairness and honesty in the securities industry. In January 2010, FINRA issued Regulatory Notice 10-06, providing guidance on the application of FINRA rules governing communications with the public to social media sites and reminding firms of the recordkeeping, suitability, supervision and content requirements for such communications. Since its publication, firms have raised additional questions regarding the application of the rules. Key take aways from FINRA’s guidance include the flowing:
- Brokerages have supervisory and record keeping obligations based on the content of the communications – whether it is business related – and not the media
- Broker-dealers must track and supervise messages that deal with business
- Firms must have systems in place to supervise and retain interactions with customers, if they are made through personal mobile devices
- A broker must get approval from the firm if she mentions her employer on a social media site
- Pre-approval for instant messages, also known as “unscripted interactions’ in legalese, is not necessary as long as supervisors are informed after the fact
