On February 22, 2013, the FTC announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.
The FTC alleged that HTC failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk. The resulting vulnerabilities posed risks to sensitive functionality, including the possibility that malware could send text messages, record audio, and install additional malware onto a consumer’s device.
Here are four key take-aways for mobile device manufacturers and application developers from the FTC’s complaint:
- provide your engineering (programming) staff with security training
- review or test your software on mobile devices for potential security vulnerabilities
- follow well-known and commonly accepted secure coding practices
- establish a process for receiving and addressing vulnerability reports from third parties
Smartphones and tablets are powerful, popular, and continue to find their ways into our personal and business lives. New mobile apps hit the market each day. In this fast-moving era of entrepreneurship and creativity, mobile device and app developers need to keep up with evolving privacy and security. Apps and mobile devices that tap into consumer data — including contact information, photos, and location to name a few — pose a heightened risk to digital snoops, data breaches, and real-world thieves.
Please contact us if you are interested in learning how to evaluate your mobile security and privacy risk or to help develop a “Privacy By Design” approach mobile app security.
Please comment, tweet and forward!
- FTC moves against mobile device makers over security (networkworld.com)
- AT&T to usher in split-personality mobile devices (reviews.cnet.com)
Tagged: "Privacy By Design" guidelines, developers, device, Federal Trade Commission, FTC, HTC, HTC Corporation, legal risks, manufacturer, Mobile, mobile application, Mobile device, Smartphone, Tablet computer, Vulnerability (computing)
December 23, 2012
As a result of the rapid shift in marketing from unilateral one-to-many communications, to the multilateral, many-to-many or many-to-one conversations enabled by Social Media, employees and employers are struggling to manage accounts that are used for both work and personal purposes.
This new phenomenon has benefits, but it also creates a number of legal challenges. For employees, it may result in greater efficiency, more opportunities for authentic customers engagement and the ability to stay on top of the most current grands and business issues. For employers, it presents opportunity to reap substantial benefits from lower communications and customer support costs. For in-house counsel, it raises a host of legal and practical issues with few easy solutions and significant liability and regulatory risks.
First, there are hardware issues. Smartphones, tablets and other personal electronics often have social networking capabilities built in. in addition, they contain contain both personal and business data. Because these devices are always on and always connected, they are more than just personal property. They have become essential business tools. For both sides of the workplace equation, employers and employees must understand where the privacy lines fall between personal versus work-related information.
Second, there are data issues. Employers must balance their needs to monitor employee usage, employees’ privacy concerns, and the risk of liability for theft or exposure of data if a device is lost or stolen, or from lack of proper safeguards on account usage. For in-house counsel tasked with drafting policies to address these risks, , Prior to implementation of any policy, the legal team needs to educate front line employees and management on reasonable expectations of privacy and security and the harms that the organization seeks to prevent.
Lastly, recent cases such as the Cristou v. Beatport litigation, highlight the struggle to define and control the beginning and end of employee social media accounts, ownership and protection of intellectual property and the post termination risks that arise from the absence of appropriate policies.
As we prepare to start a new year, the time is ripe to establish security and privacy policies governing creation, maintenance and use of employees’ social media accounts for work functions. In-house counsel must lead the charge to educate, inform and train employees about privacy, security and evidence-recovery implications associated with use of social media.
Tagged: accounts, attorney, Business, BYOD, Communications, counsel, employee, employer, in-house, infosec, Law, Lawyer, Legal, Marketing, media, Mobile, policies, policy, Privacy, regulation, security, social, Workplace
September 18, 2012
Representative Markey is no stranger to mobile privacy issues. Last year, Rep. Markey asked the FTC to investigate the practices of the Carrier IQ software company as a possible unfair or deceptive act or practice.
On September 12, 2012, Rep. Markey, co-Chair of the Bi-Partisan Congressional Privacy Caucus, released H.R. 6377, “The Mobile Device Privacy Act.” The legislation would require companies to disclose to consumers the capability to monitor telephone usage, as well as require express consent of the consumer prior to monitoring.
“Just because a mobile device is hand held doesn’t mean it should hand over personal information to third parties without permission,” said Markey in a released statement.
Tagged: Carrier, congress, data, Disclosure, house, legislation, Markey, Mobile, Mobile Device Privacy Act, monitoring, Privacy, software, telecommunications
September 7, 2012
Sept. 5 2012:
From the FTc web site:
The Federal Trade Commission has published a guide to help mobile application developers observe truth-in-advertising and basic privacy principles when marketing new mobile apps. The FTC’s new publication, “Marketing Your Mobile App: Get It Right from the Start,” notes that there are general guidelines that all app developers should consider. They include:
Tell the Truth About What Your App Can Do. – “Whether it’s what you say on a website, in an app store, or within the app itself, you have to tell the truth,” the publication advises;
Disclose Key Information Clearly and Conspicuously. – “If you need to disclose information to make what you say accurate, your disclosures have to be clear and conspicuous.”
Build Privacy Considerations in From the Start. – Incorporate privacy protections into your practices, limit the information you collect, securely store what you hold on to, and safely dispose of what you no longer need. “For any collection or sharing of information that’s not apparent, get users’ express agreement. That way your customers aren’t unwittingly disclosing information they didn’t mean to share.”
Offer Choices that are Easy to Find and Easy to Use. – “Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made.”
Honor Your Privacy Promises. – “Chances are you make assurances to users about the security standards you apply or what you do with their personal information. App developers – like all other marketers – have to live up to those promises.”
Protect Kids’ Privacy. – “If your app is designed for children or if you know that you are collecting personal information from kids, you may have additional requirements under the Children’s Online Privacy Protection Act.”
Collect Sensitive Information Only with Consent. – Even when you’re not dealing with kids’ information, it’s important to get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information.
Keep User Data Secure. – Statutes like the Graham-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information.
Tagged: applications, apps, data, FTC, kids, Mobile, policies, Privacy, security
June 20, 2012
Mobile carriers, app developers, and other technology stakeholders will meet with the U.S. National Telecommunications and Information Agency on July 12 to discuss privacy standards for mobile use. The focus of the discussion will be the privacy practices of mobile apps and their transparency.
Applications will be the main focus on July 12 when enforcement begins. The initial series of meetings will decide on rights, obligations and enforcement of online and mobile device security under President Obama’s virtual “Privacy Bill of Rights”.
The U.S. Department of Commerce’s National Communications and Telecommunication Administration (NTIA) has made the decision that it is now time to put the president’s Privacy Bill of Rights into effect. In order to get started, they have sent an invitation to all of the “privacy stakeholders” in order to “generate robust input” in the creation of the very first transparency code of conduct for consumer data collection and use.
The White House and Congress hopes that this discussion will eventually lead to a privacy bill of rights. July’s meeting will be webcast for the public.
Tagged: bill of rights, information, law enforcement, legislation, Mobile, Obama, policy, Privacy, regulation, telecom, telecommunications
US consumers are waking up to privacy issues related to smartphone use. About two-thirds of search engine users disapprove of the collection of information on their searches for the purpose of personalizing their future search results and an equal proportion of all internet users disapprove of being tracked for the purpose of getting targeted ads.
Interestingly, the two most popular smartphone platforms treat application data gathering differently. While Apple reviews prospective applications before launching them into its iPhone app store, Google’s open-source Android platform has no such system in place. But while the Android system runs each application separately and explicitly lists the services or data each application accesses, Apple’s iPhone system treats all applications as equal and allows them to access many resources by default.
Until application developers and hardware makers start taking Privacy-By Design” seriously, users must pro-actively protect their privacy. If you have a smartphone and use it to download apps, there’s little you can do to completely lock down your personal information. But there are a number of precautions you can take to ensure minimal risk exposure.
So, here are seven basic basic smartphone privacy tips you can take to cut down on risks:
- Don’t download apps form unknown sources. If you have not heard of an app, read its user reviews. Even better, look it up online and see what has been said about it.
- When possible, opt out of information sharing capabilities.
- Get acquainted with your phone’s GPS features. Most smartphones allow one to adjust which applications have access to GPS. Turn this feature off for all but the most essential of apps.
- On Android: Before you download an app, check its user permissions. This should give you a breakdown of what information the app will access. Ask yourself if a simple game apps really needs to access the contact list?
- For Android: If you’ve opted to “root” (obtain privileged access) your device, be wary of granting apps root access. Doing so grants them complete control over your phone.
- For iPhone: If you have “jailbroken” (circumvented the proprietary programming restrixtions) your phone, be sure to change its root password. You can find guides online, or else get a trusted technician to do so for you.
- If you are no longer using an app, uninstall it.
While there is no easy way to figure out which apps are the riskiest, paid apps tend to pass less data on than free ones. Remember, “free” content is usually monetized in other ways, most often by selling user data.
Tagged: android, application accesses, Mobile, prospective applications, search engine users, technology
Free content is not without a cost.
As our lives have become more digitally enmeshed with content, immersive entertainment and devices, the economic bargain that makes it possible has gone largely unnoticed. Simply put, the collection, analysis and sharing of personal data is driving the digital economy. Mobile applications (Apps), digital content and entertainment – from TV shows to games – are available for “free” but subsidized by income from online ads that are customized using data about customers. Vendors, advertisers and platforms compete for “eyeballs” based, in part, on the quality of the information they possess about users to whom the ads are targeted.
Across this interconnected landscape of users, content providers and devices, the issue of online privacy has become a major talking point for app developers, marketers, consumers and legislators. Recently, a wide range of stakeholders, from large institutions to smaller developers, have been accused of mishandling personal data. As the volume of public debate has increased, legislators have introduced a raft privacy initiatives. The Obama administration has called for a Privacy Bill of Rights, an industry consortium of leading web sites and search engines has proposed its own privacy best practices and the Electronic Frontier Foundation has published a consumer-oriented Mobile User Privacy Bill of Rights.
Part 1 of this article looks at several recent and high-profile revelations about how personal information is collected and used, often without the user’s knowledge and consent. Part 2 discusses the legal risks faced by vendors that don’t take adequate precautions to protect consumer privacy and Part 3 concludes with strategies and tactics that help leverage the power of personalization while avoiding the pitfalls of privacy and data security.
1. The current state of information gathering
The scope of personal information gathered is unprecedented and largely unknown. For years, “free” web-based content has been available because of the implicit compromise between content providers and content consumers. Advances in technology have made it easier to track a user’s web browsing habits, mobile browsing habits, and even real-time geospatial location (check in apps and GPS). In the last few months, we have learned that some apps not only gather this mostly non-personally-identifiable data, but also upload a user’s address book contacts and even photos.
On Wednesday Feb. 2012, software Developer Arun Thampi “outed” Path, the purveyor of a self-titled journaling app, for sending users’ address book contents to the company. Path lets users share what they’re doing with a select group of friends and gives users the option to find friends on the app through contacts or other social networks. Thampi disclosed the clandestine data transfer in a blog post after discovering that his phone’s entire address book, including full names and e-mail addresses, was being sent to Path without his explicit consent. According to Path, this data was necessary to in order to quickly notify users when people they know join Path.
Not too long ago, Google earned itself a similar PR (and legal) black eye when it launched its social network, Google Buzz, in 2010 through its Gmail web-based email product. At launch, users were not informed that the identity of individuals they emailed most frequently would be made public by default. Google Buzz automatically disclosed the email addresses of a user’s contacts by default. Google settled with the FTC over allegations that Google used deceptive practices and violated its own privacy policies.
On Feb 17 2012, WSJ reported that Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.’s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked. The companies used special computer code that tricks Apple’s Safari Web-browsing software into letting them monitor many users. Safari, the most widely used browser on mobile devices, is designed to block such tracking by default.
A major topic for discussion just this week is the “Target Snafu.” As originally reported in the New York Times, Target used customer data and predictive analytics to determine that one of their customers was pregnant, and even her specific trimester. The girl’s father learned of the pregnancy when the retailer emailed her promotional material and coupons.
It used to take days or even weeks to gather, synthesize and extrapolate data about a customer’s buying habits and receptiveness to particular products or services. Now it takes milliseconds. A targeted ad can be sourced and served in the time it takes to hit “refresh” on a web browser. Companies are using massive amounts of data to predict what their customers are going to want next. More importantly, gathering that data is getting easier, cheaper and more ubiquitous as the source of that data moves from the desktop to mobile devices.
Tagged: Advertising, big data, content, Marketing, Mobile, online behavioral advertising, Privacy, security