The rapid growth and expansion in the mobile market presents a number of privacy and security issues for mobile software and hardware developers, platform operators, advertisers and marketers who collect, store, use and share consumer information. As awareness of privacy risks grow among consumers, legislators and regulators are increasing scrutiny of mobile privacy and privacy policies in mobile apps.
Businesses operating in the mobile industry are facing a widening array of Regulatory compliance issues. Staying abreast of legal risks and issues can be daunting. How can mobile operators and application developers spot trends and adjust strategies to start competitive? First, keep an eye on FTC activity. Second, monitor new bills coming up in Congress. Third, follow this blog, adlerlaw.wordpress.com.
FTC Privacy Enforcement Actions
Earlier this year, the FTC expanded mobile privacy obligations beyond software to include hardware makers when it announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.
Congressional Privacy Laws, Bills & Initiatives
Not surprisingly, federal legislators are taking up the mantle of Consumer Privacy in the area of Mobile Applications. In January 2013, U.S. Rep. Hank Johnson, introduced his mobile privacy bill, The Application Privacy, Protection and Security Act of 2013, or the “APPS Act,”. The bill focuses on transparency, user control and security, mandating that an application 1) provide the user with notice of the terms and conditions governing the collection, use, storage, and sharing of the personal data, and 2) obtain the consent of the user to the terms and conditions. Significantly, the privacy notice is required to include a description of the categories of personal data that
will be collected, the categories of purposes for which the personal data will be used, and the categories of third parties with which the personal data will be shared.
The Bill also requires that application developers have a data retention policy that governs the length for which the personal data will be stored and the terms and conditions applicable to storage, including a description of the rights of the user and the process by which the user may exercise such rights in addition to data security and access procedures and safeguards.
App developers unaware of the data protection requirements may face significant risks and potential harm to their reputation among users of smart devices. If you have concerns about what key data protection and privacy legal requirements apply to mobile applications and the types of processing an app may undertake contact us for a mobile app legal audit. Vague or incomplete descriptions of the ways which a mobile app handles data or a lack of meaningful consent from end users before that processing takes place can lead to significant legal risk. Poor security measures, an apparent trend towards data maximisation and the elasticity of purposes for which personal data are being collected further contribute to the data protection risks found within the current app environment.
Learn more David M. Adler here.
October 19, 2012
On September 25, 2012, the Federal Trade Commission announced a settlement with seven rent-to-own companies that secretly installed software on rented computers, clandestinely collected information, took pictures of consumers in their homes (WTF?!) and tracked these consumers’ locations.
If you haven’t vomited on your computer from the sickening outrage, you can read the FTC press release here.
Software design firm DesignerWare, LLC licensed software to rent-to-own stores ostensibly to help them track and recover rented computers. The software collected the data that enabled rent-to-own stores, including franchisees of Aaron’s, ColorTyme, and Premier Rental Purchase, to track the location of rented computers without consumers’ knowledge
According to the FTC, the software enabled remote computer disabling if it was stolen, or if the renter failed to make payments. It included an add-on purportedly to help stores locate rented computers and collect late payments. Alarmingly, the software also collected data that allowed the rent-to-own operators to secretly track the location of rented computers, and thus the computers’ users.
When activated, the nefarious feature logged key strokes, captured screen shots and took photographs using a computer’s webcam, according to the FTC. It also presented a fake software program registration screen that tricked consumers into providing their personal contact information.
“An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,” said Jon Leibowitz, Chairman of the FTC. “The FTC orders today will put an end to their cyber spying.”
“There is no justification for spying on customers. These tactics are offensive invasions of personal privacy,” said Illinois Attorney General Lisa Madigan.
October 4, 2012
A complete collection of the 38 federal acts governing U.S. information privacy law.
1. Bank Secrecy Act
2. Cable Communications Policy Act
3. CAN-SPAM Act
4. Children’s Online Privacy Protection Act
5. Computer Fraud and Abuse Act
6. Communication’s Assistance for Law Enforcement Act
7. Computer Security Act
8. DNA Identification Act
9. Dodd-Frank Wall Street Reform and Consumer Protection Act
10. Drivers Privacy Protection Act
11. Economic Espionage and Protection of Proprietary Information Act
12. Electronic Communications Privacy Act
13. Electronic Signatures in Global National Commerce Act (ESIGN)
14. Employee Polygraph Protection Act
15. Fair and Accurate Credit Transactions Act of 2003 (FACTA)
16. Fair Credit Reporting Act
17. Family Educational Rights and Privacy Act
18. Federal Computer Crime Act
19. Federal Privacy Act
20. Federal Trade Commission Act
21. Foreign Intelligence Surveillance Act
22. Freedom of Information Act
23. Gramm-Leach-Bliley Act
24. HIPAA Regulations
25. Identity Theft Assumption and Deterrence Act
26. Medical Computer Crime Act
27. OECD Privacy Guidelines
28. PATRIOT Act
29. PIPEDA Privacy Act
30. Privacy Protection Act
31. Real ID Act
32. Right to Financial Privacy Act
33. Safe Harbor Privacy Principles
34. Telecommunications Act
35. Telephone Consumer Protection Act
36. Uniform Computer Information Transactions Act (UCITA)
37. Veteran’s Affairs Information Security Act
38. Video Privacy Protection Act
September 20, 2012
Computerworld – Germany’s cybersecurity agency on Monday urged users to drop Internet Explorer (IE) and switch to a rival, like Chrome or Firefox, until Microsoft patches a new critical bug in its browser.
Senators call for ‘cybersecurity’ executive order. This summer’s partisan sparring that derailed a federal cybersecurity law has resumed, with Democrats proposing an executive order and Republicans saying it would levy “more mandates.”
“The nation is in dire need of people who are capable of handling the cybersecurity challenges we face,” professor of computing and information sciences Xinming “Simon” Ou said. “We are lagging behind in the number of experts we have versus the threats.
Cybersecurity: Kay Bailey Hutchison condemns Obama’s ‘heavy handed …
Houston Chronicle (blog)
Amid escalating partisan rhetoric over the bipartisan goal of protecting U.S. computer systems from terrorist attacks, Texas Kay Bailey Hutchison criticized President Obama for a “heavy handed, regulatory regime” that would be created.
National Cyber Security Alliance Announces Theme for Data Privacy Day
The Herald | HeraldOnline.com
18, 2012 /PRNewswire-USNewswire/ — The National Cyber Security Alliance (NCSA), a non-profit public-private partnership focused on helping all digital citizens stay safer and more secure online and official coordinator of Data Privacy Day (DPD), today …
Over the past few years, the Obama administration and Congress have taken a variety of legislative runs at creating comprehensive cybersecurity law. See Also: How cybersecurity is like Star Trek’s transporter.
Cyber security biggest challenge for universal credit, says David Freud
Cyber security is the biggest challenge for the government’s universal credit roll-out, welfare reform minister David Freud has told a select committee. Speaking to a select committee, pensions minister Ian Duncan Smith said government had consulted …
NetLib teams with CIS to fight cyber security
Mass High Tech
Neil Weicher wants to win the battle in cyber security. NetLib, a Stamford, Conn.-based provider of encryption software founded by Weicher, has partnered with the Center for Internet Security, a non-profit focused on cyber security readiness.
The Government Communications Headquarters (GCHQ) said those aged 16 or over and not already working in cyber security could apply to test their ability to guard a computer network but only 150 contestants at most would be eventually allowed.
The FBI’s former top attorney for cybersecurity, Steven Chabinsky, who stepped down this month, thinks the FBI is doing a great job battling the problem, but told the Washington Post that the “federal government” has taken a “failed approach”.