As this issue focuses on rainmaking, I want to spend some time exploring with you the evolution of our use of mobility tools to facilitate our rainmaking activities. As most of you have some familiarity with the process of using mobility tools to garner, serve, and impress clients and potential clients, I will only mention that briefly, in order to get to the real focus of this column, the risks of this practice.
Please understand from the onset, I have no intention of trying to talk you out of using mobility tools to service your clients or to try to impress them or to try to get some new clients. I do intend, however, to try to convince you to use a healthy dose of caution in the process of doing that as the process can carry with it considerable risk of breaching confidentiality or unwittingly releasing information to the dark side, or at least to marketers (assuming for purposes of argument that marketers do not generally reside on the dark side).
Mobility, Apps, and Privacy
As a society, we have grown more and more dependent on the use of mobile devices. We find smartphones in the hands of professionals, white-collar workers, blue-collar workers, no-collar workers, homemakers, students, teachers, adults, and children.
In addition to smartphones, we have seen in recent years a dramatic increase in the use of slate or tablet devices (in particular the iPad). More and more of us have and regularly use these devices. In a recent press conference, Apple’s Tim Cook took the position that we are now in a “post-PC” world, by which he meant that more and more we rely on mobile devices for the conduct of our personal and business affairs and our interaction with the Internet.
As smartphones become ubiquitous and tablet usage dramatically increases as well, these devices will appeal more and more to the writers of software programs or applications (apps) designed to invade and abuse user information on these devices and/or stored by them in the cloud (online or over the Internet).
The mobile operating systems, including the major players in the field—the Apple iOS, the Android OS, and, on much smaller scales, BlackBerry and Microsoft’s offerings—rely on the availability of apps to provide additional functionality to the devices they inhabit. Some of these apps come from in-house development, but most of them represent the work of third parties, outside the control of the platform generator or the hardware generator. Some cost money and others come at no apparent price, making them much harder for most of us to resist.
End users acquire apps from Apple’s App Store, or Google Play (formerly the Android Market), or similar types of arrangements. They simply download them and install them on their devices so that they can use them. The apps include business programs, accounting programs, banking interfaces and other financial programs, simple contacts management programs and more sophisticated CRM (client relationship management) programs, calendar programs, reference materials, eBook readers, browsers, music players, and a variety of other categories.
Although many of the apps have no significant downside and create no major risks, recent news reports have warned that some of the apps access personal information and transmit it surreptitiously to marketers who use it for their own (sometimes nefarious) purposes or who remarket it to others, so that they can make use of it for their own (sometimes nefarious) purposes. It is for this reason that I spent some time debating with myself about whether to use the title that appears at the top of this article or, alternatively, to simply call it “The App Attack!”
To test security measures taken by Apple, The New York Times enlisted a developer to create a test app that requires permission to use a device’s location and thus gain access to the phone’s photos. The decoy app, PhotoSpy, asked for access to location data when it was opened. Once that information was provided, the app took photos and data location and sent it to a remote server. In essence, a third-party app could copy a user’s private content, without gaining additional consent and without providing the user with further notification. A similar test was done with an Android developer, and the Android test app also gained access to users’ photos.
The apps generally access your information in address books, contact lists, and similar locations inside the mobile devices and/or stored in the cloud. Although any app could theoretically serve as the Trojan Horse carrying the invading code, some of the apps will, by their very nature, access your data. They have to in order to do their job. The only question then becomes what will happen with the data once the app has accessed it. The apps that you should expect will access your contact information to do what they do include virtually all social networking apps. How else can the social networking apps tie you to your friends and associates and let them know what you are doing or where you are doing it?
Some of the apps that access personal information ask for approval prior to doing so; others do not. Some operating systems advise you that the app will have access to certain information; others do not. The newer iterations of Android do a pretty good job with that. Accessing your data without permission violates Apple’s rules for its App Store, but let’s face it: Someone intent on stealing your information won’t likely balk at violating Apple’s rules. Apple recently announced it would take stronger protective measures and has said that it will require apps to ask permission prior to accessing users’ data. Even if the app asks for approval or your OS warns you that the app will have access to certain information, you still have to deal with the question of what the app will do with the information it accesses. You have little protection that the app will only use the information for approved and appropriate purposes. Worse yet, some of the apps will take the information and secretly transmit it to a server for storage and further use at a later time, including possible distribution to third parties. I consider developers who design apps that secretly access and capture user information and data no better than hackers.
As most of us keep a wealth of confidential and private information on our smartphones, the fact that an app can accesses our data and transmit it to third parties should scare the heck out of each us on a personal level, and, as attorneys with ethical obligations respecting the protection of our clients’ privacy and confidentiality, on a professional level as well. Although I wish I could provide you with a list of what applications pose serious threats to you and your information, unfortunately I cannot. I do not have that information and, to the best of my knowledge, it is not readily available. This puts all of us in the unenviable position of having to guess what we can safely do. While I would probably avoid apps created by companies with names like “Sleazy Weasel Software” as a matter of principal, the fact that a major-name company created the app offers no assurance that it will not invade your data. [Note: For the record, I know of no company actually named “Sleazy Weasel Software.” I made the name up to make a point. I actually did a Google search on the name, and it produced no results. If it should turn out that some company actually does business under that name, I have no information to suggest that it did or does anything improper and by this reference do not mean to suggest that it did or does.]
Calls for Action
The discovery and publication of this practice has raised quite a stir. U.S. Senator Charles E. Schumer asked the Federal Trade Commission (FTC) to investigate reports that Apple and Android applications access users’ personal photos and address books (see Sinead Carew, “Senator Schumer Asks FTC to Probe Apple, Android,” Reuters.com, posted March 4, 2012).
Senator Schumer referred to the recent discovery that applications on devices such as the iPhone and iPad could upload entire address books with names, telephone numbers, and e-mail addresses to their own servers. The senator took the position that such conduct exceeded the scope of what a reasonable user understood that he consented to by allowing the app to access data on the device “for purposes of the app’s functionality.”
Senator Schumer also noted that although such conduct violated the terms of service (TOS) of the Apple and Android platforms, “it is not clear whether or how those terms of service are being enforced and monitored.” Id.
Senator Schumer took the position that “smartphone makers should be required to put in place safety measures to ensure third party applications are not able to violate a user’s personal privacy by stealing photographs or data that the user did not consciously decide to make public.” Id.
The White House has also recognized the problem. In a press release dated February 23, 2012, the Obama administration unveiled a “Consumer Privacy Bill of Rights” as part of a comprehensive blueprint to improve consumers’ privacy protections and “ensure that the Internet remains an engine for innovation and economic growth.”
The Consumer Privacy Bill of Rights endeavors to provide a baseline of protections for consumers and greater certainty for businesses. The press release referenced above describes the following aspects of the Bill of Rights:
- Transparency: Consumers have a right to easily understandable information about privacy and security practices.
- Respect for context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure and responsible handling of personal data.
- Access and accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
- Focused collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
You can find further discussion of this issue in an excellent entry in the New York State Bar Association’s Entertainment, Arts and Sports Law Blog entitled “Apple and Android Applications Access Private Data.”
What You Can Do Now
Although some have recommended the implementation of anti-malware software programs on your mobile devices, I have not yet found one that makes me feel comfortable. The state of the art for protection of mobile devices has yet to evolve to the point that it has for computers.
In the short term, you can do several things to help protect your mobile data:
- Use encryption for data stored in the cloud.
- Password-protect your encrypted data.
- Password-protect your mobile devices.
- Turn off features not currently intentionally in use, such as Bluetooth, WiFi, and location services.
- Turn off location services for apps that you do not want to access or broadcast your data. Note that this will not guarantee the data’s security, but it will help protect it.
- Do not install apps from unknown sources.
- Check out the reputation of the publisher of an app you find potentially worth having on your phone. Do this before you install the app.
- Stay off unknown or public WiFi networks.
- Do not accept apps through unsolicited e-mail or SMS (short message service) messages!
So the bottom line is that we have a potentially massive confidentiality leak. We will likely see some regulatory or legislative action to restrict the practice. In the meantime, some vendors have announced that they will modify their procedures to require apps to ask for permission to use the address book or other data. Even if they ask for permission to access the information, you want and need to know how they will use it to respond reasonably to the request for permission. You will also need to know exactly what information the app will access to know whether you want to give that permission. Unless you have that information and believe it with reasonable confidence, you will likely want to limit your exposure and the exposure of your information by following the same advice we give people about using drugs: JUST SAY NO!