Mobile Privacy and Security Q&A with the Regulators/Enforcers

Vol. 9 Special Edition

Ruth Hill Bro can be reached at ruth.bro@comcast.net. Ann Cavoukian can be reached at Ann.Cavoukian@ipc.on.ca. Christopher N. Olsen can be reached at colsen@ftc.gov.

At a time when everything seems to be going mobile, and corresponding privacy and security concerns are escalating, everyone wants to know what regulators/enforcers are saying on the topic. In this article, Ruth Hill Bro poses seven of the top questions on mobile privacy and security issues. Answering those questions are privacy experts from two of the leading regulators/enforcers: Christopher N. Olsen of the US Federal Trade Commission (FTC) and Dr. Ann Cavoukian of the Office of the Information & Privacy Commissioner, Ontario, Canada.

A common thread runs through their answers: privacy and security must be built into mobile devices from the start, transparency about data practices must improve, and data subjects must be given clear choices that are easy to exercise. Adhering to Privacy by Design (PbD) principles (see box on page 18 and discussion below) is key to minimizing mobile privacy and security risks. The experts interviewed here provide many practical insights, including references to guidance documents, for businesses and consumers operating in the mobile space.

1. How is the rapid adoption of mobile technology changing your office’s enforcement/regulatory priorities?

Cavoukian: The loss or theft of unencrypted mobile devices is one of the major causes of privacy breaches in government and health organizations. My office has issued numerous orders requiring the use of encryption and insisting that the protection of privacy be implemented from the outset as the default setting. The power of the default cannot be overestimated—the default rules! Organizations handling personal information must strive to avoid the harm before it happens. Encryption by default is the obvious solution.

Mobile devices should never contain unencrypted personal information. Either encrypt the information or remove all personal identifiers. Alternatives such as remote access through a secure connection or VPN should also be considered. Generally, in the event that a mobile device is lost or stolen, it will not be regarded as a privacy breach if sufficient safeguards were in place to ensure that personal information was not disclosed.

But encryption by default is not always easy to assure in large, complex environments. A Privacy by Design (PbD) approach needs to be applied proactively and systematically to embed privacy in the design of information technologies, business practices, and networked infrastructures as a core functionality, right from the outset, and to realize the positive-sum results.

Olsen: As mobile services have rapidly expanded, the FTC has devoted more resources to consumer protection issues affecting mobile consumers. Approximately two years ago, for example, the Bureau of Consumer Protection formed a Mobile Technology Unit designed to coordinate mobile activities across the bureau’s operating divisions, including those focused on fraud, privacy and security, and advertising practices. The agency has also held workshops and issued several reports addressing issues of significance in the mobile environment, including reports outlining best practices for mobile privacy disclosures and addressing consumer protection issues relating to mobile payments.

Of course, enforcement remains a top priority for us in the mobile space. We have taken a number of significant enforcement actions involving mobile services in recent years and will continue to make this a priority. Enforcement of our revised rules implementing the Children’s Online Privacy Protection Act (COPPA) will be a major focus for us as well.

2. What privacy and security practices associated with mobile apps are currently on your radar?

Cavoukian: I was delighted to read about BlackBerry’s efforts to notify its customers when their information may be shared by a third-party application. I feel it is vital for technology leaders to be transparent in their commitment to the protection of privacy. By reviewing mobile applications for privacy protective features and notifying customers of potential uses and disclosures of their personal information, I believe organizations can build a relationship of enduring trust with their customers.

Another example of trust building is Microsoft’s recent decision to implement “Do Not Track” as the default setting for its new version of Internet Explorer. This is truly a victory for consumers as it evidences an appreciation by Microsoft that default settings should be privacy protective.

Olsen: One area of significant attention has been inadequate disclosure of information practices by mobile apps. In 2012, we conducted two surveys and issued two reports examining the privacy disclosures and practices of apps offered to kids. The surveys found that apps offered very little information to parents and children about their information collection practices.

Similarly, we held a workshop in May 2012 that addressed ways that key players in the mobile ecosystem could improve their privacy disclosures. Following the workshop, we issued a staff report recommending steps that all major participants in the mobile ecosystem—mobile platforms, app developers, ad networks and other third parties, and trade associations—could take to improve mobile privacy disclosures.

From an enforcement standpoint, we are concerned about apps accessing personal data without giving consumers accurate information about their practices. Our consent decree with Path is a good example—we alleged that Path automatically collected users’ contact list information while deceptively telling consumers they had a choice to prevent such collection.

3. Beyond apps, what mobile privacy and security practices are getting your attention?

Cavoukian: The significant growth of mobile payment services is certainly worth keeping an eye on. My office drafted a paper in November 2011 entitled “Mobile Near Field Communications (NFC) ‘Tap ’n Go’—Keep It Secure & Private,” where we discussed the capabilities of NFC, the potential privacy and security risks, and how PbD can be applied to mitigate those risks.

I was also delighted to see the US Federal Trade Commission (FTC) issue a report (“Paper, Plastic . . . or Mobile: An FTC Workshop on Mobile Payments”) highlighting the key issues facing consumers and companies in the mobile payments environment. Mobile payments present a convenient option for consumers but also raise privacy concerns. The FTC report contained several recommendations, including encouraging companies to adopt three basic practices: (1) Privacy by Design; (2) simplified choice for businesses and consumers; and (3) greater transparency. Consistent with my position, the FTC pointed out in its report that when a company provides greater transparency regarding the information it collects, consumers are more likely to trust the company and use its product.

I recently discussed similar issues in a white paper coauthored with Oracle’s Marc Chanliau that examined how the convergence of privacy and security creates consumer trust, yielding significant benefits for businesses.

Olsen: The FTC’s recent consent decree with mobile handset manufacturer HTC is a good example of some of the privacy and security risks that concern us. In the HTC case, we alleged that the company failed to employ reasonable and appropriate security practices in the design of the software on its mobile devices, including by failing to adequately train engineering staff, failing to review or test software for security vulnerabilities, failing to follow well-known secure coding practices, and failing to establish a process for receiving and addressing security vulnerability reports from third parties. As a result, millions of HTC handsets were vulnerable to malicious applications that could have sent text messages, recorded audio, and installed malware on consumers’ devices.

Coincident with the release of the HTC case, we announced that we would hold a public forum in June 2013 to focus more generally on mobile security issues, including the risks that malware, viruses, and other mobile threats pose to smartphone users today and in the future.

4. What mobile privacy/security issues do you think companies are completely underestimating? In other words, where is the ticking time bomb or hidden minefield?

Cavoukian: Whenever organizations are not protecting information with end-to-end security, they are taking a significant risk. In this context, I was pleased to see the recent FTC settlement with HTC America. The FTC alleged that HTC, a mobile device manufacturer, did not sufficiently secure the software that it developed for its smartphones and tablet computers, and may have placed sensitive consumer information at risk. HTC allegedly failed to implement a number of specific PbD practices into its products that are capable of collecting, accessing, and transmitting personal information. HTC is now required to confirm that any representations it makes about a product and how personal information is handled—including statements in a product’s user guide and representations made on the interface of a software application—accurately reflect the product’s capabilities.

In today’s global digital economy, trust and privacy are imperative to a business’s success. If businesses do not consider consumer trust and privacy from the outset, they run the risk of damaging their reputation.

Olsen: We explored these very issues in our June 2013 mobile threats public forum, where we brought together technology researchers, industry members, and academics to examine the major risks currently presented in the mobile environment and those that loom on the horizon. It is difficult, generally, to predict the ticking time bomb, but certainly our HTC case sheds some light on an area of major concern. In that case, HTC’s customization of the software on its devices created security and privacy vulnerabilities. Today, it is common for mobile app developers and others to incorporate software obtained from third parties. Companies need to think carefully about security and privacy issues and threats as they incorporate these software features or customize the software developed for their devices or services. Privacy and security by design are critical to avoiding or minimizing privacy and security risks.

5. What do you recommend as best practices for app developers and publishers?

Cavoukian: The best practice for businesses is to incorporate PbD into their processes and product development. Businesses that adopt the PbD approach will make privacy the default setting from the outset and keep consumers informed of how their information will be used. Consumers should be able to easily acquire information about a company’s privacy policies and procedures, and this information should be written in plain, simple language. By maintaining transparency and making privacy the default, businesses will be laying the groundwork for a long, mutually beneficial business relationship based on trust. The PbD approach will deliver the maximum degree of privacy by ensuring that, by default, personal data are automatically protected in any app. If individuals do nothing, their privacy still remains intact. No action is required on the part of individuals to protect their privacy—it is baked into the application.

Olsen: The FTC has issued numerous reports and guidance materials for mobile app developers and others involved in mobile services. For example, in February 2013, the agency published Mobile App Developers: Start With Security. This guidance document lays out several security tips and best practices for app developers, including holding someone responsible for security, minimizing data collected and retained, encrypting the transmission of important consumer data, generating user credentials securely, and performing due diligence before using third-party software.

Similarly, in February 2013, the agency released a staff report addressing mobile privacy disclosures—Mobile Privacy Disclosures: Building Trust Through Transparency. This staff report outlined best practice recommendations for all major players in the mobile ecosystem for improving privacy disclosures. These guidance documents and others build on the principles the agency outlined in its major privacy report in March 2012, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. This report contains recommendations for all commercial data practices, centered on three key principles—Privacy by Design, Simplified Choice, and Increased Transparency.
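Two of the practices the Start With Security guidance names above, generating user credentials securely and protecting stored credentials, are shown in the following added example. It is illustration code written for this article, not code from the FTC report or from any company discussed in the interview; the iteration count, salt length and the helper names are assumptions chosen for the example. It contrasts an unsalted digest, which lets two users with the same password share one stored value, with a salted, slowed-down derivation and a constant-time comparison.

```python
"""Secure credential generation and storage (added example, not FTC code).

Demonstrates: an unguessable token from the OS CSPRNG, a salted
PBKDF2-HMAC hash for stored passwords, constant-time verification,
and the weak unsalted pattern these practices replace.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Work factor for PBKDF2. This value is an assumption for the example;
# a deployment should follow current published guidance for its hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16  # assumed salt length, generated fresh per user


def generate_reset_token(nbytes: int = 32) -> str:
    """Return a URL-safe token suitable for password resets or session ids.

    Uses the secrets module (OS CSPRNG), not the random module, whose
    output is predictable and must never be used for credentials.
    """
    return secrets.token_urlsafe(nbytes)


def unsalted_digest(password: str) -> bytes:
    """The weak pattern: a bare, fast hash with no salt.

    Identical passwords produce identical stored values, so one cracked
    entry reveals every user who chose the same password.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 hash for storage.

    A fresh random salt is drawn per call unless one is supplied
    (supplying a salt is only for deterministic tests). Store both the
    salt and the digest; never store the password itself.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the derivation for a login attempt and compare in
    constant time, so response timing does not reveal how many leading
    bytes of the candidate matched the stored digest."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, expected)


def same_password_collides(password: str) -> Tuple[bool, bool]:
    """Register two constructed users with the same password and report
    whether their stored values collide under the weak and the salted
    scheme respectively. Expected: (True, False)."""
    weak_collides = unsalted_digest(password) == unsalted_digest(password)
    _, digest_a = hash_password(password)
    _, digest_b = hash_password(password)
    return weak_collides, digest_a == digest_b


if __name__ == "__main__":
    salt, stored = hash_password("constructed-sample-passphrase")
    print("token:", generate_reset_token())
    print("login ok:", verify_password("constructed-sample-passphrase", salt, stored))
    print("wrong password ok:", verify_password("wrong", salt, stored))
    print("collision (weak, salted):", same_password_collides("shared-pw"))
```

The salted derivation is what makes a leaked credential store expensive to reverse; the constant-time comparison addresses a separate, subtler leak in the login path. Both are independent of the transport encryption the guidance also calls for.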

6. How can consumers best protect themselves?

Cavoukian: Consumers need to be vigilant with their personal information and should not routinely agree to privacy policies and terms and conditions without reading them first. Consumers must be proactive by carefully protecting their passwords, creating passwords that are difficult to break, understanding who they are sharing their information with, and, most importantly, thinking before they click “yes.”

Olsen: The FTC has issued guidance for consumers on how best to protect themselves when considering and using mobile apps. Understanding Mobile Apps contains helpful information for consumers on ways to protect their privacy and security in the mobile app environment, including by reviewing disclosures made by mobile platforms and app developers about data collection and sharing practices. Consumers, however, are limited in their ability to exercise informed choices about which apps to use as long as apps continue to fall short in providing clear disclosures about their information collection and sharing practices. That is why we have issued guidance to app developers, mobile platforms, and others on ways to improve privacy disclosures.

7. What resources on these issues do you recommend?

Cavoukian: We have a number of materials available at privacybydesign.ca, including new white papers on how privacy and security are converging for business benefit and several fact sheets outlining important tips for consumer online protection. I invite your readers to explore our materials, which include everything from videos to presentations, so they can gain a comprehensive understanding of the enormous benefits of protecting privacy. When privacy is protected properly, all legitimate interests and objectives are maximized in a positive-sum, win-win manner that does not create winners and losers or require unnecessary trade-offs. As businesses and consumers by now understand, PbD can be deployed for the benefit of all concerned and can enable even greater innovation.

Olsen: Many consumer protection educational materials are available on our website www.consumer.ftc.gov. This site contains materials spanning a wide range of topics, including privacy and security: www.consumer.ftc.gov/topics/privacy-identity. The privacy and identity topics include educational materials on computer and mobile security, kids’ online safety, and tips for avoiding identity theft and repairing it when it occurs.

 

Sidebar: Privacy by Design (PbD)

 

Developed by Dr. Ann Cavoukian in response to growing threats to personal information, Privacy by Design (PbD) has become a call to action heard around the world. PbD figures prominently in the US Federal Trade Commission’s privacy framework, federal privacy legislation, a landmark resolution adopted by international data protection and privacy commissioners, the sweeping new European Union (EU) data protection regulations, and countless other legislative and regulatory initiatives globally. It has been translated into 31 languages. Below are PbD’s seven foundational principles, excerpted from www.privacybydesign.ca/index.php/aboutpbd/7-foundational-principles (where visitors can watch Dr. Ann Cavoukian discuss each PbD principle).


Seven Foundational Principles


The objectives of PbD—ensuring privacy and gaining personal control over one’s information and, for organizations, gaining a sustainable competitive advantage—may be accomplished by practicing the Seven Foundational Principles.


1. Proactive not Reactive; Preventative not Remedial
The PbD approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy-invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred—it aims to prevent them from occurring. In short, PbD comes before the fact, not after.


2. Privacy as the Default Setting
We can all be certain of one thing—the default rules! PbD seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If individuals do nothing, their privacy still remains intact. No action is required on the part of individuals to protect their privacy—it is built into the system, by default.


3. Privacy Embedded Into Design
Privacy is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. The result is that it becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.


4. Full Functionality—Positive-Sum, not Zero-Sum
PbD seeks to accommodate all legitimate interests and objectives in a positive-sum win-win manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. PbD avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both.


5. End-to-End Security—Full Lifecycle Protection
PbD, having been embedded into the system prior to the first element of information being collected, extends throughout the entire lifecycle of the data involved, from start to finish. This ensures that at the end of the process, all data are securely destroyed, in a timely fashion. Thus, PbD ensures cradle to grave, lifecycle management of information, end-to-end.


6. Visibility and Transparency—Keep It Open
PbD seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent to users and providers alike. Remember: trust but verify.

7. Respect for User Privacy—Keep It User-Centric
Above all, PbD requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric.
