Today, the Federal Trade Commission announced settlements with two mobile app makers that allegedly failed to provide reasonable security for the personal information collected in connection with their apps.  In complaints against Credit Karma, Inc. and Fandango LLC, the FTC alleged that both companies’ apps failed to validate SSL certificates, a security shortcoming that could have allowed an attacker to connect to the app—and collect unencrypted sensitive information—by presenting an invalid certificate.  (This type of attack is sometimes called a “man-in-the-middle attack.”)  Both respondents agreed to 20-year consent orders requiring, among other things, that they establish comprehensive information security programs.

These cases are important for a number of reasons:  they reinforce past FTC guidance on the importance of performing security reviews and testing, overseeing service providers, and providing channels through which security researchers can report vulnerabilities.  But what might be most notable is that in neither case does the FTC specifically allege that the respondent’s practices were “unfair” within the meaning of Section 5 of the FTC Act.  Instead, both cases appear predicated upon the FTC’s authority to take action against companies engaged in “deceptive” practices.

Continue Reading FTC Announces Settlements with Two Mobile App Providers

Yesterday, the FTC announced a settlement with Goldenshores Technologies, a company that makes the most-downloaded flashlight app on the Android platform.  The FTC alleged that Goldenshores violated Section 5 of the FTC Act by failing to disclose to consumers that it shared location data it collected from users’ device with third parties.  Although a list

The National Telecommunications & Information Administration (“NTIA”) announced today that it will convene a series of meetings about the commercial uses of facial recognition technology.  The goal of the meetings will be to develop a voluntary, enforceable code of conduct specifying how the Obama Administration’s “Consumer Privacy Bill of Rights” applies to facial

Earlier today, two entities — the Direct Marketing Association (“DMA”) and a Coalition of Mobile Engagement Providers (“Coalition”) — filed petitions at the FCC asking the agency to stay and forbear from enforcing, or clarify, certain aspects of the “prior express written consent” requirement that went into effect yesterday for prerecorded calls to residential numbers and autodialed

The Digital Advertising Alliance (“DAA”) recently released a guidance document titled Application of Self-Regulatory Principles to the Mobile Environment (“Mobile Guidance”).  The Mobile Guidance does not purport to establish new principles, but rather to explain how the DAA’s existing principles — the Self-Regulatory Principles for Online Behavioral Advertising and for Multi-Site Data — apply to the “mobile Web site and application environment.”  Still, the Mobile Guidance contains a considerable amount of new direction that should interest publishers, advertisers, and other companies that operate in the online advertising space.  Below is an overview of key takeaways from the Guidance. 

The Guidance explains how companies operating in the mobile space should provide consumers “transparency” and “control” (i.e., notice and choice) in connection with four types of data: Multi-Site Data, Cross-App Data, Precise Location Data, and Personal Directory Data.

Although the DAA’s definitions of these types of data focus on the way in which data is collected, the application of the key principles of “Transparency” and “Control” depends mainly on the way the data is used.  For example, the Multi-Site Principles define “Multi-Site Data” as “data collected from a particular computer or device regarding Web viewing over time and across non-Affiliate Web sites.”  This definition focuses on the nature of the collection, but whether the “Transparency” and “Control” principles apply to the data turns on the way the data is used:  if Multi-Site Data is used for one of many enumerated purposes (e.g., IP protection, product or service fulfillment, and product development), the transparency and control requirements do not apply.

Thus, the Guidance suggests that companies evaluate their obligations not only by considering whether the data they collect is covered by the Principles, but also by determining how that data will be used.  With that background, we turn to a discussion of the Mobile Guidance.

Continue Reading The DAA Principles Applied to Mobile: Key Takeaways

Telecommunications carriers and providers of interconnected VoIP service with access to certain kinds of customer information collected through mobile devices are subject to existing privacy rules governing their use and disclosure of that information, the Federal Communications Commission announced in a declaratory ruling adopted at its June 27 meeting.  Significantly, the decision makes clear that third-party applications, device manufacturers, and operating system developers are not covered.

The ruling addresses the scope of the FCC’s rules governing Customer Proprietary Network Information (CPNI). A federal statute — Section 222 of the Communications Act — requires carriers “to protect the confidentiality of proprietary information” relating to customers, which is defined as information in customers’ bills and other information “that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.” This includes information about numbers dialed and received, the length and frequency of calls, and the locations where calls are made.

Continue Reading FCC: Customer Data Carriers Obtain Through Mobile Devices Subject to Existing Privacy Rules

The Federal Communications Commission is scheduled to vote this month on a declaratory ruling stating that existing rules governing telephone carriers’ use of subscribers’ personal information also apply to data collected on mobile devices.

Existing regulations restrict telecommunications carriers’ ability to use or disclose Customer Proprietary Network Information (CPNI) that a carrier obtains in the course of providing service to the customer. CPNI includes information such as the locations where calls are made, the numbers called, the length of calls, and other information contained in a customer’s bill.

Continue Reading FCC to Consider Ruling on Carriers’ Use of Data Collected on Mobile Devices


By Chris Higby & Kurt Wimmer

Yesterday, the Federal Trade Commission held a forum on Mobile Security: Potential Threats and Solutions. The forum brought together academics, industry leaders, and security experts to discuss the security problems arising from the rapid adoption of mobile devices.

The first panel, consisting of security experts and researchers, gave a brief overview of mobile malware. They agreed that mobile malware infection rates are generally very low and that most malware accesses private information by using social engineering, rather than by exploiting technical flaws. Looking forward, Dan Guido, CEO of Trail of Bits, viewed the replacement of legitimate applications in app stores with malware versions as the most serious threat.

The second panel, consisting of security representatives from the major mobile operating systems (Microsoft’s Windows Phone, Google’s Android, Mozilla’s Firefox OS, Research In Motion’s BlackBerry, and Apple’s iOS), addressed how mobile platforms are designed with security in mind. Adrian Ludwig of Google advocated the use of install-time permissions, such as those found in Android, as a way to increase transparency to the user.  However, both Adrian Stone of BlackBerry and Geir Olsen of Microsoft expressed skepticism as to the effectiveness of permissions for the average user. Ludwig also criticized Apple’s approach of restricting users to “curated” app stores as a restriction on user choice.

Continue Reading FTC Holds Forum Addressing Mobile Security

Today, the Federal Trade Commission released the agenda and panelists for the public forum it is holding on mobile security, Mobile Security: Potential Threats and Solutions, on June 4, 2013.  The forum will bring together technology researchers, industry members, and academics to explore mobile malware, the security of existing and developing mobile technologies, and