Mobile Apps Privacy & Security
What the regulators want to see
Timothy M. Banks, Partner, Dentons Canada LLP
T: 416.863.4424
E: [email protected]
Follow: @TM_Banks
January 2014
Dentons Canada LLP
Who is regulating privacy and security?
Why are mobile apps different for regulators?
What are some common themes for regulators?
Are there any differences in regulator focus?
What are the implications of some special areas of focus?
Next stop? CASL and ah, BYOD … what to do?
Regulatory landscape: a continuing evolution
Who is regulating privacy and security?
Out of the gate
Data protection authorities
• Office of the Privacy Commissioner of Canada
• UK Information Commissioner’s Office (ICO)
• Dutch Data Protection Authority
Consumer protection authorities
• US Federal Trade Commission
• California Attorney General
Emerging
Telecommunications authorities
• Canadian Radio-television and Telecommunications Commission (via CASL)
• US Federal Communications Commission
Voluntary codes (US examples)
• National Telecommunications and Information Administration (NTIA)
• Network Advertising Initiative (NAI)
• Digital Advertising Alliance (DAA)
Recent privacy guidance directed to mobile apps
• UK Information Commissioner’s Office, “Privacy in mobile apps: guidance for developers” (December 2013)
• Article 29 Data Protection Working Party, “Opinion 02/2013 on apps on smart devices” (February 2013)
• Federal Trade Commission Staff Report, “Mobile privacy disclosures: building trust through transparency” (February 2013)
• Kamala D. Harris, California Attorney General, “Privacy on the go: recommendations for the mobile ecosystem” (January 2013)
• Office of the Privacy Commissioner of Canada, Alberta Information and Privacy Commission, British Columbia Information and Privacy Commission, “Seizing opportunity: good privacy practices for developing mobile apps” (October 2012)
Other relevant recent privacy guidance
• Office of the Privacy Commissioner of Canada, “Gaming consoles and personal information: playing with privacy” (November 2012)
• Federal Trade Commission, “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies” (October 2012)
• Office of the Privacy Commissioner of Canada, “Policy Position on Online Behavioural Advertising” (June 2012)
• Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change” (March 2012)
• Office of the Privacy Commissioner of Canada “Data at Your Fingertips: Biometrics and the Challenges to Privacy” (February 2011)
Why mobile? Opportunities and challenges
Elements of the mobile challenge
• Security
• Portable and personal
• Lots of device data
• Opaque functions
• Lots of user data
The potential to chronicle individual lives exceeds anything previously seen in human history
The datafication of our lives involves a large ecosystem of participants, including ourselves
App ecosystem
• App User
• App Developer
• App Store
• OS Developer
• Device Manufacturer
• Advertising Network
• Analytics
Why are mobile apps different for regulators?
Potentially greater use of PI
• Close interaction with the operating system permitting collection of sensor and other information from the device
• Geolocation tracking
• Address book use
• Combining text, email and phone
*Article 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices (adopted February 27, 2013)
Accountability challenges
• More complicated ecosystem
• Less “real estate” for notice and choice
• Uncertainty regarding the limits of the scope of what constitutes PI
• Limits of regulatory authority to create and control gatekeepers
Common themes and differences in focus
Risks cited as requiring intervention
• Fragmentation of the app ecosystem
• Many small players and start-ups without knowledge of privacy laws
• App use of PI is not transparent
• Consent is not free and informed
• Purposes are overbroad
• Collection is overbroad
• Security measures are inadequate to volume and sensitivity of data
Regulatory responses – key messages
Personal Information
• Expansive view, includes device information
• High standard for de-identification
• Even de-identified (salted and hashed) values might be PI, particularly where the salt is accessible and the input space is small (e.g. phone numbers)
• Move to encryption
Notice & Consent
• Just-in-time, contextual, simple notices + detailed policy
• Specific and limited – watch function creep in new versions
Behavioural Tracking
• Implied consent / opt-out permitted only if clear notice, and non-sensitive information
• Do-Not-Track must be an option
• High standard for de-identification
• Opt-in for tracking and other “invasive” uses is the future
• Generally the default should be no collection of information from children
Gatekeepers
App store
• Test apps before entry
• Disclose information on checks
• Review disclosures to ensure there are privacy policies and minimum disclosures
• Make privacy policy links and basic information conspicuous
• Reputation management by allowing users to report apps
Device & OS manufacturers
• Granular consent routines when an app seeks to access personal information
• Audit trail functionality to see which apps are using which resources
• Dashboards
Notice & Consent
• Layered
• Use of icons, images, alerts
• Just-in-time notices for certain types of access – e.g. geolocation
“app developers excel in programming and designing complex interfaces for small screens, and the Working Party calls on the industry to use this creative talent to deliver more innovative solutions to effectively inform users on mobile devices”
• EU – granular consent for:
  • Location
  • Contacts
  • UDID
  • Name
  • Phone number
  • Credit card and payment data
  • User activity history for telephone, text, social networks, browser
  • Social network credentials
  • Biometrics
Best Consent Practices
• Just-in-time consent and graphics
• Layering information
  • Main points up-front
  • Details on click-through
  • Note: worries in the U.S. regarding misleading representations
• Privacy dashboards allowing users to customize settings
Some differences in the focus of the guidance
United States
• Focused on “notice” and “choice”
• More neutral with respect to uses
• More concerned with surprises
  • Although California: “Avoid or minimize the collection of personally identifiable data for uses not related to your app’s basic functionality …”
Canada / EU
• Limited reasonable purposes
“If the purpose of the data processing is excessive and/or disproportionate, even if the user has consented, the app developer will not have a valid legal ground and would likely be in violation of the Data Protection Directive.”
• Consent must be freely given, informed and specific (EU for sure)
• UDIDs should not be used for advertising (the GSMA also agrees)
• User control over retention period (EU)
United States / EU
• Children – legal processing, COPPA
New IAPP resource – helpful!
www.privacyassociation.org/
Great guidelines
www.gsma.com
Special areas of focus: address books, behavioural advertising, geolocation
Address books
• Joint investigation by Dutch DPA and Canadian OPC
• Messenger application allowing individuals to exchange messages on mobile devices through the Internet rather than SMS
• User registers and provides:
  • Country of residence
  • Mobile phone number
  • Acceptance of terms of service
  • Double verification through SMS response
• Collection of:
  • Device identifier
  • Mobile Subscriber ID
  • Mobile Country Code
  • Mobile Network Code
Address Book Collection
• According to the Findings, WhatsApp populated the “All Contacts” list by:
  • Accessing the address book up to 2 x per day
  • Collecting only mobile numbers
  • Transmitting by Secure Sockets Layer or Transport Layer Security
  • Matching against mobile numbers of other users
  • Hashing non-matches
Findings
• Users should have the ability to manually add and manage contacts rather than being compelled to provide complete access.
  • Allegedly violates the condition-of-service rule
• Did not require the out-of-network mobile numbers.
  • Allegedly violates the limited collection rules
• Rejected the idea that the hashed values were no longer personal information
  • Because not truly anonymous if you got access to the salt value
• Did the findings go too far?
  • Do we need to revisit the OPC approach to de-identification?
  • Is it truly unreasonable to store hashed values as part of providing the user with the service of letting the user know when a new user joins?
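The “not truly anonymous if you got access to the salt value” finding above, and the earlier key message that even salted and hashed values might be PI, both come down to one property: a phone number carries very little entropy, so anyone holding the salt can recover every number from its hash simply by enumerating the candidates. The Python below is an added illustration written for this page; it is not WhatsApp’s code or the OPC’s. The SHA-256(salt || number) construction, the fixed salt, and the fictional +1 416 555 numbers are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Assumption for the demo: a fixed salt the service stores alongside the
# hashed contact list (the scenario the findings describe).
SALT = b"constructed-sample-salt"

# Constructed sample contact list: fictional 555 numbers in the 416 area code.
SAMPLE_CONTACTS = ["+14165550100", "+14165550199", "+14165559876"]


def hash_number(number: str, salt: bytes) -> str:
    """Assumed scheme: SHA-256 over salt || E.164 number, hex-encoded."""
    return hashlib.sha256(salt + number.encode("ascii")).hexdigest()


def hash_contact_list(numbers, salt: bytes) -> set:
    """What a service might retain for out-of-network contacts: hashes only."""
    return {hash_number(n, salt) for n in numbers}


def reidentify(stored_hashes, salt: bytes, prefix: str, line_digits: int = 4) -> dict:
    """Invert the stored hashes by enumerating every number under `prefix`.

    With a known country/area code and exchange (e.g. '+1416555') there are
    only 10**line_digits candidates, so the whole list is recovered in
    milliseconds. Without the salt the same attacker would also have to
    guess the salt, which is why the finding turns on who can access it.
    Returns {hash: phone_number} for every hash that was matched.
    """
    recovered = {}
    for line in range(10 ** line_digits):
        candidate = f"{prefix}{line:0{line_digits}d}"
        digest = hash_number(candidate, salt)
        if digest in stored_hashes:
            recovered[digest] = candidate
    return recovered


def keyed_hash_number(number: str, key: bytes) -> str:
    """Server-side keyed MAC (HMAC-SHA256) instead of a stored salt.

    Keeping the key off the wire stops outsiders from running reidentify(),
    but the controller still can, so this is pseudonymisation rather than
    anonymisation, which is the regulators' point.
    """
    return hmac.new(key, number.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    stored = hash_contact_list(SAMPLE_CONTACTS, SALT)
    print("Stored hashes:", len(stored))
    print("Recovered with the salt:", sorted(reidentify(stored, SALT, "+1416555").values()))
    print("Recovered with a wrong salt:", reidentify(stored, b"wrong", "+1416555"))
```

Run it as a script: the three “anonymised” hashes are recovered in full with the salt, and nothing is recovered without it. Scaling the prefix up to a whole country’s numbering plan changes the cost from milliseconds to minutes or hours, not to something infeasible, which is why a hash of a phone number is treated as still identifying.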
Address books and children
• FTC Investigation
• Private messaging (1 to 1 and 1 to many) service
• Posts to other social networks
• Path automatically collected and stored address book information even if the user did not select the “Find Friends from Contacts” feature
• Collected name, address, phone numbers, email addresses, Facebook and Twitter user names and date of birth (if in the address book)
• Accepted registrations from children under 13
Path social networking
FTC Settlement
• Settled with the FTC for $800,000 for:
  • making deceptive representations regarding the automatic collection of personal information
  • collecting information from minors in violation of the Children’s Online Privacy Protection Act (COPPA)
• Plus a variety of monitoring and assessment orders
New COPPA Rules
• Revised COPPA Rules – July 1, 2013
• Need verifiable parental consent; methods include:
  • Consent form
  • Credit card for each transaction
  • Telephone or video conference
  • Government ID
  • Other methods (you can get prior approval from the FTC)
• New industry in designing verifiable consent methods and safe harbor seals
Behavioural advertising
• Online behavioural or interest-based advertising (“OBA”) is advertising that is placed by an advertising service based on multiple unrelated Internet-based activities, geolocation data and other sources
• Apps are the medium
• Influencing your purchasing decision is the message
• Your personal information is valuable for delivering the right message at the right time
Mobile Apps are not free
Is it personal information?
Canada
• MAC address / IP address, website history, search terms, app activities and transactions, coarse location
• OPC says that given the context and purpose of OBA, the information collected will be treated as personal information and it is up to organizations to prove otherwise
EU
• Different issue because Article 5(3) of the ePrivacy Directive applies to any information stored in the terminal equipment of the user
• Also takes the position that personal data is data relating to an individual who is directly (such as by name) or indirectly identifiable to the controller or to a third party
US
• FTC attempts to avoid the issue
• California – seems similar to Canada
Is it reasonable?
• Canada and the EU focus on reasonableness
• Consent is a necessary but not sufficient condition
• PIPEDA, s. 5(3)
“An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”
• OBA can be a reasonable purpose but not a condition of service for accessing and using the Internet generally (OPC’s OBA Guidance)
• US focus is whether user would find the collection and use “surprising”
• Unclear what the legislative authority is in the US
Is it surprising?
What type of consent is required?
• Opt-out if:
  • User has clear notice
  • User is able to opt out without difficulty
  • Notice is given before collection
• Consent should be contextual (“just in time”)
• Information should not be “sensitive” information
• Information should be destroyed “as soon as possible” or effectively de-identified
• No tracking children (in U.S., get verifiable parental consent)
• Warning: Advertising to children in Québec
Geolocation
• Location awareness
• The mobile device is a voluntary tracker
• GPS is a small part
• Includes position in relation to cell phone tower
• Includes wifi mapping
• Where you are and where you aren’t is information about you
• Mobile devices are personal devices
• Location information is, therefore, likely to be information about an identifiable individual because the location of the device correlates with the individual’s location
Viewed as highly sensitive
Moving OBA into the real world
Presence ORB Technology
http://vimeo.com/66074106
Also recognized as tool of government surveillance
Malte Spitz: Your phone company is watching
http://www.ted.com/talks/malte_spitz_your_phone_company_is_watching.html
Private and public sector regulatory concern
Geolocation
EU
• Separately ask for consent
• Consent limited to the purpose of the app
• Consent to use for advertising or other purposes must be asked for separately
Canada
• Evolving … but, hint …
• A legitimate security objective does not automatically justify the use of a surveillance technology.
• Four-part test
  • Is the use of the technology demonstrably necessary to meet a specific need?
  • Is the use of the technology likely to be effective in meeting that need?
  • Is the loss of privacy proportional to the benefit gained?
  • Is there a less privacy-invasive way of achieving the same end?
US
• FTC calls for mobile do-not-track
Summing up - ongoing and emerging issues
• Emerging gatekeeper role for App Stores
  • Desired by the FTC
• Concerns regarding layering and symbols
  • Solving one problem and creating another
  • “Gotcha” problem with transparency and misleading representations
• Leakage
  • The opaque nature of analytics companies
• Unlawful use
  • Consumer reporting / credit reporting
  • FTC settlement against two mobile apps offering job applicant screening tools (Filiquarian Publishing, LLC and Choice Level, LLC)
Safeguard challenges: Canada’s Anti-Spam Legislation
Consent requirements
Installation
• Express consent required to install an app
• Consent deemed for:
  • a cookie, HTML code, Java Scripts
  • an operating system
  • any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to
  • a program installed solely to correct a failure
  (but only if a reasonable inference of consent can be made from the person’s conduct)
Transmission data
• Express consent is required to alter transmission data in an electronic message to have it sent elsewhere or to an additional place
Special functions requiring disclosure
The following functions (among others) require additional disclosure in prescribed form:
• collecting personal information stored on the mobile device
• interfering with the owner’s or an authorized user’s control of the mobile device
• changing or interfering with settings, preferences or commands already installed or stored on the mobile device
• changing or interfering with data stored on the mobile device
• causing the mobile device to communicate with another computer system without the authorization of the owner or an authorized user
• installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user
BYOD Security
Device
• Digital certificates & tokens
• Mobile device management software
• Encryption
• User authentication
• Anti-virus / endpoint defence
Assumes the network side is secure
Device Security Techniques
• Mobile Device Management
  • Control configurations
  • Apply authentication policies
  • May permit viewing of app installations
  • May permit logging of activities
  • May separate personal and corporate data
• Encryption
  • Secure encrypted containers for corporate data
• Anti-Virus / Endpoint Defence
  • Protection at the device end
• Controls on user ID and passphrase characteristics
  • Authenticate the person (what you know)
• Use of digital certificates
  • Authenticate the device (what you have)
• Use of tokens for sensitive databases
  • Double authentication (what you have)
Thank you
Timothy M. Banks, Partner, Dentons Canada LLP
www.privacyanddatasecuritylaw.com
(formerly: www.datagovernancelaw.com)
Follow: @TM_Banks
© 2013 Dentons. Dentons is an international legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices.
The preceding presentation contains examples of the kinds of issues companies dealing with Privacy and Security could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique.