Mobile Apps Privacy & Security What the regulators want to see Timothy M. Banks Partner Dentons Canada LLP T: 416.863.4424 E: [email protected] t: @TM_Banks January 2014 Dentons Canada LLP

Mobile Apps Privacy & Security: What the regulators want to see


In this presentation, Dentons’ Timothy Banks discusses Mobile Apps Privacy & Security: What the regulators want to see. Topics include:

• Who is regulating privacy and security?

• Why are mobile apps different for regulators?

• What are some common themes for regulators?

• Are there any differences in regulator focus?

• What are the implications of some special areas of focus?

• Next stop? CASL and ah, BYOD … what to do?


Page 1: Mobile Apps Privacy & Security: What the regulators want to see

Mobile Apps Privacy & Security: What the regulators want to see

Timothy M. Banks
Partner
Dentons Canada LLP
T: 416.863.4424
E: [email protected]
t: @TM_Banks

January 2014

Dentons Canada LLP

Page 2: Mobile Apps Privacy & Security: What the regulators want to see

Mobile Apps Privacy & Security: What the regulators want to see

• Who is regulating privacy and security?

• Why are mobile apps different for regulators?

• What are some common themes for regulators?

• Are there any differences in regulator focus?

• What are the implications of some special areas of focus?

• Next stop? CASL and ah, BYOD … what to do?

Page 3: Mobile Apps Privacy & Security: What the regulators want to see

Regulatory landscape

A continuing evolution

Page 4: Mobile Apps Privacy & Security: What the regulators want to see

Who is regulating privacy and security?

Out of the gate

Data protection authorities

• Office of the Privacy Commissioner of Canada

• UK Information and Privacy Commissioner

• Dutch Data Protection Authority

Consumer protection authorities

• US Federal Trade Commission

• California Attorney General

Emerging

Telecommunications authorities

• Canadian Radio-television Telecommunications Commission (via CASL)

• US Federal Communications Commission

Voluntary codes (US examples)

• National Telecommunications and Information Administration (NTIA)

• Network Advertising Initiative (NAI)

• Digital Advertising Alliance (DAA)


Page 5: Mobile Apps Privacy & Security: What the regulators want to see

Recent privacy guidance directed to mobile apps


• UK Information Commissioner’s Office, “Privacy in mobile apps: guidance for developers” (December 2013)

• Article 29 Data Protection Working Party, “Opinion 02/2013 on apps on smart devices” (February 2013)

• Federal Trade Commission Staff Report, “Mobile privacy disclosures: building trust through transparency” (February 2013)

• Kamala D. Harris, California Attorney General, “Privacy on the go: recommendations for the mobile ecosystem” (January 2013)

• Office of the Privacy Commissioner of Canada, Alberta Information and Privacy Commission, British Columbia Information and Privacy Commission, “Seizing opportunity: good privacy practices for developing mobile apps” (October 2012)

Page 6: Mobile Apps Privacy & Security: What the regulators want to see

Other relevant recent privacy guidance


• Office of the Privacy Commissioner of Canada, “Gaming consoles and personal information: playing with privacy” (November 2012)

• Federal Trade Commission, “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies” (October 2012)

• Office of the Privacy Commissioner of Canada, “Policy Position on Online Behavioural Advertising” (June 2012)

• Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change” (March 2012)

• Office of the Privacy Commissioner of Canada “Data at Your Fingertips: Biometrics and the Challenges to Privacy” (February 2011)

Page 7: Mobile Apps Privacy & Security: What the regulators want to see

Why mobile?

Opportunities and challenges

Page 8: Mobile Apps Privacy & Security: What the regulators want to see

Elements of the mobile challenge

• Security

• Portable and Personal

• Lots of Device Data

• Opaque Functions

• Lots of User Data

The potential to chronicle individual lives exceeds anything previous in human history

The datafication of our lives involves a large ecosystem of participants, including ourselves

Page 9: Mobile Apps Privacy & Security: What the regulators want to see

App ecosystem


App User

App Developer

App Store

OS Developer

Device Manufacturer

Advertising Network

Analytics

Page 10: Mobile Apps Privacy & Security: What the regulators want to see

Why are mobile apps different for regulators?

Potentially greater use of PI

• Close interaction with operating system permitting collection of sensor and other information from device

• Geolocation tracking

• Address book use

• Combining text, email and phone

*Article 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices (adopted February 27, 2013)

Accountability challenges

• More complicated ecosystem

• Less “real estate” for notice and choice

• Uncertainty regarding limits of scope of what constitutes PI

• Limits of regulatory authority to create and control gate keepers

Page 11: Mobile Apps Privacy & Security: What the regulators want to see

Common themes

Differences in focus

Page 12: Mobile Apps Privacy & Security: What the regulators want to see

Risks cited as requiring intervention


• Fragmentation of the app ecosystem

• Many small players and start-ups without knowledge of privacy laws

• App use of PI is not transparent

• Consent is not free and informed

• Purposes are overbroad

• Collection is overbroad

• Security measures are inadequate to volume and sensitivity of data

Page 13: Mobile Apps Privacy & Security: What the regulators want to see

Regulatory responses – key messages

Personal Information

• Expansive view, includes device information

• High standard for de-identification

• Even de-identified (hashed and salted) values might be PI

• Move to encryption

Notice & Consent

• Just-in-time, contextual, simple notices + detailed policy

• Specific and limited – watch function creep in new versions

Behavioural Tracking

• Implied consent / opt-out permitted only if clear notice, and non-sensitive information

• Do-Not-Track must be an option

• High standard for de-identification

• Opt-in for tracking and other “invasive” uses is the future

• Generally the default should be no collection of information from children


Page 14: Mobile Apps Privacy & Security: What the regulators want to see

Gatekeepers

App store

• Test apps before entry

• Disclose information on checks

• Review disclosures to ensure there are privacy policies and minimum disclosures

• Make privacy policy links and basic information conspicuous

• Reputation management by allowing users to report apps

Device & OS Manufacturers

• Granular consent routines when app seeks to access personal information

• Audit trail functionality to see which apps are using which resources

• Dashboards

Page 15: Mobile Apps Privacy & Security: What the regulators want to see

Notice & Consent

• Layered

• Use of icons, images, alerts

• Just-in-time notices for certain types of access – e.g. geolocation

“app developers excel in programming and designing complex interfaces for small screens, and the Working Party calls on the industry to use this creative talent to deliver more innovative solutions to effectively inform users on mobile devices”

• EU - granular consent for:
  • Location
  • Contacts
  • UDID
  • Name
  • Phone number
  • Credit card and payment data
  • User activity history for telephone, text, social networks, browser
  • Social network credentials
  • Biometrics

Page 16: Mobile Apps Privacy & Security: What the regulators want to see

Best Consent Practices

• Just-in-time consent and graphics

• Layering information
  • Main points up-front
  • Details click through
  • Note: Worries in the U.S. regarding misleading representations

• Privacy dashboards allowing users to customize settings

Page 17: Mobile Apps Privacy & Security: What the regulators want to see

Some differences in the focus of the guidance

United States

• Focused on “notice” and “choice”

• More neutral with respect to uses

• More concerned with surprises
  • Although California: “Avoid or minimize the collection of personally identifiable data for uses not related to your app’s basic functionality …”

Canada / EU

• Limited reasonable purposes

“If the purpose of the data processing is excessive and/or disproportionate, even if the user has consented, the app developer will not have a valid legal ground and would likely be in violation of the Data Protection Directive.”

• Consent must be freely given, informed and specific (EU for sure)

• UDIDs should not be used for advertising (GSMA also agrees)

• User control over retention period (EU)

United States / EU

• Children – legal processing COPPA

Page 18: Mobile Apps Privacy & Security: What the regulators want to see

New IAPP resource – helpful!


www.privacyassociation.org/

Page 19: Mobile Apps Privacy & Security: What the regulators want to see

Great guidelines


www.gsma.com

Page 20: Mobile Apps Privacy & Security: What the regulators want to see

Special areas of focus

• Address books

• Behavioural advertising

• Geolocation

Page 21: Mobile Apps Privacy & Security: What the regulators want to see

Address books

• Joint investigation by Dutch DPA and Canadian OPC

• Messenger application allowing individuals to exchange messages on mobile devices through the Internet rather than SMS

• User registers and provides:
  • Country of residence
  • Mobile phone number
  • Acceptance of terms of service
  • Double verification through SMS response

• Collection of:
  • Device identifier
  • Mobile Subscriber ID
  • Mobile Country code
  • Mobile Network code

WhatsApp

Page 22: Mobile Apps Privacy & Security: What the regulators want to see

Address Book Collection

• According to the Findings, WhatsApp populated the “All Contacts” list by:
  • Accessing address book up to 2 x per day
  • Collecting only mobile numbers
  • Transmitting by Secure Socket Layer or Transport Layer Security
  • Matching against mobile numbers of other users
  • Hashing non-matches

Page 23: Mobile Apps Privacy & Security: What the regulators want to see

Findings

• Users should have the ability to manually add and manage contacts rather than being compelled to provide complete access.
  • Allegedly violates the condition of service rule

• Did not require the out-of-network mobile numbers.
  • Allegedly violates the limited collection rules

• Rejected idea that it was no longer personal information
  • Because not truly anonymous if you got access to the salt value.

• Did findings go too far?
  • Do we need to revisit OPC approach to de-identification?
  • Is it truly unreasonable to store hashed values as part of providing user with service of letting user know when new user joins?

Page 24: Mobile Apps Privacy & Security: What the regulators want to see

Address books and children

• FTC Investigation

• Private messaging (1 to 1 and 1 to many) service

• Posts to other social networks

• Path automatically collected and stored address book information even if the user did not select the “Find Friends from Contacts” feature

• Collected name, address, phone numbers, email addresses, Facebook and Twitter user names and date of birth (if in the address book)

• Accepted registrations from children under 13


Path social networking

Page 25: Mobile Apps Privacy & Security: What the regulators want to see

FTC Settlement

• Revised COPPA Rules – July 1, 2013

• Need verifiable consent

• Consent form

• Credit card for each transaction

• Telephone or video conference

• Government ID

• Other methods (you can get prior approval from FTC)

• New industry in designing verifiable consent methods and safe harbor seals

• Settled with FTC for $800,000 for:
  • making deceptive representations regarding the automatic collection of personal information
  • collecting information from minors in violation of Children’s Online Privacy Protection Act (COPPA)

• Plus variety of monitoring and assessment orders

New COPPA Rules

Page 26: Mobile Apps Privacy & Security: What the regulators want to see

Behavioural advertising

• Online behavioural or interest-based advertising (“OBA”) is advertising that is placed by an advertising service based on multiple unrelated Internet-based activities, geolocation data and other sources

• Apps are the medium

• Influencing your purchasing decision is the message

• Your personal information is valuable for delivering the right message at the right time


Mobile Apps are not free

Page 27: Mobile Apps Privacy & Security: What the regulators want to see

Is it personal information?

Canada

• MAC address / IP address, website history, search terms, app activities and transactions, coarse location

• OPC says given the context and the purpose of OBA, the information collected will be treated as personal information and it is up to organizations to prove otherwise

EU

• Different issue because Article 5(3) of the ePrivacy Directive applies to any information stored in the terminal equipment of the user

• Also takes the position that personal data is data related to individual who is directly (such as by name) or indirectly identifiable to the controller or to a third party.

US

• FTC attempts to avoid issue

• California – seems similar to Canada

Page 28: Mobile Apps Privacy & Security: What the regulators want to see

Is it reasonable?


• Canada and the EU focus on reasonableness

• Consent is a necessary but not sufficient condition

• PIPEDA, s. 5(3)
  • An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

• OBA can be a reasonable purpose but not a condition of service for accessing and using the Internet generally (OPC’s OBA Guidance)

• US focus is whether user would find the collection and use “surprising”

• Unclear what the legislative authority is in the US

Is it surprising?

Page 29: Mobile Apps Privacy & Security: What the regulators want to see

What type of consent is required?

• Opt-Out if:
  • User has clear notice
  • User is able to opt-out without difficulty
  • Notice is given before collection

• Consent should be contextual (“just in time”)

• Information should not be “sensitive” information

• Information should be destroyed “as soon as possible” or effectively de-identified

• No tracking children (in U.S., get verifiable parental consent)

• Warning: Advertising to children in Québec


Page 30: Mobile Apps Privacy & Security: What the regulators want to see

Geolocation

• Location awareness

• The mobile device is a voluntary tracker

• GPS is a small part

• Includes position in relation to cell phone tower

• Includes wifi mapping

• Where you are and where you aren’t is information about you

• Mobile devices are personal devices

• Location information is, therefore, likely to be information about an identifiable individual because the location of the device correlates with the individual’s location


Viewed as highly sensitive

Page 31: Mobile Apps Privacy & Security: What the regulators want to see

Moving OBA into the real world

Presence ORB Technology
http://vimeo.com/66074106

Page 32: Mobile Apps Privacy & Security: What the regulators want to see

Also recognized as tool of government surveillance

Malte Spitz: Your phone company is watching
http://www.ted.com/talks/malte_spitz_your_phone_company_is_watching.html

Private and public sector regulatory concern

Page 33: Mobile Apps Privacy & Security: What the regulators want to see

Geolocation

EU

• Separately ask for consent

• Consent limited to purpose of the app

• Consent to use for advertising or other purposes must be asked for separately

Canada

• Evolving … but, hint …

• Legitimate security objective does not automatically justify the use of a surveillance technology.

• Four-part test
  • Is the use of the technology demonstrably necessary to meet a specific need?
  • Is the use of the technology likely to be effective in meeting that need?
  • Is the loss of privacy proportional to the benefit gained?
  • Is there a less privacy-invasive way of achieving the same end?

US

• FTC calls for mobile do-not-track

Page 34: Mobile Apps Privacy & Security: What the regulators want to see

Summing up - ongoing and emerging issues

• Emerging gatekeeper role for App Stores
  • Desired by FTC

• Concerns regarding layering and symbols
  • Solving one problem and creating another
  • “Gotcha” problem with transparency and misleading representations

• Leakage
  • The opaque nature of analytics companies

• Unlawful Use
  • Consumer Reporting / Credit Reporting
  • FTC settlement against two mobile Apps offering job applicant screening tools (Filiquarian Publishing, LLC and Choice Level, LLC)

Page 35: Mobile Apps Privacy & Security: What the regulators want to see

Safeguard challenges

Canada’s Anti-Spam Legislation

Page 36: Mobile Apps Privacy & Security: What the regulators want to see

Consent requirements

Installation

• Express consent required to install an app

• Consent deemed for
  • a cookie, HTML code, Java Scripts
  • an operating system
  • any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to
  • solely to correct a failure
  (but only if reasonable inference can be made from conduct)

Transmission data

• Express consent is required to alter transmission data in an electronic message to have it sent elsewhere or to an additional place

Page 37: Mobile Apps Privacy & Security: What the regulators want to see

Special functions requiring disclosure


The following functions (among others) require additional disclosure in prescribed form:

• collecting personal information stored on the mobile device

• interfering with the owner’s or an authorized user’s control of the mobile device

• changing or interfering with settings, preferences or commands already installed or stored on the mobile device

• changing or interfering with data stored on the mobile device

• causing the mobile device to communicate with another computer system without the authorization

• installing a computer program that may be activated by a third party without knowledge of the owner

Page 38: Mobile Apps Privacy & Security: What the regulators want to see

BYOD Security

Device

Digital Certificates & Tokens

Mobile Device Management Software

Encryption

User Authentication

Anti-Virus / Endpoint Defence

Assumes Network-Side is Secure


Page 39: Mobile Apps Privacy & Security: What the regulators want to see

Device Security Techniques

• Mobile Device Management
  • Control configurations
  • Apply authentication policies
  • May permit viewing of App installations
  • May permit logging of activities
  • May separate personal and corporate data

• Encryption
  • Secure encrypted containers for corporate data

• Anti-Virus Endpoint Defence
  • Protection at the device end

• Controls on User ID and Passphrase characteristics
  • Authenticate the person (What You Know)

• Use of Digital Certificates
  • Authenticate the device (What You Have)

• Use of Tokens for Sensitive Databases
  • Double authentication (What You Have)

Page 40: Mobile Apps Privacy & Security: What the regulators want to see

Thank you

Timothy M Banks
Partner
Dentons Canada LLP

[email protected]

www.privacyanddatasecuritylaw.com

(formerly: www.datagovernancelaw.com)

Follow: @TM_Banks

© 2013 Dentons. Dentons is an international legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices.

Page 41: Mobile Apps Privacy & Security: What the regulators want to see

The preceding presentation contains examples of the kinds of issues companies dealing with Privacy and Security could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique.
