Privacy Monitoring Activity at the Federal Trade Commission
There is much going on at the Federal Trade Commission (FTC) these days, particularly in the privacy arena. In addition to the settlements discussed below, today the White House confirmed that President Obama will nominate Edith Ramirez as Chair of the FTC, replacing outgoing Chairman Jon Leibowitz.
Path, a social networking app, agreed to settle charges that it violated children’s privacy and deceived users by collecting personal information from their mobile address books.
The FTC complaint charged Path with three counts of violating the FTC Act. The first and second counts stem from the “Add Friends” feature provided on the app. This feature gives users the option to add friends from their mobile address book, Facebook account or to invite them by e-mail. In reality, if the information was available, the app always collected and stored personal information from the user’s mobile contact list, including name, address, telephone number, e-mail address and date of birth, regardless of what option the user chose.
The third count addressed children’s privacy and Path’s violation of COPPA. When users registered for the site, they were required to provide an email address, first name and last name, and could optionally provide gender, date of birth and phone number. If the user told Path that they were under 13, Path did not contact parents and obtain consent prior to collecting personal information, as required by COPPA. Approximately 3,000 children identified themselves as being under 13 and were using the app, which allowed them to keep and share a personal journal and pictures with up to 150 friends.
Path explained on its blog that, prior to the FTC charges, it had updated its systems to automatically reject users under 13 and had suspended underage accounts that had already been created.
In the settlement, Path agreed to pay an $800,000 fine and to undergo biennial privacy assessments for 20 years. In addition, they agreed to “clearly and prominently disclose…the categories of information from the user’s mobile device that will be accessed and/or collected” and to establish and maintain a comprehensive privacy program.
More recently, HTC America, a Taiwanese manufacturer of Android and Windows mobile devices, agreed to settle charges with the Federal Trade Commission in the first case against a mobile device manufacturer. The agreement requires HTC to take actions that include implementing patches to fix security vulnerabilities on millions of mobile devices.
According to the FTC, HTC engaged in unfair practices and failed to provide “reasonable and appropriate” security in the design of the software used on its mobile devices. The FTC alleged in the complaint that HTC’s overall practices, including security training, program development and implementation, software testing and risk assessment procedures, were inadequate, resulting in serious vulnerabilities being introduced to over 18 million devices. These major issues arose from customizations made by HTC that allowed third-party applications to access large amounts of sensitive data from consumers without the consumers’ knowledge. How did this happen?
(1) Permission re-delegation. This happens when an application that has not received permission to access data piggybacks on the user permission granted to another application (in other words, you give application A the key to your data and it hands that key off to application B without your knowledge). The FTC alleges that apps were surreptitiously tracking users and committing text-message toll fraud (malicious code uses the phone to send text messages to a number that bills the user for each message delivered).
(2) Application installation vulnerability. HTC pre-installed a custom application on the Android devices that could download and install apps without users’ knowledge. According to the FTC this vulnerability “undermine[d] all protections provided by Android’s permission-based security model.”
(3) Insecure communications. This is a big one. Since 2010, HTC had installed customer support and trouble-shooting loggers on about 12.5 million devices. These loggers collected sensitive information such as the contents of text messages, phone numbers of contacts, GPS location data and web browsing history. This information should have been exchanged using secure communications mechanisms (such as the Android inter-process communications mechanism), but HTC failed to do so, which allowed any third-party app with access to the internet to communicate with the logger and read the sensitive information.
(4) Debug code. Developers use this code to test the functionality of applications. HTC used debug code to record whether the interface on the mobile devices was properly sending information requested by the network operator. Generally, there is nothing wrong with this practice, but HTC failed to deactivate the code before shipping the devices for sale. As a result, all of that information was written to the Android system log and was accessible to any third-party app that had permission to read the system log. Users may give third-party apps permission to read the log in certain situations (e.g. to trouble-shoot application crashes), but those applications should never have had access to the plethora of sensitive information that was collected.
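As an added illustration, not code from HTC or from the FTC complaint: a hypothetical Android diagnostics service showing the shipped-debug-logging failure in (4) and the permission re-delegation behind (1) and (3), each beside a hardened form. The class DiagnosticsService, the permission name and the AIDL interface IDiagnostics (one method, String getStatus()) are assumptions.

```java
// Added example (not HTC's or the FTC's code). Assumes a hypothetical AIDL
// interface IDiagnostics with one method, String getStatus().
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.IBinder;
import android.util.Log;

public class DiagnosticsService extends Service {
    private static final String TAG = "Diagnostics";
    // Hypothetical permission, declared in the manifest with
    // android:protectionLevel="signature" so only same-signer apps can hold it.
    private static final String PERM = "com.example.permission.READ_DIAGNOSTICS";

    // (4) Debug code shipped active: the full payload lands in the system log,
    // readable by any app that has been granted permission to read logs.
    static void logStatusUnsafe(String phoneNumber, String cellId) {
        Log.d(TAG, "status phone=" + phoneNumber + " cell=" + cellId);
    }

    // Hardened: sensitive fields never reach the log, and the remaining line is
    // compiled out of release builds via the Gradle-generated BuildConfig.DEBUG.
    static void logStatusSafe(String phoneNumber, String cellId) {
        if (BuildConfig.DEBUG) {
            Log.d(TAG, "status cell=" + redact(cellId));
        }
    }
    static String redact(String s) {
        return (s == null || s.length() < 4) ? "***" : "***" + s.substring(s.length() - 4);
    }

    // (1)/(3) Permission re-delegation: an exported endpoint that answers any
    // caller lends this app's own data access to apps the user never granted it.
    // The fix is to make each caller prove it holds the permission itself.
    private final IDiagnostics.Stub binder = new IDiagnostics.Stub() {
        @Override
        public String getStatus() {
            // Runs inside the caller's Binder transaction, so this checks the remote UID.
            if (checkCallingPermission(PERM) != PackageManager.PERMISSION_GRANTED) {
                throw new SecurityException("caller lacks " + PERM);
            }
            return "ok"; // constructed placeholder; real diagnostics would go here
        }
    };
    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```

Declaring android:permission on the service's manifest entry achieves the same caller check with framework enforcement; the in-code check above shows where the boundary sits.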
These security failures exposed consumers to risks such as having malware placed on their devices that could record and transmit information entered into the device (e.g. financial account numbers and passwords, medical information, text messages and photos).
The settlement with HTC requires the company to provide patches to consumers to fix the security issues, accurately represent its security practices to users (i.e. don’t tell users you provide protections that you don’t actually provide), develop a comprehensive security plan and submit to biannual program audits for the next 20 years.
What the HTC Settlement Means for Your Business
What does this settlement mean for you? Well, the FTC Business Blog has outlined key takeaways that include:
(1) Data security. Data security. Data security. Businesses need to understand and focus on data security. Now is the perfect time to conduct risk assessments and determine the strengths and weaknesses of your network and physical security measures. Have you implemented and maintained reasonable data security measures, such as using secure transmission mechanisms when sending sensitive data? Please remember, providing adequate security is an ongoing process, and you need to continue to review and make improvements to address the challenges you face.
(3) Glitches happen, so be prepared to provide patch updates when necessary.
(4) Do your homework and listen to researchers, marketers and savvy users if they report issues concerning your product or service. The FTC said that if HTC had listened to those sources, it could have moved faster to solve the reported problems.
Although the FTC has targeted mobile privacy issues over the last year (see the Path settlement, the FTC’s guidance on mobile privacy disclosures and the upcoming public forum on threats to mobile devices), these issues go far beyond mobile devices: software security (or the lack thereof) can put any business at risk.