Mobile Apps Privacy & Security: What the regulators want to see
 

In this presentation, Dentons’ Timothy Banks discusses Mobile Apps Privacy & Security: What the regulators want to see, topics include:

• Who is regulating privacy and security?
• Why are mobile apps different for regulators?
• What are some common themes for regulators?
• Are there any differences in regulator focus?
• What are the implications of some special areas of focus?
• Next stop? CASL and ah, BYOD … what to do?

    Presentation Transcript

    • Dentons Canada LLP Mobile Apps Privacy & Security What the regulators want to see Timothy M. Banks Partner Dentons Canada LLP T: 416.863.4424 E: timothy.banks@dentons.com t: @TM_Banks January 2014
    • Mobile Apps Privacy & Security: What the regulators want to see
      • Who is regulating privacy and security?
      • Why are mobile apps different for regulators?
      • What are some common themes for regulators?
      • Are there any differences in regulator focus?
      • What are the implications of some special areas of focus?
      • Next stop? CASL and ah, BYOD … what to do?
    • Regulatory landscape A continuing evolution
    • Who is regulating privacy and security? Out of the gate Emerging Data protection authorities Telecommunications authorities • Office of the Privacy Commissioner of Canada • Canadian Radio-television Telecommunications Commission (via CASL) • UK Information and Privacy Commissioner • Dutch Data Protection Authority Consumer protection authorities • US Federal Trade Commission • California Attorney General • US Federal Communications Commission Voluntary codes (US examples) • National Telecommunications and Information Administration (NTIA) • Network Advertising Initiative (NAI) • Digital Advertising Alliance (DAA)
    • Recent privacy guidance directed to mobile apps
      • UK Information Commissioner’s Office, “Privacy in mobile apps: guidance for developers” (December 2013)
      • Article 29 Data Protection Working Party, “Opinion 02/2013 on apps on smart devices” (February 2013)
      • Federal Trade Commission Staff Report, “Mobile privacy disclosures: building trust through transparency” (February 2013)
      • Kamala D. Harris, California Attorney General, “Privacy on the go: recommendations for the mobile ecosystem” (January 2013)
      • Office of the Privacy Commissioner of Canada, Alberta Information and Privacy Commission, British Columbia Information and Privacy Commission, “Seizing opportunity: good privacy practices for developing mobile apps” (October 2012)
    • Other relevant recent privacy guidance
      • Office of the Privacy Commissioner of Canada, “Gaming consoles and personal information: playing with privacy” (November 2012)
      • Federal Trade Commission, “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies” (October 2012)
      • Office of the Privacy Commissioner of Canada, “Policy Position on Online Behavioural Advertising” (June 2012)
      • Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change” (March 2012)
      • Office of the Privacy Commissioner of Canada, “Data at Your Fingertips: Biometrics and the Challenges to Privacy” (February 2011)
    • Why mobile? Opportunities and challenges
    • Elements of the mobile challenge: Portable and Personal; Lots of User Data; Security; Lots of Device Data; Opaque Functions. The potential to chronicle individual lives exceeds anything previous in human history. The datafication of our lives involves a large ecosystem of participants, including ourselves.
    • App ecosystem: Advertising Network, App Developer, App User, Device Manufacturer, Analytics, OS Developer, App Store
    • Why are mobile apps different for regulators? Potentially greater use of PI Accountability challenges • Close interaction with operating system permitting collection of sensor and other information from device • More complicated ecosystem • Geolocation tracking • Address book use • Combining text, email and phone • Less “real estate” for notice and choice • Uncertainty regarding limits of scope of what constitutes PI • Limits of regulatory authority to create and control gate keepers *Article 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices (adopted February 27, 2013)
    • Common themes Differences in focus
    • Risks cited as requiring intervention
      • Fragmentation of the app ecosystem
      • Many small players and start-ups without knowledge of privacy laws
      • App use of PI is not transparent
      • Consent is not free and informed
      • Purposes are overbroad
      • Collection is overbroad
      • Security measures are inadequate to volume and sensitivity of data
    • Regulatory responses – key messages Personal Information Behavioural Tracking • Expansive view, includes device information • Implied consent / opt-out permitted only if clear notice, and non-sensitive information • High standard for de-identification • Even de-identified (hashed and salted) values might be PI • Move to encryption Notice & Consent • Just-in-time, contextual, simple notices + detailed policy • Do-Not-Track must be an option • High standard for de-identification • Opt-in for tracking and other “invasive” uses is the future • Generally the default should be no collection of information from children • Specific and limited – watch function creep in new versions
    • Gatekeepers App store Device & OS Manufacturers • Test apps before entry • Granular consent routines when app seeks to access personal information • Disclose information on checks • Review disclosures to ensure there are privacy policies and minimum disclosures • Audit trail functionality to see what apps using what resources • Dashboards • Make privacy policy links and basic information conspicuous • Reputation management by allowing users to report apps
    • Notice & Consent • Layered • Use of icons, images, alerts • Just-in-time notices for certain types of access – e.g. geolocation “app developers excel in programming and designing complex interfaces for small screens, and the Working Party calls on the industry to use this creative talent to deliver more innovative solutions to effectively inform users on mobile devices” • EU - granular consent for: • Location • UDID • User activity history for telephone, text, social networks, browser • Name • Social network credentials • Phone number • Biometrics • Contacts • Credit card and payment data
    • Best Consent Practices • Just-in-time consent and graphics • Layering information • Main points up-front • Details click through • Note: Worries in the U.S. regarding misleading representations • Privacy dashboards allowing users to customize settings
    • Some differences in the focus of the guidance United States Canada / EU • Focused on “notice” and “choice” • Limited reasonable purposes • More neutral with respect to uses • More concerned with surprises • Although California: “Avoid or minimize the collection of personally identifiable data for uses not related to your app’s basic functionality …” United States / EU • Children – legal processing COPPA “If the purpose of the data processing is excessive and/or disproportionate, even if the user has consented, the app developer will not have a valid legal ground and would likely be in violation of the Data Protection Directive.” • Consent must be freely given, informed and specific (EU for sure) • UDIDs should not be used for advertising (GSMA also agrees) • User control over retention period (EU)
    • New IAPP resource – helpful! www.privacyassociation.org/
    • Great guidelines www.gsma.com
    • Special areas of focus: Address books, Behavioural advertising, Geolocation
    • Address books WhatsApp • Joint investigation by Dutch DPA and Canadian OPC • Messenger application allowing individuals to exchange messages on mobile devices through the Internet rather than SMS • User registers and provides: • Country of residence • Mobile phone number • Acceptance of terms of service • Double verification through SMS response • Collection of: • Device identifier • Mobile Subscriber ID • Mobile Country code • Mobile Network code
    • Address Book Collection
      • According to the Findings, WhatsApp populated the “All Contacts” list by:
        • Accessing address book up to 2 x per day
        • Collecting only mobile numbers
        • Transmitting by Secure Socket Layer or Transport Layer Security
        • Matching against mobile numbers of other users
        • Hashing non-matches
    • Findings
      • Users should have the ability to manually add and manage contacts rather than being compelled to provide complete access.
      • Allegedly violates the condition of service rule
      • Did not require the out-of-network mobile numbers.
      • Allegedly violates the limited collection rules
      • Rejected idea that it was no longer personal information
      • Because not truly anonymous if you got access to the salt value.
      • Did findings go too far?
      • Do we need to revisit OPC approach to de-identification?
      • Is it truly unreasonable to store hashed values as part of providing user with service of letting user know when new user joins?
    • Address books and children Path social networking • FTC Investigation • Private messaging (1 to 1 and 1 to many) service • Posts to other social networks • Path automatically collected and stored address book information even if the user did not select the “Find Friends from Contacts” feature • Collected name, address, phone numbers, email addresses, Facebook and Twitter user names and date of birth (if in the address book) • Accepted registrations from children under 13
    • FTC Settlement New COPPA Rules • Settled with FTC for $800,000 for: • making deceptive representations regarding the automatic collection of personal information • collected information from minors in violation of Children’s Online Privacy Protection Act (COPPA) • Plus variety of monitoring and assessment orders • Revised COPPA Rules – July 1, 2013 • Need verifiable consent • Consent form • Credit card for each transaction • Telephone or video conference • Government ID • Other methods (you can get prior approval from FTC) • New industry in designing verifiable consent methods and safe harbor seals
    • Behavioural advertising Mobile Apps are not free • Online behavioural or interest-based advertising (“OBA”) is advertising that is placed by an advertising service based on multiple unrelated Internet-based activities, geolocation data and other sources • Apps are the medium • Influencing your purchasing decision is the message • Your personal information is valuable for delivering the right message at the right time
    • Is it personal information? Canada EU • MAC address / IP address, website history, search terms, app activities and transactions, coarse location • Different issue because Article 5(3) of the ePrivacy Directive applies to any information stored in the terminal equipment of the user • OPC says given the context and the purpose of OBA, the information collected will be treated as personal information and it is up to organizations to prove otherwise • Also takes the position that personal data is data related to individual who is directly (such as by name) or indirectly identifiable to the controller or to a third party. US • FTC attempts to avoid issue • California – seems similar to Canada
    • Is it reasonable? Is it surprising? • Canada and the EU focus on reasonableness • Consent is a necessary but not sufficient condition • PIPEDA, s. 5(3) • An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. • OBA can be a reasonable purpose but not a condition of service for accessing and using the Internet generally (OPC’s OBA Guidance) • US focus is whether user would find the collection and use “surprising” • Unclear what the legislative authority is in the US
    • What type of consent is required? • Opt-Out if: • User has clear notice • User is able to opt-out without difficulty • Notice is given before collection • Consent should be contextual (“just in time”) • Information should not be “sensitive” information • Information should be destroyed “as soon as possible” or effectively deidentified • No tracking children (in U.S., get verifiable parental consent) • Warning: Advertising to children in Québec
    • Geolocation Viewed as highly sensitive • Location awareness • The mobile device is a voluntary tracker • GPS is a small part • Includes position in relation to cell phone tower • Includes wifi mapping • Where you are and where you aren’t is information about you • Mobile devices are personal devices • Location information is, therefore, likely to be information about an identifiable individual because the location of the device correlates with the individual’s location
    • Moving OBA into the real world Presence ORB Technology http://vimeo.com/66074106
    • Also recognized as tool of government surveillance Private and public sector regulatory concern Malte Spitz: Your phone company is watching http://www.ted.com/talks/malte_spitz_your_phone_company_is_watching.html
    • Geolocation EU Canada • Separately ask for consent • Evolving … but, hint … • Consent limited to purpose of the app • Legitimate security objective does not automatically justify the use of a surveillance technology. • Consent to use for advertising or other purposes must be asked for separately • Four-part test US • Is the use of the technology demonstrably necessary to meet a specific need? • FTC calls for mobile do-not-track • Is the use of the technology likely to be effective in meeting that need? • Is the loss of privacy proportional to the benefit gained? • Is there a less privacy-invasive way of achieving the same end?
    • Summing up - ongoing and emerging issues • Emerging gatekeeper role for App Stores • Desired by FTC • Concerns regarding layering and symbols • Solving one problem and creating another • “Gotcha” problem with transparency and misleading representations • Leakage • The opaque nature of analytics companies • Unlawful Use • Consumer Reporting / Credit Reporting • FTC settlement against two mobile Apps offering job applicant screening tools (Filiquarian Publishing, LLC and Choice Level, LLC)
    • Safeguard challenges Canada’s Anti-Spam Legislation
    • Consent requirements Installation Transmission data • Express consent required to install an app • Express consent required to alter transmission data in an electronic message to have it sent elsewhere or to an additional place • Consent deemed for • a cookie, HTML code, Java Scripts • an operating system • any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to • solely to correct a failure (but only if reasonable inference can be made from conduct)
    • Special functions requiring disclosure
      The following functions (among others) require additional disclosure in prescribed form:
      • collecting personal information stored on the mobile device
      • interfering with the owner’s or an authorized user’s control of the mobile device
      • changing or interfering with settings, preferences or commands already installed or stored on the mobile device
      • changing or interfering with data stored on the mobile device
      • causing the mobile device to communicate with another computer system without the authorization
      • installing a computer program that may be activated by a third party without knowledge of the owner
    • BYOD Security Assumes Network-Side is Secure Device User Authentication Digital Certificates & Tokens Anti-Virus / Endpoint Defence Mobile Device Management Software Encryption
    • Device Security Techniques • Mobile Device Management • Control configurations • Apply authentication policies • May permit viewing of App installations • May permit logging of activities • May separate personal and corporate data • Encryption • Secure encrypted containers for corporate data • Controls on User ID and Passphrase characteristics • Authenticate the person (What You Know) • Use of Digital Certificates • Authenticate the device (What You Have) • Use of Tokens for Sensitive Databases • Double authentication (What You Have) • Anti-Virus Endpoint Defence • Protection at the device end
    • Thank you Timothy M Banks Partner Dentons Canada LLP 416.863.4424 timothy.banks@dentons.com www.privacyanddatasecuritylaw.com (formerly: www.datagovernancelaw.com) Follow: @TM_Banks © 2013 Dentons. Dentons is an international legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices.
    • Dentons Canada LLP The preceding presentation contains examples of the kinds of issues companies dealing with Privacy and Security could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique.