Mobile Apps Privacy & Security: What the regulators want to see

In this presentation, Dentons’ Timothy Banks discusses Mobile Apps Privacy & Security: What the regulators want to see, topics include:

• Who is regulating privacy and security?
• Why are mobile apps different for regulators?
• What are some common themes for regulators?
• Are there any differences in regulator focus?
• What are the implications of some special areas of focus?
• Next stop? CASL and ah, BYOD … what to do?


  1. Dentons Canada LLP. Mobile Apps Privacy & Security: What the regulators want to see. Timothy M. Banks, Partner, Dentons Canada LLP. T: 416.863.4424 E: timothy.banks@dentons.com t: @TM_Banks. January 2014
  2. Mobile Apps Privacy & Security: What the regulators want to see • Who is regulating privacy and security? • Why are mobile apps different for regulators? • What are some common themes for regulators? • Are there any differences in regulator focus? • What are the implications of some special areas of focus? • Next stop? CASL and ah, BYOD … what to do?
  3. Regulatory landscape: A continuing evolution
  4. Who is regulating privacy and security? Out of the gate Emerging Data protection authorities Telecommunications authorities • Office of the Privacy Commissioner of Canada • Canadian Radio-television Telecommunications Commission (via CASL) • UK Information and Privacy Commissioner • Dutch Data Protection Authority Consumer protection authorities • US Federal Trade Commission • California Attorney General • US Federal Communications Commission Voluntary codes (US examples) • National Telecommunications and Information Administration (NTIA) • Network Advertising Initiative (NAI) • Digital Advertising Alliance (DAA)
  5. Recent privacy guidance directed to mobile apps • UK Information Commissioner’s Office, “Privacy in mobile apps: guidance for developers” (December 2013) • Article 29 Data Protection Working Party, “Opinion 02/2013 on apps on smart devices” (February 2013) • Federal Trade Commission Staff Report, “Mobile privacy disclosures: building trust through transparency” (February 2013) • Kamala D. Harris, California Attorney General, “Privacy on the go: recommendations for the mobile ecosystem” (January 2013) • Office of the Privacy Commissioner of Canada, Alberta Information and Privacy Commission, British Columbia Information and Privacy Commission, “Seizing opportunity: good privacy practices for developing mobile apps” (October 2012)
  6. Other relevant recent privacy guidance • Office of the Privacy Commissioner of Canada, “Gaming consoles and personal information: playing with privacy” (November 2012) • Federal Trade Commission, “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies” (October 2012) • Office of the Privacy Commissioner of Canada, “Policy Position on Online Behavioural Advertising” (June 2012) • Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change” (March 2012) • Office of the Privacy Commissioner of Canada, “Data at Your Fingertips: Biometrics and the Challenges to Privacy” (February 2011)
  7. Why mobile? Opportunities and challenges
  8. Elements of the mobile challenge • Portable and Personal • Lots of User Data • Security • Lots of Device Data • Opaque Functions. The potential to chronicle individual lives exceeds anything previous in human history. The datafication of our lives involves a large ecosystem of participants, including ourselves.
  9. App ecosystem • Advertising Network • App Developer • App User • Device Manufacturer • Analytics • OS Developer • App Store
  10. Why are mobile apps different for regulators? Potentially greater use of PI Accountability challenges • Close interaction with operating system permitting collection of sensor and other information from device • More complicated ecosystem • Geolocation tracking • Address book use • Combining text, email and phone • Less “real estate” for notice and choice • Uncertainty regarding limits of scope of what constitutes PI • Limits of regulatory authority to create and control gate keepers *Article 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices (adopted February 27, 2013)
  11. Common themes: Differences in focus
  12. Risks cited as requiring intervention • Fragmentation of the app ecosystem • Many small players and start-ups without knowledge of privacy laws • App use of PI is not transparent • Consent is not free and informed • Purposes are overbroad • Collection is overbroad • Security measures are inadequate to volume and sensitivity of data
  13. Regulatory responses – key messages Personal Information Behavioural Tracking • Expansive view, includes device information • Implied consent / opt-out permitted only if clear notice, and non-sensitive information • High standard for de-identification • Even de-identified (hashed and salted) values might be PI • Move to encryption Notice & Consent • Just-in-time, contextual, simple notices + detailed policy • Do-Not-Track must be an option • High standard for de-identification • Opt-in for tracking and other “invasive” uses is the future • Generally the default should be no collection of information from children • Specific and limited – watch function creep in new versions
  14. Gatekeepers App store Device & OS Manufacturers • Test apps before entry • Granular consent routines when app seeks to access personal information • Disclose information on checks • Review disclosures to ensure there are privacy policies and minimum disclosures • Audit trail functionality to see what apps using what resources • Dashboards • Make privacy policy links and basic information conspicuous • Reputation management by allowing users to report apps
  15. Notice & Consent • Layered • Use of icons, images, alerts • Just-in-time notices for certain types of access – e.g. geolocation “app developers excel in programming and designing complex interfaces for small screens, and the Working Party calls on the industry to use this creative talent to deliver more innovative solutions to effectively inform users on mobile devices” • EU - granular consent for: • Location • UDID • User activity history for telephone, text, social networks, browser • Name • Social network credentials • Phone number • Biometrics • Contacts • Credit card and payment data
  16. Best Consent Practices • Just-in-time consent and graphics • Layering information • Main points up-front • Details click through • Note: Worries in the U.S. regarding misleading representations • Privacy dashboards allowing users to customize settings
  17. Some differences in the focus of the guidance United States Canada / EU • Focused on “notice” and “choice” • Limited reasonable purposes • More neutral with respect to uses • More concerned with surprises • Although California: “Avoid or minimize the collection of personally identifiable data for uses not related to your app’s basic functionality …” United States / EU • Children – legal processing COPPA “If the purpose of the data processing is excessive and/or disproportionate, even if the user has consented, the app developer will not have a valid legal ground and would likely be in violation of the Data Protection Directive.” • Consent must be freely given, informed and specific (EU for sure) • UDIDs should not be used for advertising (GSMA also agrees) • User control over retention period (EU)
  18. New IAPP resource – helpful! www.privacyassociation.org/
  19. Great guidelines www.gsma.com
  20. Special areas of focus: Address books, Behavioural advertising, Geolocation
  21. Address books: WhatsApp • Joint investigation by Dutch DPA and Canadian OPC • Messenger application allowing individuals to exchange messages on mobile devices through the Internet rather than SMS • User registers and provides: • Country of residence • Mobile phone number • Acceptance of terms of service • Double verification through SMS response • Collection of: • Device identifier • Mobile Subscriber ID • Mobile Country code • Mobile Network code
  22. Address Book Collection • According to the Findings, WhatsApp populated the “All Contacts” list by: • Accessing address book up to 2 x per day • Collecting only mobile numbers • Transmitting by Secure Socket Layer or Transport Layer Security • Matching against mobile numbers of other users • Hashing non-matches
  23. Findings • Users should have the ability to manually add and manage contacts rather than being compelled to provide complete access. • Allegedly violates the condition of service rule • Did not require the out-of-network mobile numbers. • Allegedly violates the limited collection rules • Rejected idea that it was no longer personal information • Because not truly anonymous if you got access to the salt value. • Did findings go too far? • Do we need to revisit OPC approach to de-identification? • Is it truly unreasonable to store hashed values as part of providing user with service of letting user know when new user joins?
  24. Address books and children: Path social networking • FTC Investigation • Private messaging (1 to 1 and 1 to many) service • Posts to other social networks • Path automatically collected and stored address book information even if the user did not select the “Find Friends from Contacts” feature • Collected name, address, phone numbers, email addresses, Facebook and Twitter user names and date of birth (if in the address book) • Accepted registrations from children under 13
  25. FTC Settlement New COPPA Rules • Settled with FTC for $800,000 for: • making deceptive representations regarding the automatic collection of personal information • collected information from minors in violation of Children’s Online Privacy Protection Act (COPPA) • Plus variety of monitoring and assessment orders • Revised COPPA Rules – July 1, 2013 • Need verifiable consent • Consent form • Credit card for each transaction • Telephone or video conference • Government ID • Other methods (you can get prior approval from FTC) • New industry in designing verifiable consent methods and safe harbor seals
  26. Behavioural advertising: Mobile Apps are not free • Online behavioural or interest-based advertising (“OBA”) is advertising that is placed by an advertising service based on multiple unrelated Internet-based activities, geolocation data and other sources • Apps are the medium • Influencing your purchasing decision is the message • Your personal information is valuable for delivering the right message at the right time
  27. Is it personal information? Canada EU • MAC address / IP address, website history, search terms, app activities and transactions, coarse location • Different issue because Article 5(3) of the ePrivacy Directive applies to any information stored in the terminal equipment of the user • OPC says given the context and the purpose of OBA, the information collected will be treated as personal information and it is up to organizations to prove otherwise • Also takes the position that personal data is data related to individual who is directly (such as by name) or indirectly identifiable to the controller or to a third party. US • FTC attempts to avoid issue • California – seems similar to Canada
  28. Is it reasonable? Is it surprising? • Canada and the EU focus on reasonableness • Consent is a necessary but not sufficient condition • PIPEDA, s. 5(3) • An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. • OBA can be a reasonable purpose but not a condition of service for accessing and using the Internet generally (OPC’s OBA Guidance) • US focus is whether user would find the collection and use “surprising” • Unclear what the legislative authority is in the US
  29. What type of consent is required? • Opt-Out if: • User has clear notice • User is able to opt-out without difficulty • Notice is given before collection • Consent should be contextual (“just in time”) • Information should not be “sensitive” information • Information should be destroyed “as soon as possible” or effectively de-identified • No tracking children (in U.S., get verifiable parental consent) • Warning: Advertising to children in Québec
  30. Geolocation: Viewed as highly sensitive • Location awareness • The mobile device is a voluntary tracker • GPS is a small part • Includes position in relation to cell phone tower • Includes wifi mapping • Where you are and where you aren’t is information about you • Mobile devices are personal devices • Location information is, therefore, likely to be information about an identifiable individual because the location of the device correlates with the individual’s location
  31. Moving OBA into the real world: Presence ORB Technology http://vimeo.com/66074106
  32. Also recognized as tool of government surveillance: Private and public sector regulatory concern. Malte Spitz: Your phone company is watching http://www.ted.com/talks/malte_spitz_your_phone_company_is_watching.html
  33. Geolocation EU Canada • Separately ask for consent • Evolving … but, hint … • Consent limited to purpose of the app • Legitimate security objective does not automatically justify the use of a surveillance technology. • Consent to use for advertising or other purposes must be asked for separately • Four-part test US • Is the use of the technology demonstrably necessary to meet a specific need? • FTC calls for mobile do-not-track • Is the use of the technology likely to be effective in meeting that need? • Is the loss of privacy proportional to the benefit gained? • Is there a less privacy-invasive way of achieving the same end?
  34. Summing up - ongoing and emerging issues • Emerging gatekeeper role for App Stores • Desired by FTC • Concerns regarding layering and symbols • Solving one problem and creating another • “Gotcha” problem with transparency and misleading representations • Leakage • The opaque nature of analytics companies • Unlawful Use • Consumer Reporting / Credit Reporting • FTC settlement against two mobile Apps offering job applicant screening tools (Filiquarian Publishing, LLC and Choice Level, LLC)
  35. Safeguard challenges: Canada’s Anti-Spam Legislation
  36. Consent requirements Installation Transmission data • Express consent required to install an app • Express consent required to alter transmission data in an electronic message to have it sent elsewhere or to an additional place • Consent deemed for • a cookie, HTML code, Java Scripts • an operating system • any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to • solely to correct a failure (but only if reasonable inference can be made from conduct)
  37. Special functions requiring disclosure. The following functions (among others) require additional disclosure in prescribed form: • collecting personal information stored on the mobile device • interfering with the owner’s or an authorized user’s control of the mobile device • changing or interfering with settings, preferences or commands already installed or stored on the mobile device • changing or interfering with data stored on the mobile device • causing the mobile device to communicate with another computer system without the authorization • installing a computer program that may be activated by a third party without knowledge of the owner
  38. BYOD Security Assumes Network-Side is Secure Device User Authentication Digital Certificates & Tokens Anti-Virus / Endpoint Defence Mobile Device Management Software Encryption
  39. Device Security Techniques • Mobile Device Management • Control configurations • Apply authentication policies • May permit viewing of App installations • May permit logging of activities • May separate personal and corporate data • Encryption • Secure encrypted containers for corporate data • Controls on User ID and Passphrase characteristics • Authenticate the person (What You Know) • Use of Digital Certificates • Authenticate the device (What You Have) • Use of Tokens for Sensitive Databases • Double authentication (What You Have) • Anti-Virus Endpoint Defence • Protection at the device end
  40. Thank you. Timothy M Banks, Partner, Dentons Canada LLP. 416.863.4424 timothy.banks@dentons.com www.privacyanddatasecuritylaw.com (formerly: www.datagovernancelaw.com) Follow: @TM_Banks © 2013 Dentons. Dentons is an international legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices.
  41. Dentons Canada LLP. The preceding presentation contains examples of the kinds of issues companies dealing with Privacy and Security could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique.
