Where You Are Is Who You Are: Legal Trends in Geolocation Data Privacy & Security
•Download as PPTX, PDF•
1 like•305 views
From healthcare apps, to mobile devices, to utilities, services are collecting and aggregating customer data across many different types of connected devices. As more everyday objects connect to the Internet to send and receive data, the FTC, legislators, privacy advocates, and others have identified location information as a particularly sensitive category of data because the types of data collected and real risks to people, systems and privacy. This presentation covers the latest issues in location and security, privacy laws and regulations, with an eye toward developers and IT managers. RSAC 2016
Recommended
Recommended
More Related Content
Viewers also liked
Similar to Where You Are Is Who You Are: Legal Trends in Geolocation Data Privacy & Security
Similar to Where You Are Is Who You Are: Legal Trends in Geolocation Data Privacy & Security (20)
More from Adler Law Group
More from Adler Law Group (10)
Recently uploaded
Recently uploaded (20)
Where You Are Is Who You Are: Legal Trends in Geolocation Data Privacy & Security
- 1. SESSION ID: #RSAC Davi M. Adler Where You Are Is Who You Are: Legal Trends in Geolocation Privacy & Security LAW-T11 Attorney/Founder Adler Law Group @adlerlaw
- 2. Adler Law Group #RSAC Introduction 2 Does sharing geolocation info protect us? What? Who? Why? Risk avoidance = Reviewing/updating Policies & Contracts & Training U.S. v. Global Laws
- 3. Adler Law Group #RSAC Internet use is changing! 3 40% Gov’t Services 43% Job info 18% Submit Job App 44% Real Estate 57% Online Banking 62% Research Health Condition Mobile Devices & Major Life Events/Experiences
- 4. Adler Law Group #RSAC How Smartphone Owners Share Location 4 0% 20% 40% 60% 80% 67% Get Directions Public Transport Post Location "Check in" Taxi Serivce Location Relevant Data Percentage of Users
- 5. Adler Law Group #RSAC Location info is gathered many ways 5 User Cell Tower WiFi Hotspot Crowd- sourcing GPS
- 6. Adler Law Group #RSAC Use v. Trust 6 USE TRUST
- 7. Adler Law Group #RSAC Location Data = Sensitive Data 7 Sensitive Data Legal Duty to Protect Use Increasing Disclosures Opaque 06/04/14 FTC Dir. Rich Testifies before Congress: “Geolocation information divulges intimately personal details of an Individual”
- 8. Adler Law Group #RSAC Complicated & Confusing 8 US: No uniform privacy laws. Enforcement is “ad-hoc.” FTC: enforcing privacy policies & security procedures. Sensitive Info: Employment, Medical, Sexual Orientation, Financial. Trend: Greater State & Federal Legislative & Regulatory Involvement
- 9. Adler Law Group #RSAC Trends: Federal Legislation 9 White House Privacy Bill of Rights Act of 2015 Federal Geolocation Privacy Legislation Consolidated Appropriation s Act, 2015 Enacted (Sec. 417 of Div. K) GPS Act (S. 237) (H.R. 491) Online Communications & Geolocation Protection Act (H.R. 983) Location Privacy Protection Act of 2014 (S. 2171)
- 10. Adler Law Group #RSAC Trends: State Location Privacy Initiatives 10 Legislation CA Senate Bill 576 State AGs CA: State AG sued Delta over failure to post Privacy Policy in Mobile App (CalOPPA)
- 11. Adler Law Group #RSAC Trends: Regulatory Enforcement 11 FTC Retail In-store Tracking (NOMI) Geolocation Sharing (Snapchat) Address Book Access/ Sharing (Path) Flashlight (Goldenshores) FCC AT&T: April 8, 2015 call center data data breach Net Neutrality: New rule-making authority over internet access
- 12. Adler Law Group #RSAC Nest Steps: Risk Mitigation & Avoidance 12 Identify & Locate Review & Revise Update Policies & Contracts Train Employees
- 13. Adler Law Group #RSAC Nest Steps: Risk Mitigation & Avoidance 13 Update Policies & Contracts: Notice & Meaningful Choice Transparency 3d Party Access to Location Info?
- 14. Adler Law Group #RSAC Thank You! 14 David M. Adler | Adler Law Group Safeguarding Ideas, Relationships & Talent ® 300 Saunders Road, Suite 100 Riverwoods, Illinois 60015 Direct: (866) 734-2568 Email: David@Adler-Law.com Web: www.adler-law.com Blog: Adlerlaw.wordpress.com Twitter: @adlerlaw LinkedIn: https://www.linkedin.com/in/adlerlaw Ping® Newsletter
Editor's Notes
- Intro: My background: I’m a lawyer, but not YOUR lawyer If you are running out of this room calling your lawyer the minute I’m finished, I haven’t done my job. J/K…
- Collecting and Aggregating Location Data Use of Location Information has opportunities and challenges for consumer Privacy. What, Who, Why? -Healthcare Apps, Mobile Devices, & Utilities -FTC, Legislators, Privacy advocates say location information “particularly sensitive category of data.” -Real threats to people, systems & privacy when Misused The mobile marketplace is the fastest growing segment of commerce. Mobile digital media time in the US is now significantly higher at 51% v desktop (42%). http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/ Innovative services rely on a consumer’s location information. High-quality customer engagement. Increasing number of state & federal legal and regulatory requirements. RISK AVOIDANCE: we will discuss tips and best practices US LAW only: not talking about EU/Safe Harbor
- Mobile Devices Are Used to Navigate Major Life Events/Experiences Pew Internet Study: U.S. Smartphone Use in 2015 BY AARON SMITH (APRIL 1, 2015) http://www.pewinternet.org/2015/04/01/us-smartphone-use-in-2015/ Mobile Phone key entry point lower income and “smartphone-dependent” users are especially likely to use for job /employment
- 67% use phone for turn-by-turn, 31% do this “frequently.” 25% use phone public transit information 11% use phone reserve a taxi or car service Location tracking of mobile device users can compromise security. Most companies have information they don't want publicly available. In addition to proprietary data on processes and production, companies keep a lot of basic information confidential. Examples are the identities of bidders on a project, sources of key materials and customer lists. When it's easy to track the movements of employees, the security of such information may be compromised.
- 3d Parties are gathering way more through basic device operations: >WiFi Hotspots: range is limited to a 100 meters >Cell tower triangulation yields results within 50 meters >GPS: compile the precise locations of these signals into large databases >Crowdsourcing: cell tower + Wi-Fi access point data = precise locations - compiled & then licensed to 3d parties. >Foursquare knows building and Floor Surprisingly Rich sources of Info available to ALL Apps: Keyboard Cache SIM Card Serial # IMSI ID (Cell phone equivalent of email address; can tell a service if an App is installed reinstalled) Phone # Email account settings WiFI Network history & Time stamps
- USE: Employers: 62% of employers track employees using GPS, according to a 2012 study Law Enforcement: 1) 1.3M Requests according to 2012 congressional inquiry, 2) Both GPS devices & Cell phones TRUST: 20% of mobile phone users have turned off location services 80% of shoppers say they do not want in-store movements tracked GPS technology is making it easier for companies with just a few dozen employees to roll out such tracking. A 2012 study by technology research firm Aberdeen Group found that 62 percent of companies with so-called "field employees” https://www.washingtonpost.com/news/the-switch/wp/2015/05/14/some-companies-are-tracking-workers-with-smartphone-apps-what-could-possibly-go-wrong/
- Sensitive Data Location Data increasingly subject to legal duty to protect Use of Location Info by Apps, Devices & Platforms Increasing Consumer Disclosures Increasingly Opaque Legislators & Privacy Advocates Increasingly Vocal
- Consolidated and Further Continuing Appropriations Act, 2015: language applicable to the Department of Transportation – No $ for GPS tracking in private vehicles w/o full consideration of privacy concerns GPS Act: 1) Legal Framework for Access/Use of Location Info, 2) Consent required for disclosure of Location Info to 3d Parties Online Comms & Geolocation Protection Act: Same as GPS but + safeguards for online communications Location Privacy Protection Act of 2014: 1) Prohibits collection/disclosure of Location info from an electronic communications device w/o consent, 2) exceptions for parents, emergency services, law enforcement, and 3) prohibit development and distribution of "stalking apps,"
- CA Senate Bill 576: Requires that consumers get: Clear notice explaining how location information will be used and shared when App installed. Ensures App users give express consent before geolocation data can be collected and shared.
- FTC NOMI: Retail In-store Tracking & Opt-out (04/23/15) Snapchat: Transmission of Geolocation Path: Address Book info Goldenshores: Flashlight App (Location) FCC AT&T: April 8, 2015 - paid $25M to settle charges that It failed to properly protect confidentiality of ~280k customers in connection with call center data breaches; employees sold info to 3d party
- I&L: Identify & Locate: 1) data collected, 2) by whom, 3) how stored, and 4) how shared Biggest risk to companies: don’t know what they have, where it is, or who controls. R&R: Review & Revise Privacy Policies & Contracts w/ Vendors & Service Providers Update Policies & Contracts: Notice & Transparency Meaningful Choice 3d Party Access to Location Info? MC: challenge of ensuring opportunity to exercise meaningful choice with respect to the collection and use “choice=tell a company what it can and cannot do “opt-out,” or “opt-in,” challenge of “tension between granularity and simplicity” —meaningful real-time and seamless user experience (Result ignored) 3d Party: Once an application has access to a user’s data, there are usually no rules governing its disclosure, and no controls available to consumers to regain control of it.
- N&T: One of the most important aspects of companies’ approaches to privacy is that they provide transparent notice to consumers regarding the company’s privacy practices, informing the consumer as to what the company is doing with the personal information it collects. Such notice to consumers should be clear, concise, and an accurate reflection of the privacy practices of the company. providing accurate notice and transparency of privacy practices to customers remains an important challenge limited real estate” on mobile phones, and thus they are not receptive to long, involved privacy notices MC: challenge of ensuring opportunity to exercise meaningful choice with respect to the collection and use “choice=tell a company what it can and cannot do “opt-out,” or “opt-in,” challenge of “tension between granularity and simplicity” —meaningful real-time and seamless user experience (Result ignored) TP Once an application has access to a user’s data, there are usually no rules governing its disclosure, and no controls available to consumers to regain control of it.