The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

FTC Seeks Comments on “Dot Com Disclosures” Guide

The FTC has announced that it is seeking input from businesses on its guidance document regarding online advertising, "Dot Com Disclosures: Information About Online Advertising." 

The guide was originally published in 2000, and given the changing landscape of the online world, the FTC is seeking comment about how the guide should be modified to reflect these changes such as the use of mobile marketing, social media, and apps.  The Commission is interested in both the technical and legal issues marketers, consumer advocates and others want to be addressed.

The FTC will take comments until July 11, 2011.  Electronic comments can be submitted here.  Paper comments can be mailed or delivered to:  Federal Trade Commission, Office of the Secretary, Room H-113 (Annex I), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.


Leave a comment

“Consumer Privacy and Protection in the Mobile Marketplace” Hearing

“Consumer Privacy and Protection in the Mobile Marketplace” Hearing

The U.S. Senate Committee on Commerce, Science, and Transportation held yesterday a subcommittee hearing about “Consumer Privacy and Protection in the Mobile Marketplace.”

Chairman John D. (Jay) Rockefeller (D-WV) noted in his opening statement that “[t]he issue of mobile online privacy is an issue that affects nearly every American—young and old.”

Mr. David Vladeck, Director of the bureau of consumer protection of the Federal Trade Commission, remarked in his written testimony that “a single mobile device can facilitate data collection and sharing among many entities, including wireless providers, mobile operating system providers, handset manufacturers, app developers, analytics companies, and advertisers” (Vladeck testimony p. 11).

Do Not Track

A January 2010 FTC roundtable panel focused on the privacy implications of mobile technology. The FTC Staff Report, published in December 2010, proposed a new privacy framework which also applies to mobile technology. The Staff Report asked whether the implementation of a “Do Not Track” mechanism should “be extended beyond online behavioral advertising and include (…) behavioral advertising for mobile applications” (Staff Report p.98).  Mr. Vladeck noted that the “FTC staff is currently examining the technology involved in a Do Not Track mechanism for mobile apps” (Vladeck testimony p. 18).  Chairman Rockefeller introduced last week a bill, S.913, the Do-Not-Track Online Act of 2011, which would direct the FTC to establish standards by which consumers can inform online companies, including mobile applications, that they do not want their information collected.

Testimonies from Major Industry Players

Apple, Google and Facebook, representing the major players in the online mobile marketplace industry were invited to testify.

Mr. Bret Taylor, Chief Technology Officer of Facebook testified that Facebook users may also access the site via mobile devices, whether on the Internet or using an application. Facebook Platform, launched in 2007, allows third-parties to develop applications. Facebook also introduced Facebook Places last year, which allows users to share their real time location using their mobile devices, and “[w]ith an individual’s express permission, third-party developers can access location data” (Taylor testimony p. 12). Mr. Taylor pointed out that, in June 2010, Facebook “became the first provider to require developers to obtain “granular data permissions” before accessing individuals’ information” and that Facebook also offers its users a way to opt out entirely of the Platform and thus prevent their information from being shared with applications or websites (Taylor testimony p. 13).

Ms. Catherine A. Novelli , Vice President of Worldwide Government Affairs for Apple, explained how iPhone customers can turn off all location-based service capabilities of their mobile device, and pointed out that “Apple requires express customer consent when any application requests location based information for the first time” (Novelli Testimony p. 4). Ms. Novelli also explained the Apple “crowd-sourced database.” This secure database contains information about “known locations of cell towers and Wi-Fi access points – also referred to as Wi-Fi hotspots ” (Novelli Testimony p. 5). However, the database “does not reveal personal information about any customer” (Novelli Testimony p. 6).

Mr. Alan Davidson, Google’s Director of Public Policy testified that “[l]ocation-based services provide tremendous consumer benefit” (Davidson Testimony p. 1), and that “[m]obile location data can even save lives” (Davidson Testimony p. 3). Google’s Android phone features opt-in location controls, and Google “[does not] collect any location information — any at all — through [its] location services on Android devices unless the user specifically chooses to share this information with Google”(Davidson Testimony p. 5).

COPPA

The FTC is currently reviewing the COPPA Rule, and is asking for comment on whether the Rule should be changed because of technological changes in the online environment, including the broad usage of mobile phones by teenagers. Indeed, Chairman Rockefeller noted that seventy five percent of teenagers own a cell phone. Ms. Novelli pointed out that Apple developed parental controls allowing parents to set restriction on the use of Mac products, and that, “on Apple’s iOS mobile devices, parents can use the Restrictions settings to prevent their children from accessing specific device features, including Location Services” (Novelli Testimony p. 2).

The general public is becoming more aware that smart mobile devices and applications may be able to track them, following an article published by the Wall Street Journal last month revealing that both iPhones and Androids regularly transmit their locations to Apple and Google, respectively. Twitter, which can be used on mobile devices, announced on Tuesday that it now gives its users more control over which information they wish to share with third party applications. The Federal Communication Commission has announced a public forum on smart phone location tracking systems. We mentioned earlier this week on this blog that the European Union is also concerned about this issue. We can probably expect more legislative and industry initiatives in the near future.


Leave a comment

Article 29 Working Party Adopts Opinion on Geolocation Services on Smart Mobile Devices

The Article 29 Working Party (Article 29 WP), an independent European advisory body on data protection and privacy, adopted on May 16 its “opinion 13/2011 on Geolocation services on smart mobile devices” to clarify the legal framework applicable to the three main different geolocation infrastructures, GPS, GSM base stations (antennas) , and WiFi. The opinion provides short, but clear explanations of these three technologies.

How personal data stored on smart mobile devices can be collected

The explanation on what is WiFi is particularly interesting to read, as it explains why WiFi access points can be used as a source of geolocation, and how their location can be calculated. That technology is not without privacy risks, as the MAC address (unique identifier) of a WiFi access point can be collected by broadly recording all WiFi frames transmitted by access points, “which can lead to the collection of data exchanged between access points and the devices connected to them” (p. 6).

Behavioral patterns

Geolocation service providers may be able “to gain an intimate overview of habits and patterns” of the owner of a smart mobile device, such as sleep patterns (when user does not use device), where user works (he drives every day around 9:00AM to the Acme Inc. building), health issues (all these visits to the hospital!), religious affiliation (regular visits to a place of worship), or even sex life (regular visitor of a certain pink store at the edge of town). Such pattern can then be made into profiles, which are of great interest for companies. Indeed, the Article 29 WP points out in the introduction of the document that, “[i]n general, the value of information increases when it is connected to a location,” and that all kinds of information may be connected to a location, including health or financial data (p.3).

European Legal Framework

The relevant legal framework is the Directive 95/46/EC, the data protection directive, because of its broad scope, that is, every case where personal data is being processed. Its article 2(a) defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

The Article 29 WP points out that there many available means to identify an individual, as people disclose more and more personal location data, whether it is done voluntarily or not, and thus it is easier now to “link a location or behavioural pattern to a specific individual” (p.10).

However, even if identification of an individual by combining the MAC address of a WIFi access point with its calculated location would require “unreasonable effort,” it does not preclude concluding that such data is personal. Therefore, “the data controller should treat all data about WiFi routers as personal data” (p.11). Looking beyond geolocation issues for a moment, could that mean that the WP29 would consider anonymized data as personal, even if de-anonymizing it would require “unreasonable effort”?

Directive 2002/58/EC, the e-privacy Directive, only applies to processing of base station data by telecom operators (p. 8). Indeed, its article 2(c) provides a definition of “location data” as “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.”

If a company provides “location services and applications based on a combination of base station, GPS and WiFi data,” it is an information society service company. Such company is explicitly excluded from the scope of the e-privacy directive, and“[t]he e-Privacy directive does not apply to the processing of location data by information society services, even when such processing is performed via a public electronic communication network” (p. 9).

Even though this opinion does not assess web 2.0 geotagging technology (p.4), networking sites “enabling the (further) processing of location data” have the “important responsibility” to decide which default settings they offer to their users.

User consent

Telecom operators need to obtain prior consent of the user before using base station data, and the user must be informed about the terms of data processing (p.14). Also, because of the sensitivity of location data, information society services companies also must obtain prior consent from their customers before processing such data, which must be given “freely” pursuant to article 2(h) of the data protection Directive. However, a default setting allowing such processing “should not be mistaken for freely given consent” (p.14).

Data subject rights

Data subjects have the right not only to access their location data, but also the profile based on this data:

Data subjects have a right to obtain from the different controllers access to the location data they have collected from their smart mobile devices, as well as information on the purposes of the processing and the recipients or categories of recipients to whom the data are disclosed. The information must be provided in a human readable format, that is, in geographical locations, instead of abstract numbers of for example base stations.

Data subjects also have a right to access possible profiles based on these location data. If location information is stored, users should be allowed to update, rectify or erase this information.(p.18)


Leave a comment

Virtual World Operator’s COPPA Violations Result in a $3 Million Settlement with the FTC

The Federal Trade Commission announced a proposed settlement today with Playdom, Inc., a developer of online virtual world multi-player games, and an executive of the company. The $3 million settlement is the largest civil penalty imposed under the FTC’s COPPA Rule.

Continue reading


Leave a comment

The UK Information Commissioner’s Office Issues Guidance on New Cookie Regulation

The UK’s Information Commissioner’s Office  (“ICO”) published guidance today regarding complying with the amended regulations in the UK on the use of cookies.  The UK regulations were amended last week to comply with the 2009 amendments to the EU’s Privacy and Electronic Communications Directive (Directive 2009/136/EC),and go into effect on May 26, 2011. 

Continue reading


Leave a comment

FTC Settlements Demonstrate Need to Protect Employees’ Sensitive Information

Two recent settlements from companies that the FTC alleged failed to protect employees’ and business customers’ sensitive information highlights the FTC’s ongoing efforts to ensure that entities reasonably and appropriately protect sensitive information. According to the FTC, the entities involved in the recent settlement agreements claimed that they could provide other businesses with methods to protect and secure employees’ sensitive information.

For example, one of the entities—Ceridian Corporation—claimed that its security programs provided “Worry-free Safety and Reliability” and were designed in accordance with industry standards and best practices, and federal, state, and local requirements. Despite these promises, however, the FTC alleged that Ceridian did not adequately protect information from reasonably foreseeable attacks and stored personal information in an unsecured, unencrypted manner without a legitimate business need. According to the FTC, these lapses lead to a security breach that comprised approximately 28,000 employees of Ceridian’s business customers.

The other entity, Lookout Service, Inc., claimed that its security systems would keep data “reasonably secure from unauthorized access,” but did not take adequate measures to provide the promised security. The FTC’s complaint alleged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. Lookout experienced a data breach affecting the sensitive date, including Social Security numbers, of approximately 37,000 consumers.

The settlements require the companies to enact comprehensive information security programs and to obtain independent audits of the programs every other year for 20 years.