The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


FTC Brings Data Security Case Against Mobile Device Maker

The Federal Trade Commission announced today that it has settled charges that HTC America – a leading mobile hardware developer – failed to take appropriate steps to secure software it developed and installed on mobile devices running the Android and Windows operating systems.

The 8-page FTC complaint sets out a number of allegations regarding HTC’s security practices. According to the FTC, much of the conduct relates to HTC’s business decision to tweak or customize the operating systems installed in its devices. While this customization allowed HTC to differentiate itself from its rivals, it also created security vulnerabilities for consumers. The FTC alleges, among other things, that as a consequence of HTC’s actions millions of devices were left open to malware attacks, “all without the user’s knowledge or consent.” The complaint ultimately concludes that because of the “potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm.”

The consent order entered into by HTC requires the company to develop and implement a comprehensive data security program, and prohibits it from making any false or misleading statements about the security and privacy of consumers’ data on HTC devices going forward. HTC is also ordered to develop and ship software patches to affected consumers to fix software vulnerabilities – a cutting-edge remedy.

Also today, the FTC announced a public forum to take place on June 4th to discuss the consumer protection aspects of malware, viruses, and similar threats facing mobile device users.


In Step Towards Broader Self-Regulation, Facebook to Allow AdChoices Icon in Ads

Facebook has closed a major gap in the industry compliance puzzle by announcing that it will now adhere to a widespread notice-and-choice program for its advertising platform. The site will be adopting the Digital Advertising Alliance’s AdChoices program, meaning it will place the program’s blue-triangle icons onto ads served by its FBX ad exchange. The move will provide more transparency and an opt-out function for ads on the world’s most popular social networking site.

Transparency and uniformity in behaviorally targeted ads are what the Digital Advertising Alliance had in mind with its self-regulatory program. The program is intended in part to prove to the government that the advertising industry can be proactive about disclosing the consumer information that online advertisers store and use to target ads, and about allowing consumers to opt out on their own. Users can click on the “AdChoices” icon with its ubiquitous blue triangle, which takes them directly to the ad partner’s site, where they can see what information is being used to target ads and opt out.

The AdChoices program has two main advantages: broad-based industry usage and consistency from ad to ad and site to site. However, one industry publication described Facebook’s choice to go its own way as a “gaping hole” in the voluntary industry program. Facebook is the No. 2 most trafficked site on the web, and the No. 1 publisher of display ads in the U.S. Due to the data it possesses about its users, it has a unique ability to behaviorally target ads. Prior to adoption, Facebook’s interface took more steps than the DAA’s to reach more information and an opt-out button, including several clicks before the user was referred to the ad server’s site.

It should be noted that the AdChoices icon will not be displayed universally or in the fashion seen on other sites. The option will only appear on behaviorally targeted ads served through Facebook’s FBX platform. Clicking the “x” on other ads will lead to Facebook’s own information and opt-out screens. FBX partners who participate in the AdChoices program will be able to display the icon, but it will only show up once a user’s cursor hovers over the ad.

This announcement has several potential impacts for Facebook and for voluntary industry privacy programs. Facebook’s adoption of the icon and program should increase the visibility of both, even if the icon is not displayed as prominently on Facebook ads. It will also subject Facebook to increased accountability, in the form of compliance reviews and complaint resolution procedures by the Council of Better Business Bureaus and the Direct Marketing Association, which oversee the program. Finally, it should provide increased legitimacy to industry privacy programs by bringing one of the whales of online advertising in tune with the FTC’s privacy framework. In its final privacy report, the FTC mentioned the DAA’s program as a creative and practical consumer choice mechanism and part of significant industry progress toward its goal of a Do-Not-Track mechanism.


White House Administration Issues Highly Anticipated Cybersecurity Executive Order

As announced in his State of the Union address on February 12, 2013, President Obama issued an executive order directing federal departments and agencies to use their existing authorities to strengthen cybersecurity defenses. This follows months of congressional stalemate over cybersecurity legislation and recommendations from a number of politicians, including Senate Intelligence Chairwoman Dianne Feinstein, that the President circumvent Congress altogether to protect the country’s critical infrastructure.

Among its numerous provisions, the executive order directs the National Institute of Standards and Technology (NIST) to coordinate the development of a cybersecurity framework that includes a set of standards and procedures to address cyber risks. The order requires that voluntary consensus standards and industry best practices be incorporated to the extent possible. The White House anticipates the framework to be technology neutral and allow for critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards developed to address cyber risks.

Further, the order requires that the Department of Homeland Security (DHS) establish a voluntary critical infrastructure program to support the adoption of the cybersecurity framework by owners and operators of critical infrastructure. It tasks DHS, the Department of the Treasury, and the Commerce Department with separately making recommendations to the White House Administration on incentives that could be provided to owners and operators of critical infrastructure under existing laws and authorities, and with preparing a cost-benefit analysis of incentives that would require new legislation.

To accomplish these objectives, the executive order establishes the following deadlines:

DHS has 150 days to identify critical infrastructure at the greatest cyber risk. The order makes clear that commercial IT products cannot be designated as critical infrastructure at the greatest risk, which is an exception that industry members had sought in legislation.

NIST will have 240 days to publish a preliminary version of the cybersecurity framework and one year to publish a final version. In coordinating the development of the final cybersecurity framework, the order requires that NIST conduct an open public review and comment process and consult relevant federal agencies, owners and operators of critical infrastructure, and other stakeholders.

Within 90 days of the publication of the preliminary framework, designated federal agencies shall submit a report to the Administration that determines whether or not they have clear authority under current law to implement the framework in a way that would sufficiently address cyber risk, and whether additional authority would be required. If current regulatory requirements are deemed insufficient, the agencies shall propose further action to mitigate cyber risk.

In addition to this directive, President Obama underscored the urgency of comprehensive cybersecurity legislation in his State of the Union address:

“Now, we know hackers steal people’s identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy . . . [n]ow Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”


FTC Issues Mobile Privacy Staff Report

On February 1, the FTC released a 36-page staff report entitled “Mobile Privacy Disclosures: Building Trust Through Transparency.” The report followed a one-day FTC public workshop held last May to discuss mobile privacy issues. The staff report makes several policy recommendations. Many of these recommendations are consistent with the Commission’s policy regarding online privacy generally, such as offering a Do Not Track (DNT) mechanism for smartphone users. Other recommendations are more tailored to the mobile ecosystem. For example, the report discusses the privacy challenges of geolocation technology, as well as privacy notices on small screens.

The report identifies platforms such as Apple and Google, as well as smartphone app developers, as the major players in mobile privacy, and directs many of its key recommendations toward them. Platforms are encouraged to use their gatekeeper role between the consumer and an app developer to “provide just-in-time disclosures to consumers and obtain affirmative express consent before allowing apps to access sensitive content like geolocation.” Another recommendation calls for platforms to consider a “privacy dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded. App developers are encouraged to adopt privacy policies that are easily accessible through the relevant platform’s app store.

In prepared remarks, FTC Chairman Leibowitz described the report as a useful input into an ongoing effort to address the privacy issues raised by the mobile revolution. In this context, he applauded the ongoing efforts of some platforms and app developer trade associations to self-regulate, and also referenced the Department of Commerce-led multi-stakeholder process “to develop a code of conduct on mobile transparency.”

Reps. Barton and Markey – who co-chair the bipartisan House Privacy Caucus – welcomed the FTC report in a joint release. The release states “[t]he FTC is correct to point out that more must be done to protect the privacy of mobile device users.” Rep. Markey introduced the Mobile Device Privacy Act in the last Congress.

The Association for Competitive Technology (ACT), which represents smaller app developers, also welcomed the FTC report – with two wrinkles. According to the ACT, the FTC recommendation that platforms take on a gatekeeper role for app privacy “could actually backfire” since “stores may opt to do less or no privacy scanning of apps if they perceive a liability risk created by this report.” “Additionally,” according to the ACT, “the report relies on a technology snapshot and may not represent where the industry appears to be headed: offering better consumer controls and data isolation.”