The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False

“Before u send any photo, msg or video, consider how u would feel if it reached a broader audience than you intend”, the FTC tweeted today after announcing a settlement with Snapchat, a popular messaging app that promised its users that their messages disappeared once expired.  Users are able to take photos, record videos, add text and drawings, known as snaps, and send them to a controlled list of recipients. Users also set a time limit for how long recipients can view their snaps (up to 10 seconds), and Snapchat claimed that after the time limit expired, the snaps would “disappear”.  However, the Commission alleged the snaps can be saved in several ways, such as using a third-party app or taking screenshots of snaps, without detection.

The FTC also alleged that Snapchat misled consumers about how much personal information was collected and the security measures in place to protect such information through its Find Friends feature.  For example, the app transmitted users’ location information and collected data like address book contacts, despite stating that it did not collect such information.  Further, the Commission charged that Snapchat’s failure to secure this feature resulted in a security breach that allowed hackers to compile a database of 4.6 million Snapchat usernames and phone numbers.

According to the New York Times, in response to the announcement the company stated “While we were focused on building, some things didn’t get the attention they could have,” and added: “Even before today’s consent decree was announced, we had resolved most of those concerns over the past year by improving the wording of our privacy policy, app description, and in-app just-in-time notifications. And we continue to invest heavily in security and countermeasures to prevent abuse.”

The settlement prohibits Snapchat from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information.  Snapchat is also required to implement and maintain a comprehensive privacy program for the next 20 years.  The Commission stated that the settlement with Snapchat is part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers.

Leave a comment

PCI Council Releases Version 3.0

Last week, the PCI Council released version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS).  This most recent version is intended to help “make payment security part of their business-as-usual activities” by introducing more flexibility.  Proposed changes for version 3.0 were released in August.

Overall updates to the standards include recommendations for making PCI DSS part of every day business processes, best practices for maintaining PCI DSS compliance, additional guidance built into the standard, and enhanced testing procedures.  Several new requirements were added as well, including:

  • 5.1.2 – evaluate evolving malware threats for any systems not considered to be commonly affected
  • 8.2.3 – combine minimum password complexity and strength requirements into one
  • 8.6 – where other authentication mechanisms like tokens, smart cards, certificates, etc., are used, these mechanisms must be linked to an individual account and ensure only the intended user can gain access
  • 9.3 – control physical access to sensitive areas for onsite personnel
  • 11.5.1 – implement a process to respond to alerts generated by the change-detection mechanism
  • 12.8.5 – maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity

Best practices were also added, which will become requirements on July 1, 2015:

  • 8.5.1 – use unique authentication credentials for each customer for service providers with remote access to customer premises
  • 9.9 – protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
  • 11.3 and 11.3.4 – implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective
  • 12.9 – for service providers, provide the written, agreement or acknowledgment to their customers as specified by 12.8.2.

Revisions to the PA-DSS include new requirements that payment application developers to verify the integrity of source code during the development process, that vendors incorporate risk assessment techniques into their software development process, and that applicable vendor personnel receive information security training at least annually.

Version 3.0 becomes effective January 1, 2014.  Version 2.0 remain in use until the end of 2014 to give organizations time to make the transition to the revised standards.

1 Comment

PCI Council Highlights Changes to PCI DSS and PA-DSS

The PCI Council has announced expected changes to the PCI DSS and PA-DSS standards for the upcoming 3.0 release in November.  Key focus areas include the lack of education and awareness; weak passwords and authentication challenges; third party security challenges; slow self-detection in response to malware and other threats; and inconsistency in assessments.

While the updates are still under review by the PCI community, proposed updates include:

  • Recommendations on making PCI DSS business-as-usual and best practices for maintaining PCI DSS compliance
  • Security policy and operational procedures built into each requirement
  • Guidance for all requirements with content from the Navigating PCI DSS Guide
  • Flexibility and education regarding password strength and complexity
  • Requirements for point-of-sale terminal security
  • Requirements for penetration testing and validating segmentation
  • Considerations for cardholder data contained in memory
  • Enhanced testing procedures to clarify the level of validation expected
  • Expanded software development lifecycle security requirements for PA-DSS vendors, including threat modeling.

Final changes to the standards will be determined after PCI Community Meetings and published in November.  Registration for the 2013 Community Meetings is available here.  Additionally, the Council will host a webinar series to outline the proposed changes; registration available here.  PCI DSS and PA-DSS 3.0 will become effective on January 1, 2014.

Leave a comment

FTC Calls for Comments on COPPA Parental Consent Verification Method

Yesterday the Federal Trade Commission issued a call for public comment on a proposed method of verification of parental consent submitted by AssertID.  The revised COPPA rule recently went into effect on July 1, and invited companies to submit new methods of verifying parental consent for FTC approval.  The FTC in particular is looking for comments regarding whether the proposed verification mechanism is already covered by the existing methods in the rule and whether it meets the rule’s requirements that the method be reasonably calculated to ensure that the person providing consent is actually the child’s parent.  The comment period will last until September 20, 2013.

The Federal Register Notice can be found here.

Leave a comment

FTC Settles First FCRA Charges with Mobile App Developer

On January 10, the Federal Trade Commission (FTC) announced a settlement with app developer Filiquarian Publishing, LLC, that compiled and sold criminal records.  The FTC alleged that the developer operated as a consumer reporting agency without complying with the consumer protection measures required under the Fair Credit Reporting Act (FCRA).  This settlement was the first FCRA enforcement action against a mobile app developer.

According to the FTC’s blog post, even though the developer included disclaimers on its website that the background screening reports weren’t to be considered screening products for insurance, employment, loans, and credit applications, and that they weren’t FCRA-compliant, these disclaimers didn’t mean much to the FTC since the developer’s ads expressly urged consumers to use the app to screen potential employees.  “Just saying that the info can’t be used for FCRA purposes doesn’t absolve a company from liability”.

The blog post also notes that a warning letter was previously sent to 6 app developers last year, warning them that if they suspected their reports were being used for employment purposes, then they needed to comply with the FCRA.  “This is true even if you have a disclaimer on your website indicating that your reports should not be used for employment or other FCRA purposes.”

So what’s the take away?  According to the blog post, it’s that regardless of the technology involved, if a company offers background reports for employment or other FCRA purposes, then they must comply with the FCRA.  Another takeaway: “It’s wise to pay attention to what the FTC says in warning letters to other companies.”

Leave a comment

Apps Privacy Act Proposed

Yesterday, Rep. Hank Johnson (D-GA) released a discussion draft of the Application Privacy, Protection and Security Act of 2013, or the APPS Act.  The Apps Act would require apps to give consumers prior notice about what data it collects and how it will be used, stored and shared, as well as obtain consent to such collection terms. It would also require the app to allow users to opt out of the service and delete personal data collected by the app.  Violations of the Apps Act would be enforced by the Federal Trade Commission.

Public input is sought on the bill via, a Web-based legislative project launched last year to solicit ideas from the public for ways the federal government could better protect app users’ rights.

As this article notes, privacy policies can be difficult to address on mobile devices given the small screen and the limited amount of time users typically are willing to spend to figure them out.  Interestingly, the Department of Commerce’s National Telecommunications & Information Administration (NTIA) also held its first Multistakeholder Meeting to Develop Consumer Data Privacy Code of Conduct Concerning Mobile Application Transparency yesterday.   The goal of these meetings is “an open, transparent, consensus-driven process to develop a code of conduct regarding mobile application transparency.”  The next of these meetings is scheduled for January 31, 2013.

Leave a comment

FTC Releases Report on Use of Facial Recognition Technology

On October 22, the FTC released its report regarding best practices in using facial recognition technology.  The report, entitled “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies,” is intended to address privacy concerns associated with the growing use of facial recognition technology, by helping companies that use and develop these technologies protect consumers’ privacy as they create and market new products and services.  The report was developed after the FTC hosted a workshop in December of 2011 on facial recognition technology and received public comments on the issue.

The report recommends that companies using facial recognition technologies (1) design the products or services with privacy in mind; (2) develop reasonable security protections for the information collected through the use of such technologies, and maintain procedures for determining when to keep collected information or destroy it; and (3) keep the sensitivity of the information collected in mind when developing facial recognition technologies.  For example, the FTC noted that digital signs using such technology should not be used in places where children gather.

The report also recommends that companies provide clear notice of the use of facial recognition technologies when consumers come into contact with them, both on and offline, and give consumers a choice as to whether data is collected about them.  For example, in the social networking space, the report recommends that the site give consumers clear notice of the use of facial recognition technologies (outside of a privacy policy), and provide users the ability to turn off the facial recognition feature at any time and have their biometric data collection from previous photos and videos permanently deleted.

Finally, the report recommends that companies obtain affirmative consent from consumers before collecting or using biometric data in at least two instances – first, before using consumers’ images or biometric data in a manner different than what the company previously represented to such consumers, and second, before identifying anonymous images of a person to a third part who could not have otherwise identified such person without their consent, such as identifying users to other users who are not their “friends” on a social networking site.

Interestingly, Commissioner J. Thomas Rosch issued a dissenting statement with the report, stating that the report “goes too far, too soon.”  The FTC voted 4-1 to release the report.

Leave a comment

California Legislature Passes Location Privacy Act

Yesterday, the California legislature passed the Location Privacy Act of 2012 (SB-1434) (the "Act).  The Act requires law enforcement to obtain search warrants before gathering GPS or other location-related data from a suspect’s cell phone that it may be transmitting.  The Act is now waiting signature by Governor Jerry Brown; however, he vetoed similar legislation last year.

The Act was sponsored by Sen. Leno (D-San Francisco), and supported by the ACLU of California and the Electronic Frontier Foundation.  The subject of warrantless GPS tracking continues to be a hot topic nationally.  Last week, the Sixth Circuit ruled that law enforcement can track the GPS signal coming from a suspect’s prepaid cell phone without a warrant in United States v. Skinner, No. 09-6497 (6th Cir. Aug. 14, 2012) .  In issuing the decision, the Court stated that "[t]here is no Fourth Amendment violation because Skinner did not have a reasonable expectation of privacy in the data given off by his voluntarily procured pay-as-you-go cell phone."

The California Senate also passed another privacy related bill earlier this week, which would prohibit colleges and universities from requiring access to students’ social media accounts.  The bill also moves to the Governor’s desk for signature.  A similar bill pending in the Assembly would provide similar protection to employees and job applicants as well.

Leave a comment

CFPB Announces Supervision of Credit Reporting Agencies

Monday, the Consumer Financial Protection Bureau ("CFPB") announced that it would begin to supervise credit reporting agencies.  According to the CFPB, this is the first time the consumer reporting agencies will be subject to a federal supervision program.  Formal supervision will start September 30, and on-site examinations will begin after that date.

According to the New York Times, the CFPB will oversee and make rules to cover about 30 credit reporting companies, which represent 94% of the $4 billion credit reporting market.  The CFPB’s supervision and rules will not only apply to the "big three" credit reporting agencies, Experian, Equifax, and TransUnion, but also to those with more than $7 million in annual revenue.

The CFPB also posted a list of consumer reporting agencies, which consists of companies that have identified themselves as consumer reporting companies or provide consumers access to their credit reports.  The CFPB made the announcement as part of it attempts to define the "larger participants" among consumer financial companies as part of its Dodd-Frank supervision authority.

Director Cordray’s full remarks are available here.  The CFPB also released a consumer advisory on checking credit scores.

Leave a comment

House Passes CISPA

Last week, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA).  CISPA would authorize Internet service providers and other companies to share customer communications and other personal information with governmental agencies.  The intent of the bill is to enhance information sharing for data security purposes, however, many organizations such as the Center for Democracy and Technology and the ACLU strongly oppose the bill, and President Obama has threatened to veto it.

Critics of CISPA state that the bill is overbroad and does not contain appropriate privacy, confidentiality or civil liberties safeguards.  According to the White House’s statement, "the bill would allow broad sharing of information with governmental entities without establishing requirements for both industry and the Government to minimize and protect personally identifiable information."  For example, CISPA could allow companies to give email communications to the government with no judicial oversight if the emails contained cyber threat information.  Supporters argue that this information sharing is necessary in order to prevent cyber attacks.  Initially internet companies appeared to have supported the bill, although this week Mozilla announced its opposition to the bill and Microsoft has expressed concern over the bill’s impact on personal privacy.

In addition to privacy concerns, an interesting article on Slate had another take on CISPA – that it will effectively overwhelm the government with more data than it can handle, noting that "analyzing the world’s data to identify potential cyberthreats has gone from difficult to impossible.  The volume of digital information has become far too large." 

CISPA now moves to the Senate for consideration, where it will compete with at least two other cyber security bills.