Apple, Facebook, Twitter: Mobile App Development Leads to Hacking?


Watering Holes and Spear Phishing

From AllThingsD:

“A ‘watering hole’ attack, in that it’s launched from a centralized, popular location that many people visit across multiple industries.”

Twitter reports at least 250,000 accounts affected. The attack reportedly originated in Eastern Europe:

Executive Order – Improving Critical Infrastructure Cybersecurity

The White House issued a press release on February 12, 2013 that included the President’s Executive Order on cybersecurity. The Order is the administration’s initiative to work “in partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”


This Executive Order fills something of a void left by orphaned Congressional proposals. Earlier legislative proposals were criticized as not going far enough to protect consumers’ privacy interests (data collection issues); other proposals were criticized as being too heavy-handed on the so-called critical infrastructure entities (requiring utilities and transportation/shipping companies to share data). The Order specifically cites “critical infrastructure” without specifically defining what or who is included in that group. Commentators believe the initiative will affect a great deal of economic activity, not to mention the broadest possible spectrum of relevant technologies. The Order also incorporates the FIPPs – Fair Information Privacy Principles, a set of eight principles rooted in the tenets of the Privacy Act of 1974.

The National Institute of Standards and Technology (NIST) has already instituted a new cybersecurity framework in conjunction with the Order. This is a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that NIST says are vital to the nation’s economy, security and daily life.

For further comments, see:

And, see renewed Congressional effort: the President’s Executive “order allows the sharing of government data with the private sector, the data sharing doesn’t flow back the other way. That means the order, unlike CISPA, doesn’t raise the hackles of privacy groups that have protested that CISPA could grant immunity to private sector firms who want to share their users’ personal information with the government.” CISPA is the Cyber Intelligence Sharing and Protection Act; the legislation passed the House last year but did not reach a vote in the Senate.

For further details:

See also:,2817,2415413,00.asp

California Supreme Court Finds That Apple Is Not Prohibited From Obtaining Personal Identification Information for Online Purchases

Court Makes a Distinction between Brick-and-Mortar and Online Transactions

by Peggy Reetz

On February 4, 2013, the Supreme Court of California issued its decision in the Apple v. Krescent case. In June 2011, David Krescent (the original plaintiff) sued Apple on behalf of himself and a putative class, alleging violations of California’s credit card act (the Song-Beverly Credit Card Act). The Act prohibits retailers from requesting or requiring, as a condition of accepting a credit card as payment, that the cardholder write any personal identification information on the credit card transaction form; and the Act prohibits retailers from writing the personal information on the transaction form themselves.

Krescent alleged that he purchased media downloads from Apple on various occasions and that, as a condition of receiving these downloads, he was required to provide his telephone number and address.  Krescent also alleged that Apple records each customer’s personal information but Apple is not required to collect a customer’s telephone number or address in order to complete the credit card transaction.  Even if a credit card processing company requires a valid billing address, under no circumstances would a customer’s telephone number be required to complete the transaction, Mr. Krescent argued.

Apple filed a demurrer arguing that the Credit Card Act does not apply to online transactions and also argued that a decision otherwise would undermine identity theft and fraud prevention measures.  The trial court overruled the demurrer – “the Act itself is silent on exempting online credit card transactions… [the Court is] not prepared, at the pleading stage, to read the [Credit Card] Act as completely exempting online credit transactions…”

The Supreme Court reviewed various exceptions to the prohibition on collecting personal data: cash advances, contractual obligations, fraud/theft prevention (such as collecting ZIP codes at a self-serve gas station), and special purposes like shipping or installation. The Court noted that the Act does not prohibit requiring a cardholder to show a reasonable form of ID as a condition of accepting credit card payments.

The Court noted that the Act makes no reference to online transactions, or even the Internet (having been enacted in 1990). The Court stated that the text of the Act alone is not decisive. At the time the language was enacted, the Legislature did not contemplate commercial transactions over the Internet. The Court reviewed California appellate cases that dealt with whether shield laws apply to digital media, or whether an electronic signature was appropriate for an initiative petition. But, rather than analogizing too closely to the “new media” versus “old media” cases, the Court returned to the history and purpose of the Credit Card Act.

While the Act is intended to protect consumer privacy, the Legislature did not intend to achieve privacy goals without regard to the risk of fraud. The Court reasoned that the fraud safeguards available to a brick-and-mortar retailer (the shopkeeper can inspect the signature, photo ID, etc.) are not available to an online retailer. The Court ruled that the key antifraud provision in the Act has no practical application to online transactions involving electronically downloadable products. Krescent conceded that Apple may need a valid billing address, if not a telephone number, to verify the credit card. The Court believed the Legislature expressly authorized retailers to request additional information (a driver’s license, state ID card, or other form of photo ID) in order to combat fraud.

In that regard, the Court found it appropriate for Apple to collect such information to combat fraud (disagreeing with one of the dissenting justices, the majority found that the legislative history addresses the concern that there be some mechanism for verifying a cardholder’s identity). Ultimately, the majority found that the Act did not apply to online transactions. The Court had to reconcile these findings with its earlier decision in Pineda v. Williams-Sonoma, which found that ZIP codes constitute personal identification information. The Court noted that the Legislature subsequently carved out exceptions for the collection of ZIP codes when used for fraud prevention purposes (pay-at-the-pump transactions, for instance).

Finally, the Court noted that the California Legislature has weighed the goals of regulating online privacy against concerns unique to online commerce. COPPA, the California Online Privacy Protection Act of 2003, requires online services or Web site operators to post privacy policies and requires those policies to address which categories of information the operator may collect. The Court also cited the TCPA, stating that federal law likewise is intended to protect the privacy interests of consumers (the do-not-call registry and the like). The Court closed the decision with a recitation of how significant e-commerce has become since the enactment of these statutes and invited the Legislature to revisit the issue of consumer privacy and fraud prevention in online transactions (just as the Legislature did in response to the Pineda decision).

The decision is at:

FTC Issues Report on Ways to Improve Mobile App Disclosures

The report, issued February 1st, provides recommendations for the mobile marketplace, including operating system providers such as Amazon, Apple, BlackBerry, Google and Microsoft. The report also addresses application developers, advertising networks, analytics companies and app developer trade associations. The report notes that in the fourth quarter of 2012, consumers worldwide bought approximately 217 million smartphones. Given such widespread use of the technology, the FTC staff observes that unprecedented amounts of data are being collected. The FTC offers several suggestions for the “major participants” to improve mobile privacy disclosures. The report recommends that mobile platforms should:

- Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;

- Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content;

- Consider developing a one-stop “dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded;

- Consider developing icons to depict the transmission of user data;

- Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;

- Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores; and

- Consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.

App developers should:

- Have a privacy policy and make sure it is easily accessible through the app stores;

- Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);

- Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so the app developers can better understand the software they are using and, in turn, provide accurate disclosures to consumers. For example, app developers often integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used;

- Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.

Advertising networks and other third parties should:

- Communicate with app developers so that the developers can provide truthful disclosures to consumers;

- Work with platforms to ensure effective implementation of DNT for mobile.

App developer trade associations, along with academics, usability experts and privacy researchers can:

- Develop short-form disclosures for app developers;

- Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps;

- Educate app developers on privacy issues.

The FTC also introduces Mobile App Developers: Start with Security, a new business guide that encourages developers to aim for reasonable data security and to evaluate the app ecosystem before development, and that includes tips such as making someone responsible for data security and taking stock of the data collected and maintained.

The FTC also announced a settlement with the operator of the Path social networking app. The FTC alleged that the app deceived users by collecting personal information from their mobile device address books without their knowledge or consent. The settlement requires Path to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. The company also agreed to pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent.

See update from NYT — loophole allows Path to share location data even when a user has turned off location: