Biometric Data: Watching the Watchers

As Illinois and other jurisdictions seek limitations, those limits get tested.

In 2008, the Illinois legislature passed the Illinois Biometric Information Privacy Act (BIPA).  The Act requires entities to develop written policies, made available to the public, which establish a retention schedule and guidelines for permanently destroying identifiers.  Private entities that collect, capture, purchase, receive or otherwise obtain a biometric identifier or information must inform the subject in writing, inform the subject of the purpose and length of time the data will be stored, and receive a written release.  As of 2018, there were in excess of twenty-five actions filed in Cook County Circuit Court (Illinois) with other litigation pending in federal courts in Illinois, California and one case on remand from the Second Circuit, where Plaintiffs have alleged violations of BIPA.

See link to discussion of these cases and status of challenges to use of biometric data in commercial settings.

-Biometric Data: Watching the Watchers

Happy Bicentennial, Illinois!

Eighteen-eighteen saw your founding, Illinois, Illinois,

And your progress is unbounding, Illinois, Illinois…

Illinois State Song

200 YEARS AGO, ON DECEMBER 3, 1818, ILLINOIS BECAME THE 21ST STATE IN THE UNION.  

Class Action Filed Against Chrysler Following “Hack” of Jeep Cherokee

 Connected Cars Present Safety, Security and Privacy Challenges

The Connected Car

On August 4, 2015, Plaintiffs filed a class action against Chrysler and Harman International following a recent story in Wired Magazine that detailed how researchers were able to take control of a Jeep Cherokee via the vehicle’s uConnect system.  The suit essentially argues that these vehicles have a design defect: programs pre-loaded onto the vehicle have been shown to be insecure and create security and safety vulnerabilities for owners and passengers.  Plaintiffs Brian Flynn and George and Kelly Brown filed suit, in the U.S. District Court for the Southern District of Illinois, on behalf of themselves and a putative class (Case 3:15-cv-00855).  The complaint alleges violations of the federal statute on warranties for consumer products (Magnuson-Moss), breach of implied warranty of merchantability, fraud, negligence, unjust enrichment, violations of the Illinois deceptive business practices act, fraudulent concealment/fraud by omission, and violations of the Missouri merchandising practices act.  Plaintiffs allege that the uConnect system is always connected to the Internet (via 3G cellular data) and that, even if a vehicle owner chooses not to use any Internet-related services, there is no way to disable the cellular connectivity.  Plaintiffs argue that the vehicles are defectively designed in that essential engine and safety functionality is connected to the insecure uConnect system.  Plaintiffs allege “malicious hackers could broadcast harmful signals over radio waves causing a security and safety related crisis as a large number of vehicles all fail simultaneously.”  The system allegedly is also accessible through the vehicles’ USB port, allowing anyone with access to the vehicle to load malicious software onto the system, which would spread to critical functions.  Plaintiffs argue that the uConnect system should be segregated from the other critical systems.

Plaintiffs argue that software updates are only remedial fixes: now that the capability to affect powertrain and safety functionality has been shown, hackers will find new vulnerabilities to exploit.  Plaintiffs argue that a recall is deficient as the vehicles designed this way will never be safe or secure.

The plaintiffs have not alleged that any of them have actually experienced a “system” failure or intercept.  The plaintiffs seek damages, of course, but not tied specifically to any statutory violation.  Also, plaintiffs seek a court order to monitor any recall program or remedial measure.

Plaintiffs appear to be trying to get out in front of potential arguments that a particular car manufacturer may make and that Tesla, for instance, is trying to address.  In Tesla’s case, it would likely argue that because Tesla is so “wired,” to borrow a phrase, the over-the-air updates are meant to identify and patch any vulnerabilities. Every three months every Tesla car receives automated software upgrades.

[See story at: http://www.npr.org/sections/alltechconsidered/2015/08/06/429907506/tesla-model-s-can-be-hacked-and-fixed-which-is-the-real-news ]

However, Congress is likely to cast another critical eye on these issues.  Senators Ed Markey and Richard Blumenthal have introduced the Security and Privacy in Your Car Act (“SPY Act”) which would require automobile manufacturers to build IT security standards into connected cars.  Blumenthal has commented that the “same kind of advances in technology that can bring enormous benefits of wireless connections can also guarantee our privacy and security.”  If the bill were to become law, it would instruct the National Highway Traffic Safety Administration and the Federal Trade Commission to create IT security and privacy standards for vehicle electronics and associated in-vehicle networks.  Part of the effort, as illustrated by the Flynn allegations above, is to require that critical navigation systems be isolated from access points and to attempt to stop hacking incidents in “real-time.”  Another feature of the proposed legislation, which is not something the Flynn plaintiffs highlighted or alleged, is its treatment of privacy issues.  The legislators are focusing on the collection of data associated with these systems.  The legislation would prevent driving data from being used for advertising or marketing purposes (unless the owner “opts-in” for such use).

Not-So-Cyber Monday

Or, is it just a mobile smoothing?

Retailers are reporting that the Black Friday shopping events and the historic Cyber Monday follow up event may be on the decline.  This does not necessarily signal an overall decline in holiday season shopping trends but a shift in the habits and tools utilized by shoppers.  A retail consulting firm is publishing fresh results from the 2014 holiday shopping “opening weekend:”

Online shopping was up almost 20% in Thanksgiving 2014 compared to Thanksgiving 2013, driven by mobile shopping and promotions.
Despite this growth, Thanksgiving – contrary to some predictions – is nowhere near Black Friday or Cyber Monday in terms of online shopping. Revenue on Black Friday 2013 was almost 2.5X higher than Thanksgiving 2014, and revenue on Cyber Monday was three times as high.

http://blog.custora.com/2014/11/turkey-football-and-online-shopping-the-stars-of-thanksgiving-2014/

http://www.siliconbeat.com/2014/12/01/cyber-monday-may-be-fading/

Krebs On Security advises shoppers to be wary of online phantom stores.  He warns that it is not uncommon for bargain basement, phantom Web sites to materialize during the holiday season.  https://krebsonsecurity.com/2014/11/black-friday-cyber-monday-for-crooks-too/

Meanwhile, the cyber event reporting from the weekend so far is that the Syrian Electronic Army “hacked” some pop-up ads for retailers over the Thanksgiving weekend but no consumer account or personally identifiable information was affected – instead of seeing ads, the SEA logo was substituted on Web sites for Forbes, The Chicago Tribune, CNBC, PC World, the NHL and Canadian broadcaster CBC.  It’s believed that the SEA’s route of attack was through the popular commenting platform Gigya.

http://www.digitaltrends.com/web/syrian-electronic-army-celebrates-thanksgiving-widespread-ad-hack/

Once Again, California…on Privacy, Do Not Track

AG Kamala Harris Issues Guide on Privacy Policies/Do-Not-Track Disclosures

In a press release issued May 21, 2014, the Attorney General for California, Kamala Harris, issued a series of recommendations for businesses that address changes to California privacy law.  Key recommendations include:

  • Prominent labeling for sections dealing with online tracking, e.g., “California Do Not Track Disclosures”
  • Describe how you respond to a browser’s Do Not Track signal (or similar mechanisms)
  • Are third parties collecting personally identifiable information?  If yes, say so
  • Explain uses of personally identifiable information
  • Describe what you collect, how you use it, how long you retain it
  • Describe choices the consumer has regarding use/sharing of PII
  • Use plain language – use graphics/icons

The guide includes summaries of relevant CA statutes (CalOPPA – broad requirement for privacy policies; AB 370 – tracking transparency).  And, while there are no new regulations or enforcement mechanisms provided in the “guide,” obviously, entities doing business in California, and those entities previously under scrutiny by the AG (e.g., Amazon, Apple, Facebook, etc.) will likely pay close attention to ensure compliance.  The guide is called Making Your Privacy Practices Public (file: making_your_privacy_practices_public.pdf).

Data and Security – Balancing Use and Oversight

Using Anonymous Patient Data 

The Washington Post reports on the developments of PCORI – the Patient-Centered Outcomes Research Institute.  This was part of the move to get better information, data, out of the electronic health records initiative funded and spelled out in the Affordable Care Act.  The anonymized or de-identified data is supposed to help clinicians draw some meaningful conclusions from the vast wealth of information gathered by physicians, researchers, hospitals, insurers and the pharmaceutical industry.  The PCORI network is supposed to identify patients who could be invited to join clinical trials.  The new national patient network will comprise eleven sub-networks, drawing on records from participating organizations.  Of importance to the privacy watchdogs is that the participating organization retains all of the personally identifiable information and only the aggregated data is submitted for use in a research project.

Go to: http://www.washingtonpost.com/national/health-science/scientists-embark-on-unprecedented-effort-to-connect-millions-of-patient-medical-records/2014/04/15/ea7c966a-b12e-11e3-9627-c65021d6d572_print.html


The FTC Can Seek to Enjoin

In other news, the FTC overcame some question of its authority to police data breach incidents, in this case data specifically involving consumer payment card account numbers.  In the FTC v. Wyndham Worldwide Corporation matter, Wyndham hotels challenged the FTC’s authority to bring suit for injunctive relief following three breach incidents.  The FTC had alleged in its suit that Wyndham had failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access, collection and use that “has caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses.”  The FTC had alleged that after discovering the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [its] network.”  Accordingly, the FTC sought a permanent injunction against Wyndham, presumably then to enter into some kind of agreement to correct such practices.  Wyndham argued that the FTC overstepped its authority and moved to dismiss the complaint, arguing that the FTC’s “unfairness authority” did not cover data security and arguing that the FTC needs to publish regulations before filing an unfairness claim in federal court.  The US District Court for the District of New Jersey declined to “carve out a data-security exception to the FTC’s authority.”  Wyndham had tried to get the Court to analogize this situation to the tobacco industry cases (where the FDA had denied authority over tobacco).  Instead, the District Court noted the FTC had never disavowed its authority over unfair practices related to data security.

Wyndham also challenged the FTC’s deception claim.  The FTC cited the Defendants’ privacy policy and alleged that the Defendants did not implement reasonable and appropriate measures to protect personal information from unauthorized access.  The FTC argued that the privacy policy representations therefore were false or misleading and constituted deceptive practices.  Wyndham argued that the FTC failed to meet a higher burden when alleging unlawful deception.  The Court rejected Wyndham’s arguments finding that a reasonable customer would have understood that the policy makes statements about data-security practices at the hotels, to the extent that the hotels control personally identifiable information.

There are other issues to be resolved in the sphere of enforcement and oversight of similar data breaches.  The injunction route can be fraught with technical issues and issues regarding how best to tailor oversight of an entity’s practices and promises.  However, for now, the FTC has asserted its authority in an important way, and some commentators believe this will embolden the FTC to bring additional enforcement actions.  More than likely, the FTC will scrutinize those incidents that involve significant security lapses and/or some significant financial impact on consumers.

See FTC v. Wyndham Worldwide, Case 2:13-cv-01887-ES-JAD, Filed 04/07/14

Copy of case at: http://image.exct.net/lib/fefd167774640c/d/1/4.8%20Alert%20Wyndham%20Opinion.pdf

 

Report on Healthcare – Increase in Threats

IoT and Healthcare

A whitepaper released by SANS Analyst Program (sponsored by Norse) predicts an increase in risks to healthcare systems and data given “more open exchanges of health care information between patients, insurers, doctors and pharmacists.”  The report subtitled “Widespread Compromises Detected, Compliance Nightmare on Horizon,” describes results from another SANS report, “Biggest Culprits: Internet of Things and Security Devices,” which concluded that since the healthcare and pharmaceutical sectors will employ more devices, the threats are greater.

Specifically, the SANS analysis showed that the healthcare system’s critical information systems are poorly protected and often compromised.  These issues affected radiology imaging software, video conferencing systems, digital video systems, call contact software, security systems and devices, including VPNs, firewalls and routers.  The report’s author warns: “As compared to traditional IT systems, incidents involving Things, such as a hacked MRI machine, can carry physical consequences, as well as policy and financial impacts.”

Notable Devices/Applications:

  • Connected medical endpoints (examples: online health monitoring to radiology devices to video-oriented services);
  • Internet facing personal health data (example: web-based call center for medical supply entity);
  • Security systems and edge devices (example: enterprise network controllers).

The report details the findings of a study that reviewed the largest sources of malicious traffic.

To get a copy of the report, go to: http://norse-corp.com

Reports of ‘Safe Harbor’ Demise are Premature?

Brill addresses Issues at IAPP Data Protection Congress in Brussels

FTC Commissioner Julie Brill delivered remarks at the IAPP Data Protection Congress in Brussels today along with one of the EU’s Commissioners, Constantijn van Orange-Nassau.  Commissioner Brill acknowledged some of the criticism being leveled at the U.S.-EU Safe Harbor Data Protection process in light of revelations from the Edward Snowden-NSA so-called spying scandal.  Snowden’s disclosures included copies of PowerPoint presentation slides identifying the NSA’s PRISM program, which reportedly allowed the NSA to gain access to the private communications of users of nine popular Internet services (including Google, Yahoo!, Facebook, Microsoft and others).  The Safe Harbor framework is supposed to allow for the transfer of such personal data in compliance with the EU Data Protection Directive.  The FTC is responsible for compliance enforcement, once an entity self-reports to the U.S. Department of Commerce.

As a result of the revelations, certain EU principals began to question the efficacy of the terms of transferring data between U.S. and EU entities, via the Safe Harbor program.  See remarks from Vice President Reding as of July 2013:

http://europa.eu/rapid/press-release_MEMO-13-710_en.htm

–“PRISM has been a wake-up call. The data protection reform is Europe’s answer.”

–“The Safe Harbour agreement may not be so safe after all.”

Now, Commissioner Brill acknowledges the issue and responds, in part:

–“[Safe Harbor is a] very effective tool for protecting the privacy of EU consumers … the FTC has vigorously enforced the Safe Harbor.”

–“We’ve taken the initiative to look for Safe Harbor violations in every single privacy and data security investigation we conduct. That’s how we discovered the Safe Harbor violations of Facebook, Google and Myspace.”

–“[Safe Harbor has] received its share of criticism in large part due to revelations about government surveillance. There’s no doubt that has created tensions in the transatlantic partnership.”

Commissioner Brill likewise took to Twitter to drive home the point:  “Safe Harbor is strong – can help make it strong; increase transparency; make ADR more affordable; strengthen accountability #dpcongress”

See article at:

https://www.privacyassociation.org/publications/eu_u.s._officials_indicate_potential_privacy_agreement_at_data_protection_c

Her EU colleague took the opportunity to outline what should be the focus for these cross-Atlantic partnerships: 1) a standard commitment to Privacy by Design; 2) any Big Data applications that might put fundamental rights at risk should have a privacy impact assessment required; 3) consent is a cornerstone of data protection; and, 4) there needs to be a commitment to de-identification.

Brill, for her part, Tweeted a photo of the two privacy regulators engaged in conversation; apparently, doing some one-on-one diplomacy to try to calm these choppy waters!

DNTK – Do Not Track Kids – Proposed Legislation

No real eraser button?

Senator Ed Markey (D-Mass.) has introduced a bill to amend the Children’s Online Privacy Protection Act of 1998 to “extend, enhance, and revise the provisions relating to the collection, use and disclosure of personal information of children, to establish certain other protections for personal information of children and minors, and for other purposes.”  In the Findings included in the Bill, the proponents note that a Wall Street Journal study (2010) found that websites directed to children and teens were more likely to use cookies and other tracking tools than sites directed to a general audience.  The legislation is aimed at prohibiting “operators” (including mobile apps) from collecting personal information, including location data, from children ages fifteen and younger without that person’s permission (guardian permission already required under COPPA for minors 12 and under).

A Republican sponsor, Rep. Joe Barton (R-Tex.) says that “It is important that our teenagers receive protections.  They are prone to mistakes; we need to make sure those mistakes aren’t exploited online.”

http://www.markey.senate.gov/documents/2013-11-14_Markey_DNTK.pd

Meanwhile, California also just passed the online “eraser” law.  California SB 568 requires “the operator of an Internet Web site, online service, online application, or mobile application to permit a minor who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted”.  The law kicks in on January 1st.   It also prohibits websites from targeting minors with products like e-cigarettes and tattoos.

Despite the DNTK proposal, it remains that state legislatures and attorneys general continue to take the lead in privacy legislation and enforcement.  See, http://www.nytimes.com/2013/10/31/technology/no-us-action-so-states-move-on-privacy-law.html

See also, State AGs Chuckle at Idea of Federal Breach Law:   https://www.privacyassociation.org/publications/amidst_u.s._govt_shutdown_state_ags_chuckle_at_idea_of_federal_breach_law

And, in other California news, California also enacted AB370, its own “Do Not Track” law.  The legislation requires owners of commercial websites and online service providers (again, “operators”) to conspicuously post a privacy policy, which policy must disclose the categories of personally identifiable information the operator collects and with whom the operator shares such information. The law also addresses Do-Not-Track (“DNT”) signals sent from browsers, in that it requires operators of websites and online services to notify users about how they handle DNT signals.

“Operators” include website operators, and per the CA AG, that would be software operators and mobile apps that transmit and collect PII online.  The law does not prohibit commercial websites or online services from tracking and gathering personal information from its users – just addresses notice policies and procedures.  In that regard it does not prompt an “opt in” option on the operator’s website or app – which would require a consumer/customer to affirmatively allow the operator to share PII.  It is an update to CalOPPA (“California Online Privacy Protection Act of 2003”).

http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140AB370

And see also: The FTC has denied an application seeking approval of a proposed verifiable parental consent method submitted by AssertID, Inc., under COPPA.

In a letter to AssertID, the Commission noted that the company’s proposal failed to provide sufficient evidence that its method would meet the requirements set out under the rule. Specifically, the Commission noted that there was not yet adequate research or market testing to show the effectiveness of the AssertID “social-graph verification” method.

Executive Order – Improving Critical Infrastructure Cybersecurity

The White House issued a press release on February 12, 2013 that included the President’s Executive Order on cybersecurity.  The Order is the administration’s initiative to work “in partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”

This Executive Order fills something of a void left by orphaned Congressional proposals.  Earlier legislative proposals were criticized as not going far enough to protect consumers’ privacy interests (data collection issues); other proposals were criticized as being too heavy-handed on the so-called critical infrastructure entities (requiring utilities, transportation/shipping to share data).  The Order specifically cites “Critical infrastructure,” without specifically defining what/who is included in that group. Commentators believe the initiative will affect a great deal of economic activity, not to mention the broadest possible spectrum of relevant technologies.  The Order also incorporates the FIPPs – Fair Information Privacy Principles, which are a set of eight principles rooted in the tenets of the Privacy Act of 1974.

 http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

The National Institute of Standards and Technology has already instituted a new cybersecurity framework in conjunction with the Order.  This is a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that NIST says are vital to the nation’s economy, security and daily life.   http://www.commerce.gov/news/press-releases/2013/02/13/national-institute-standards-and-technology-initiates-development-new

For further comments, see:

http://www.nationaljournal.com/tech/why-some-privacy-advocates-are-grinning-over-obama-s-cybersecurity-order-20130213?print=true

And, see renewed Congressional effort: The President’s Executive “order allows the sharing of government data with the private sector, the data sharing doesn’t flow back the other way. That means the order, unlike CISPA, doesn’t raise the hackles of privacy groups that have protested that CISPA could grant immunity to private sector firms who want to share their user’s personal information with the government.”  CISPA is the Cyber Intelligence Sharing and Protection Act; the legislation passed the House last year but did not reach a vote in the Senate.

For further details:

http://www.forbes.com/sites/andygreenberg/2013/02/12/president-obamas-cybersecurity-executive-order-scores-much-better-than-cispa-on-privacy/

See also: http://www.pcmag.com/article2/0,2817,2415413,00.asp

FTC Issues Report on Ways to Improve Mobile App Disclosures

The report, issued February 1st, provides recommendations for the mobile marketplace, including operating system providers such as Amazon, Apple, BlackBerry, Google and Microsoft.  The report also addresses application developers, advertising networks, analytics companies and app developer trade associations.  The report describes that in the fourth quarter of 2012, consumers worldwide bought approximately 217 million smartphones.  Given such widespread use of the technology, the FTC staff notes that unprecedented amounts of data are being collected.  The FTC offers several suggestions for the “major participants” to improve mobile privacy disclosures.  The report recommends that mobile platforms should:

-Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;

-Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content;

-Consider developing a one-stop “dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded;

-Consider developing icons to depict the transmission of user data;

-Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;

-Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores; and

-Consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.

App developers should:

-Have a privacy policy and make sure it is easily accessible through the app stores;

-Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);

-Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so the app developers can better understand the software they are using and, in turn, provide accurate disclosures to consumers. For example, app developers often integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used.

-Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.

Advertising networks and other third parties should:

-Communicate with app developers so that the developers can provide truthful disclosures to consumers;

-Work with platforms to ensure effective implementation of DNT for mobile.

App developer trade associations, along with academics, usability experts and privacy researchers can:

-Develop short form disclosures for app developers;

-Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps;

-Educate app developers on privacy issues.

The FTC also introduces Mobile App Developers: Start with Security, a new business guide that encourages developers to aim for reasonable data security, evaluate the app ecosystem before development, and includes tips such as making someone responsible for data security and taking stock of the data collected and maintained.

The FTC also announced a settlement with the operator of the Path social networking app.  The FTC alleged that the app deceived users by collecting personal information from their mobile device address books without their knowledge or consent.  The settlement requires Path to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years.  The company also agreed to pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent.

See update from NYT — loophole allows Path to share location data even when a user has turned off location: http://bits.blogs.nytimes.com/2013/02/01/path-photos-location-loophole/