Archives: Mobile Privacy

The National Institute of Standards and Technology (NIST) has issued guidelines to help federal agencies manage and secure mobile devices used by their employees for government business. A valuable resource on enterprise mobile device security for all businesses, not just federal agencies, the guidelines are designed to be used by CIOs, CISOs, and other information security professionals as best practices when designing, implementing, and maintaining enterprise-level mobile device security. A Mintz Levin client alert summarizes the key recommendations in NIST’s Guidelines for Managing the Security of Mobile Devices in the Enterprise. Read more here.


Written by Ernie Cooper 

Aiming to “address the real privacy and security risks that consumers face when telecommunications carriers use their control of customers’ mobile devices to collect information about their customers’ use of the network,” the Federal Communications Commission (FCC) has adopted a Declaratory Ruling holding that the existing rules requiring carriers to protect customer proprietary network information (CPNI) apply to CPNI collected by mobile devices when such collection is undertaken at the carrier’s direction and the carrier has access to or control over that information. The FCC further clarified that this obligation applies even while the CPNI resides on the handset prior to transmission to the carrier’s servers.  The Declaratory Ruling does not restrict carriers’ ability to collect CPNI using customer handsets, but holds that if the carrier chooses to do so, it must protect the CPNI it collects.

The Declaratory Ruling applies only to the providers of common carrier and interconnected VoIP services covered by the CPNI rules, although the ruling could raise expectations that other wireless broadband providers engaged in device-based data collection will also protect that data against unauthorized disclosure and use.

Following is a summary of the main points of the Declaratory Ruling.

Many Data Elements Collected by Mobile Devices Fit the Definition of CPNI.  The statutory definition of CPNI is “information that [1] relates to the quantity, technical configuration, type, destination, location, and amount of use of a [customer’s] telecommunications service . . . [2] that is made available to the carrier by the customer [3] solely by virtue of the carrier-customer relationship.”  The FCC concluded that this type of information, even when collected or stored on a mobile device, falls within the definition of CPNI and is therefore subject to the rules governing such information.  Using the 2011 controversy over certain carriers’ use of the Carrier IQ diagnostic software as an example, the FCC explained that when software installed on a handset to collect this information for carriers is not properly secured, other entities or applications may access the CPNI, resulting in the potential disclosure of location and other data.

The Declaratory Ruling acknowledges that some information collected by Carrier IQ-type network diagnostic software, such as information on access to the carrier’s data network or URLs visited by a handset’s browser, may fall outside of the definition of CPNI. According to the FCC, however, that fact does not invalidate the principle that data that does meet the definition of CPNI must be protected as such.

The FCC explained that CPNI collected by a handset at the carrier’s direction is “made available” to the carrier even while it is stored on the handset prior to transmission to the carrier’s own servers.  Even if the information has not yet been transmitted, the configuration of the device puts the data “under the carrier’s control for all practical purposes,” and therefore “made available” to the carrier.  Thus the CPNI must be protected while resident on the customer’s handset, as well as during transmission and while on the carrier’s own servers.

CPNI collected on handsets is also “made available to the carrier by the customer solely by virtue of the carrier-customer relationship” because the carrier “is in a unique position with respect to its customers when it configures a mobile device to collect the information before the device is sold to a customer.”  The same is not true for information collected and stored on the handset by third-party applications installed on the handset by the consumer – even when the data might otherwise fit the definition of CPNI – because in that case the information is not under the carrier’s control and not intended to be transmitted to the carrier.

Carriers Must Take Reasonable Precautions to Prevent Unauthorized Disclosure of CPNI Collected on Handsets. The obligations carriers have under FCC rules to protect and prevent misuse of their customers’ CPNI apply equally to CPNI collected on customer handsets.

Thus, if a carrier chooses to collect or store CPNI on a handset, the carrier must take reasonable precautions to prevent unauthorized access and disclosure, including access that might be obtained by third-party applications the customer may have installed on the handset.  The Commission recognizes, however, that given the openness of modern smartphones it cannot require carriers to protect customers against “all possible privacy and security risks . . . , including risks created by third-party applications.”

As with other CPNI a carrier may have access to, carriers are free to use CPNI collected from handsets to “assess and improve the performance of its network and to provide information to customer-support representatives without the customer’s specific approval.”  Similarly, as with CPNI collected by other means, carriers are not restricted in using CPNI collected from handsets if the data has been aggregated, with individual customer identities and characteristics removed.

Consistency with Other Privacy Laws and Initiatives. In response to an argument raised by CTIA, the nonprofit organization that represents the wireless industry, the FCC explained that the clarifications made in the Declaratory Ruling are consistent with the Stored Communications Act. Further, while noting that mobile privacy issues are also being addressed through industry best practice development efforts by the standards-development organization ATIS, and in the NTIA-led multistakeholder process to develop a privacy code of conduct for mobile apps, the FCC concluded that neither of these initiatives is a substitute for the FCC’s obligation to fulfill its statutory role to ensure appropriate protection of CPNI.

Time flies when it comes to compliance deadlines. As we have blogged here, the Amended COPPA Rule compliance deadline is approaching. And if you haven’t addressed your compliance issues by Monday, you will be late.

Effective July 1, 2013, regulations issued in the December 2012 amendment to the Children’s Online Privacy Protection Act (COPPA) will be subject to enforcement by the FTC. Operators of commercial web sites and online services (including mobile apps) that collect, use, or disclose personal information from children under 13 need to be aware of how the amended COPPA rule will affect their business practices, and what is required to stay in compliance. We have prepared a comprehensive guide to the specifics of the rule, including new requirements related to personal information that was collected prior to the rule being implemented, as well as tracking, and responsibility for third-party use of information.

Link here for a copy of the Mintz Levin Guide to COPPA.


By Cynthia Larose, Evan Nadel, and Jake Romero

California Attorney General Kamala Harris’ attempt to bring an enforcement action against Delta Air Lines, Inc. won’t be leaving the runway. California Superior Court Judge Marla J. Miller has dismissed a data privacy complaint against Delta brought by Attorney General Harris. The development comes as an unexpected bump in the road for the Attorney General’s office, which has made enforcement of state privacy regulations a top priority. Judge Miller agreed with Delta’s argument that the claim should be dismissed on federal preemption grounds.

See our Mintz Levin Privacy client advisory here for more information.

Written by Amy Malone

U.S. Rep. Hank Johnson, a Democrat from Georgia, has introduced a mobile privacy bill that if passed will require mobile application developers to maintain privacy policies, obtain consent from consumers before collecting data, and securely maintain the data they collect.

The Application Privacy, Protection and Security Act of 2013, or the “APPS Act,” also requires app developers to establish a data retention policy and allows users to request that app developers stop collecting their data and delete any stored information about the user. App developers are charged with taking “reasonable and appropriate” measures to prevent unauthorized access to personally identifiable and de-identified information collected by the app.

Over the last year, the public was able to express their concerns and suggestions regarding mobile privacy through a web-based project called AppRights started by Rep. Johnson. In a press release Rep. Johnson said that more than 80% of AppRights participants wanted Congress to protect consumers’ privacy on mobile devices by imposing regulations that require app developers to tell users what information is being collected and how it is being used, to secure user information and to make controls easy to implement on mobile devices.

Under the APPS Act, enforcement will be provided by the Federal Trade Commission, and state attorneys general can bring civil actions on behalf of residents to enforce the regulation and obtain damages. There is also a safe harbor provision that allows app developers to satisfy the requirements of the Act by adopting and following a code of conduct for privacy that is established using a multistakeholder process facilitated by the National Telecommunications and Information Administration.

Written by Amy Malone

After rounds of comments and public workshops, the FTC has finally released an update to its digital advertising disclosure guidelines (here).  The FTC first released guidance on digital advertising in 2000 (see those guidelines here) and last May the FTC requested comments on how the guidelines could be updated.  The FTC points out on the first page that “consumer protection laws that apply to commercial activities in other media apply online, including activities in the mobile marketplace.”

Extending the same rules across media poses issues due to the space available (compare your phone screen to your laptop screen, and you get the idea).  How can you ensure your disclosures are up to snuff?  Well, the FTC focuses on providing disclosures that meet the “clear and conspicuous” standard and provides an appendix full of examples that include pictures of mobile screens displaying both acceptable and unacceptable disclosures.  The FTC also touched upon using endorsements and testimonials in advertisement (for more information on the guidelines the FTC released in 2010 see our blog post here).

Factors to consider in ensuring your ads meet the “clear and conspicuous” standard

  •  Proximity and Placement.  Disclosures are most effective when placed near the claims they qualify.  Close proximity increases the likelihood that consumers will see the disclosure and realize it relates to the claim or product.  On a mobile device it may be difficult, if not impossible, to include the disclosure on the same screen as the product or claim.  In those cases advertisers are encouraged to provide “text prompts” that indicate to the consumer that more information is available (e.g. “see below for important information on restocking fees” alerts the customer to scroll and look for the information).  If you decide to use a hyperlink, make sure it’s obvious that the link provides a disclosure and use language that is clear; this point harks back to our “see below for important information on restocking fees” example, which could also be used as a hyperlink.  Advertisers should steer away from using hyperlinks that contain general statements like “important information.”

  •  Prominence.  It’s your responsibility to draw attention to required disclosures.  Consider size, color and graphics that will affect the disclosure’s prominence and increase the likelihood that the consumer will associate the disclosure with the claim or product.


  • Distracting Factors in Ads.  The FTC warns that graphics, sound, text and links that lead to other screens may entice the consumer away from the original screen and the disclosure.  You’d be wise to ensure that whatever graphics/sounds/text you have on a page are not so flashy as to draw the consumer away before reading the disclosure.


  • Repetition.  Disclosing information more than once makes it more likely that a consumer will notice and understand the disclosure, but there is a fine line between helping the consumer and annoying them to the point that they ignore the disclosure.  Repetition is probably necessary if consumers can access and/or navigate the website or application in different ways.  Placing the disclosure in multiple places will help ensure that the consumer sees it.

  • Multimedia Messages and Campaigns.  Ads may contain audio messages, videos or animation that require disclosures.  If providing disclosures on a multimedia platform, weigh factors such as: if it is audio, is the volume sufficient for a reasonable consumer to hear and understand it?  If you are using video, are the visual disclosures appearing for a duration sufficient for consumers to notice, read and understand them?  The FTC points out that fleeting online disclosures are not likely to be deemed sufficient.

  • Understandable Language.  Consumers need to be able to understand the disclosure.  Use clear language and avoid technical jargon and legalese.


Over the last year, the FTC has been on a mobile rampage, releasing guidelines on mobile app development, mobile app payment issues and bringing actions against mobile app and mobile device developers (see our blog posts here, here, here, and here).  Last week, the FTC released a video with additional tips for mobile app developers. Anyone working in the mobile sphere needs to be vigilant and aware of the regulatory focus.