FTC: App Took Unauthorized User Data
When it comes to BYOD, BYOA is never far apart, so when apps unknowingly gather personal information, business contacts, emails and other sensitive corporate data can be gathered as well.
Such was the case when the Federal Trade Commission (FTC) brought charges against Path, a social networking app, for collecting personal info from mobile device address books without users' knowledge and consent.
In its complaint, the FTC charged that the user interface in Path's iOS app was misleading and provided consumers no meaningful choice regarding the collection of their personal information.
In version 2.0 of its app for iOS, Path offered an "Add Friends" feature to help users add new connections to their networks. The feature provided users with three options: "Find friends from your contacts;" "Find friends from Facebook;" or "Invite friends to join Path by email or SMS."
However, Path automatically collected and stored personal information from the user's mobile device address book even if the user had not selected the "Find friends from your contacts" option.
For each contact in the address book, the app automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.
Path, Inc. has agreed to settle. The company will institute a comprehensive privacy program and will obtain independent privacy assessments every other year for the next 20 years. In addition, the company will also pay $800,000 to settle charges that it illegally collected personal information from children without their parents' consent.
New FTC App Guidelines
To address this and similar cases, the FTC issued the report:
“Mobile Privacy Disclosures: Building Trust Through Transparency: A Federal Trade Commission Staff Report
,” and introduced a guide: “Mobile App Developers: Start with Security
The report makes recommendations for critical players in the mobile marketplace: mobile platforms (OS providers, such as Amazon, Apple, BlackBerry, Google and Microsoft), application (app) developers, advertising networks and analytics companies and app developer trade associations. Most of the recommendations involve making sure that user get timely, easy-to-understand disclosures about what data they collect and how the data is used.
The guide urges developers to aim for reasonable data security and evaluate the app ecosystem before development. It includes tips such as making someone responsible for data security and taking stock of the data collected and maintained.
Most of the recommendations involve ensuring that users receive timely, easy-to-understand disclosures about what data they collect and how the data is used. FTC Chairman Jon Leibowitz said, “These best practices will help to safeguard consumer privacy and build trust in the mobile marketplace, ensuring that the market can continue to thrive.”
Highlights of the recommendations include:
For mobile platforms:
- Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation and for other content that would be considered sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content
- Consider developing a one-stop “dashboard” approach to allow users to review the types of content accessed by the apps they have downloaded
- Consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.
For app developers:
- Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so the app developers can better understand the software they are using and, in turn, provide accurate disclosures to consumers.
- Consider participating in self-regulatory programs
Perhaps what the report does not take into consideration is increased end user education. As it’s often unregulated, hacked versions of apps are the greater danger to the user and the business.