Digital privacy versus national security. That’s how scores of articles have framed the controversy over Apple Inc.’s refusal to cooperate with the FBI in bypassing the security features of an iPhone used by Syed Farook, one of the deceased shooters in the San Bernardino terrorist attack. Largely overlooked is the fact that Farook’s employer could’ve prevented the whole controversy had it installed common software on the phone.

Syed worked for the County of San Bernardino as a health inspector. The county issued the iPhone in question to Farook to help him do his job. Farook signed an agreement giving the county the right to search the contents of the phone, but the county did not take measures to ensure it could enforce that right. Employers who allow their employees to use mobile devices for work typically install mobile device management (MDM) software on the device. MDM allows the employer to unlock a mobile device remotely, wipe the contents of the device, push software updates, and track the device’s location. According to an AP report, the county had a contract with an MDM provider, but it never installed the MDM software on Farook’s phone. The MDM service costs $4 per month per phone.

There are HR and IT lessons to be learned from this incident. One lesson is that employees should be required to grant their employers access to their mobile devices as a condition of using them for work-related purposes. Specifically, management should obtain an employee’s signed written agreement authorizing the company to access the contents of a mobile device that is connected to the company network. The County of San Bernardino did at least obtain this kind of authorization.

A second lesson is that the right to access a mobile device is useless if you have no practical way of gaining access. This is where technology like MDM software is useful. Installation of MDM controls should be standard operating procedure in any Bring Your Own Device program. MDM software doesn’t have to be expensive either. Popular email server platforms like Microsoft Exchange have MDM controls built in. For more robust functionality, consider investing in specialized MDM solutions.

It shouldn’t take the prospect of a terrorist attack to highlight the importance of taking these lessons seriously.

The FTC released two guides on the privacy and security issues related to the Internet of Things.  The first is a staff report based on discussions in an FTC-hosted workshop on the subject held on November 19, 2013.  In addition to summarizing the workshop discussions, the report contains staff’s recommendations in the IoT space.  This prompted an FTC Commissioner (Joshua Wright) to dissent from the decision to issue the report.  In Commissioner Wright’s view, it is premature to publish staff recommendations in this area without further research, data, and analysis.  The dissenting statement can be found here.

The report discusses the benefits of IoT as well as three risks:

  1. enabling unauthorized access and misuse of personal information;
  2. facilitating attacks on other systems; and
  3. creating risks to personal safety.

The report also discusses Fair Information Practice Principles including security, data minimization, notice, and choice.  Click here to read the full report.

Along with the staff report, the FTC issued a guide called “Careful Connections” that provides recommendations on building security into IoT applications.  Download the guide here.

The Federal Trade Commission (FTC) just announced that Snapchat agreed to settle charges that it deceived consumers about how its popular mobile message app worked and what personal user data it collected.  (Read the FTC’s press release here). Part of Snapchat’s appeal was a feature enabling users to control how long a message could be seen by the recipient. After the designated time limit expires, the message is destroyed, much like the mission briefings in Mission Impossible. At least that’s what Snapchat told users. According to the FTC, Snapchat misled consumers because the app didn’t exactly work the way it said it did. The FTC’s complaint against Snapchat (read it here) included these allegations:

  • Recipients of a “snap” (a Snapchat message) could save the snap using tools outside of the app. Snapchat apparently stored video snaps in a location on the recipient’s mobile device outside of the app’s secure “sandbox.” This enabled recipients to find and save video snaps by connecting their mobile device to a computer and using simple file browsing tools. Another way to bypass the deletion feature was to use apps that connected to Snapchat’s API to download and save snaps.
  • Snapchat told users that if a message recipient took a snapshot of the snap, the sender would be notified. In fact, the screenshot detection mechanism could be bypassed.
  • Snapchat collected geolocation data of users when it said it would not.
  • Snapchat told users to enter their mobile number to find friends who also use the app, implying that the user’s mobile phone number was the only information it collected. Without the user’s knowledge, Snapchat also collected the names and phone numbers of all contacts in the address book on the user’s phone.

So what’s the significance of the settlement? Here are a few quick takeaways.

  • Descriptions of mobile apps in an app marketplace like iTunes App Store or Google Play are product descriptions that could be the basis for false advertising claims.
  • Including boilerplate language in an app description, terms of use, or privacy policy is a bad idea if you don’t know what it means or can’t verify its accuracy. Snapchat’s privacy policy told users that it “did not ask for, track, or access any location-specific information.” A lot of apps say that. The problem was that Snapchat integrated an analytics tracking service in the Android version of the app that did collect location information.
  • Take into account exploits and workarounds when drafting privacy policies and product descriptions. This includes software that uses the app’s API.
  • The FTC is getting more active in pursuing false advertising claims against mobile app makers. In December of last year, the FTC settled charges that the developer of the “Brightest Flashlight Free” app deceived consumers about how their geolocation information would be shared with advertising networks and other third parties. The FTC’s interest in suing companies that allow a data breach to occur is also a growing concern, especially after the New Jersey federal district court’s decision in FTC v. Wyndham Worldwide Corp., recognizing the FTC’s authority to prosecute cases where a company is alleged to have failed to maintain “reasonable and appropriate data security for consumers’ sensitive personal information.”
  • Information transmitted over the Internet is rarely, if ever, gone forever. Somehow, somewhere, electronic data can be retrieved.