Mobile Data Protection - The Call for Privacy and Security for Wireless PII

Size: px

Start display at page:

Download "Mobile Data Protection - The Call for Privacy and Security for Wireless PII"

Jasper Hood
8 years ago
Views:

1 Mobile Data Protection - The Call for Privacy and Security for Wireless PII

2 Agenda moderated by Chris Cwalina The Wireless Ecosystem and Privacy Considerations from an Industry Perspective Kathy Zanowic An overview of the issues most critical and unique to providing reasonable security for mobile applications Mark Paulding Mobile Privacy and Security from a Regulator s perspective Chris Olsen

3 The Wireless/Smartphone Ecosystem Kathy Zanowic

What a Cell Phone Used to Be Closed System, Managed by Carrier Apps limited to those available from carrier User generally unaware of types of Operating Systems Carrier Services

4 What a Cell Phone Used to Be Closed System, Managed by Carrier Apps limited to those available from carrier User generally unaware of types of Operating Systems Carrier Services User Data Operating System Minimal private data e.g. phone contact list, IM contacts Application downloads managed by carrier Hardware generally managed by carrier Camera GPS 2G/3G Radio

Open System only partly managed by Carrier Apps & Web Services Apps Web Browser User

5 Today s Smartphone Ecosystem Examples: Significant user data location, pictures, contacts passwords, etc. Open System only partly managed by Carrier Apps & Web Services Apps Web Browser User Data Carrier Services Operating System Operating System Hardware Device Accessories GPS Camera Storage Wi-Fi LTE/3G Radio Multiple ways to download apps

6 Smartphone Data Flows Device, Operating Systems, App Stores, Web Sites Data Flow Applications Service Provider Customer Advertisers, Ad Agencies, Ad Networks

7 Smartphone Information Availability Example Using Location Data Before Start-Up, Device is invisible to all. User turns smartphone ON : -Firmware initiates device and Operating System boot up- Operating System can know GPS location. -Cell tower/wi-fi hotspot registration- Carrier can know location; Wifi hotspots can know hardware ID -Components (camera, radio, etc.) and Apps start automatically or by customer - Apps can know location, can access camera, etc. -Browser started by customer - Browser apps can now know location, can access camera, etc.

8 Mobile Data Flow Key Points Mobile devices and software can obtain information from many sources: For example, location data can come from: standalone GPS, wireless carriers, independent cell tower info, Wi-Fi mapping, and user input. All participants in the mobile environment-carriers, device manufacturers, Operating System providers, application developers, advertising entities- share responsibility for informing customers about the data that is collected, how it is used and shared, privacy choices, and data protection policies. Consumers also bear responsibility for educating themselves and making privacy choices aligned with their preferences.

9 Privacy Considerations Transparency Collection, Use and Sharing of Data Types of Notice Consumer Controls Choice Options Mechanisms Use Limitations Data Protection Controls

10 Privacy Notice/Choice - Example of Verizon Wireless App Users of the VZ Navigator application receive the following disclosure and consent screens before location information may be used by Navigator services:

11 Location Gathering Disclosures for Android Operating System (1)

12 Location Gathering Disclosures for Android Operating System (2) estors-remain-engaged-focused-long-term-goals-economic

13 An overview of the issues most critical and unique to providing reasonable security for mobile applications Marc Paulding

14 Legal and Regulatory Standards The law is ill-defined Existing laws are designed for traditional PCs Mobile specific provisions focus on encryption Massachusetts regulations require encryption of stored data HIPAA Security Rule guidance recommends encryption of stored data

15 Mobile Technology and Cybercrime Criminals are already targeting mobile technology Criminal attacks can result in brand damage and regulatory action Malicious software is distributed in many ways Malicious apps Poisoned apps Malvertising Phishing Businesses should anticipate attempts to coopt their technology

16 Mobile Security Priorities Most commonly-accepted security standards apply to mobile technology Three security topics are of particular importance Secure system development Supply chain security User education

17 Secure System Development Do not make the mistake of assuming that small applications do not require robust security System development safeguards should include Data inventory Security requirements analysis Security controls definition and testing Security training and awareness Secure development and configuration procedures

18 Secure System Development Example: Defining Zones of Trust Permission should be based on trustworthiness Trust should be earned, not assumed First party activity may be trusted User activity has to be trusted Third party activity should be trusted only after verification Trust should be limited by need Users/processes should only be trusted to take actions they need to take Well-defined zones of trust reduce the number of ways systems can be exploited

19 Secure System Development Example: Transmission Security Publicly-accessible communications are easily intercepted Internet Wireless networks Assume that anything that can be intercepted will be intercepted Transmission of sensitive information should be limited by need Sensitive information transmitted over any public communication system should be encrypted in accordance with industry standards

20 Secure System Development Example: Local Storage Local storage security technology is limited (to date) Mobile devices are easily accessed, lost, or stolen Local storage should be limited based on need Centralized storage (directly controlled by the application/service publisher) mitigates risks of lost/stolen mobile devices

21 Supply Chain Security Relationships with third party developers and service providers may introduce unique security risks Companies may be exposed to flaws in third party security programs when Using third party developer provided technology or Permitting direct communication with app developer systems

22 Supply Chain Security Data protection allegations against third party developers may be imputed to their trading partners Third party developers may be accused of collecting/using data in ways that may not have been disclosed to their trading partners This can be an issue for trading partners even if the allegations against a developer prove to be inaccurate Risks include the black market Distribution of poisoned apps may tarnish brand reputation

23 Supply Chain Security Supply chain safeguards Contracts Reasonable security requirement Notice of security incidents and cooperation during investigations Product/service evaluation Evaluate third party developer systems prior to use/distribution Zones of trust Direct connections to third party developer systems should be isolated Trade dress protection Monitor known marketplaces for illicit copies of apps

24 User Education Careful users benefit businesses Reduce incidence and cost of fraud Maintain consumer goodwill User education should focus on Strong password practices Passphrases are memorable and robust without excess complexity Caution when interacting with the Internet Understanding the relative value of trust

25 Mobile Privacy and Security The views expressed are those of the speaker and not necessarily those of the FTC or any other person. Christopher N. Olsen Federal Trade Commission

26 FTC Focused on Mobile Mobile Team Environment Law enforcement actions Policy initiatives: Proposed Framework for Businesses and Policy Makers

27 FTC Mobile Team Dedicated staff Technologist assistance Testing capabilities

28 Law Enforcement -- FTC Act Fundamentals Section 5 of the Federal Trade Commission Act broadly prohibits unfair or deceptive acts or practices in or affecting commerce. Deception a material representation or omission that is likely to mislead consumers acting reasonably under the circumstances Unfairness practices that cause or are likely to cause substantial injury to consumers that are not outweighed by countervailing benefits to consumers or competition and are not reasonably avoidable by consumers. Flexible law that can be applied to many different situations, entities, and technologies.

29 Key Cases W3 Innovations Frostwire Google Facebook Mobile background screeners

30 Data security principles apply Brought over 30 cases alleging deceptive or unfair security practices by companies handling personal data Same date security principles apply to mobile environment

31 FTC PRIVACY AND DATA SECURITY CASES

32 Policy Considerations Complex ecosystem Telecom carriers Operating system providers Ad networks Application developers Handset manufacturers Service providers

33 Key Features to consider Small screen Multiple channels: texting, mobile Web, mobile Apps On the go use Additional hardware capabilities camera, microphone, gyroscope GPS & location features Easy sharing of user information Personal to one user

34 Key Questions Who collects what information? How is it used? With whom is it shared? Are consumers being adequately informed? Do they have a choice?

35 Proposed Privacy Framework Issued Proposed Framework For Businesses and Policy Makers in December 2010, following a series of public roundtables. Key elements: Privacy by Design, Simplified Choice, and Greater Transparency. Application to Mobile environment.

36 Kids Apps Survey Reviewed 200 kids apps on Android and 200 on Apple Looked for disclosures available in App stores or by developers Very little information disclosed prior to download Recommendation app stores, developers and other ecosystem participants need to improve disclosures re data practices

37 Other Recent Developments Final Privacy Report? Workshops? Other?

38 QUESTIONS?

39 Presenters Christopher Cwalina Christopher Olson Kathleen Zanowic Mark Paulding

3/17/2015. Overview HIPAA. Who s Covered? Who s Not Covered? PRIVACY & SECURITY. Regulatory Patchwork: Mobile Health

3/17/2015. Overview HIPAA. Who s Covered? Who s Not Covered? PRIVACY & SECURITY. Regulatory Patchwork: Mobile Health PRIVACY & SECURITY Regulatory Patchwork: Mobile Health Anna Watterson, Davis Wright Tremaine, LLP Overview When HIPAA applies to mobile apps When FTC has jurisdiction over mobile apps Other considerations: