California's mobile privacy crackdown praised

California's top prosecutor has sent warnings to scores of mobile app developers that have allegedly violated the state's privacy laws, a crackdown that security experts applaud as good for the industry.

Attorney General Kamala D. Harris started notifying businesses this week that their apps did not have easily accessible privacy policies, as required by the state's Online Privacy Protection Act. The warnings affect as many as 100 apps.

The companies have 30 days to correct the problem. Besides being conspicuous, privacy policies must also inform users what personal information is gathered and how it is used. Violators face fines of $2,500 for each downloaded app.

"We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California's privacy laws," Harris said in a statement.

Among the businesses receiving warnings were airlines United Continental and Delta and restaurant reservation scheduler OpenTable, Bloomberg BusinessWeek reports. The latter two companies did not respond to a request for comment, but United confirmed receiving the warning.


"We are taking all steps necessary and appropriate to ensure compliance with California law as it relates to our mobile app," United spokeswoman Mary Clark said in an email.

Mobile security experts and vendors said the crackdown was good for the industry, because it would boost California consumers' confidence. California is one of the most aggressive states in the nation on privacy protection.

"In the long run, this will be good for the mobile app industry," said Xuxian Jiang, an assistant professor at North Carolina State University who has done research on mobile privacy.

Because people often use their mobile devices for work, the law also provides some protection to employers.

"Businesses may not be aware of the risks to data leakage from these apps," said Chester Wisniewski, a senior security adviser for Sophos. "Imagine a situation where employees are loading some application that is sending your corporate address book to some third party without your knowledge."

Studies have shown that many smartphone game developers have partnered with advertisers that gather personal information without permission. This has become a serious problem on devices running Google's Android operating system, because anyone can sell apps for the platform. All apps for Apple devices are sold and vetted by the company.

"Smartphones are in my opinion the greatest threat to loss of intellectual property and concern about privacy," said Darren Hayes, an assistant professor and expert in computer forensics at Pace University. "There are mobile apps that are masked as legitimate games which compromise other data on your phone. More aggressive privacy laws may mitigate some of the risk."

App developers caught in California's privacy net may have difficulty meeting the state's 30-day window for fixing the problem, Jiang said. "Lots of apps would have to be updated to include the privacy notice, so this is a seriously short time for the app developer."

Nevertheless, Lee Cocking, vice president of corporate strategy at Fixmo, said he would like to see California go even further. "What's really needed is clear and concise information for an end user and business that clearly states something like, 'This application has access to the following: camera, contact list, SMS messages.'"

This year Harris created a Privacy Enforcement and Protection Unit dedicated to enforcing the state's privacy laws. A number of tech companies have formally agreed to improve privacy protections, including Amazon, Apple, Google, Hewlett-Packard, Microsoft, Facebook and Research In Motion (RIM).

Despite California's efforts, privacy remains a serious problem on mobile apps. In a recent analysis of 1.7 million apps on the Google Play market, Juniper Networks found that free apps were four times more likely than paid apps to track the user's location, three times more likely to access address books and two-and-a-half times more likely to access the device camera.


Stories by Antone Gonsalves
