Search The Web's Nooks And Crannies To Find Connected Devices

Most people believe that when they use one of the popular search engines (e.g., Bing, Google, Yahoo, DuckDuckGo), that they have effectively searched the entire Internet. That belief is erroneous for a couple reasons.

CNN Money has a good report about the Shodan search engine, which was developed specifically to search what I call the nooks and crannies of the Internet. Shodan users can find devices connected to the Internet that other search engines don't necessarily focus upon:

"... servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet... traffic lights, security cameras, home automation devices and heating systems... control systems for a water park, a gas station, a hotel wine cooler and a crematorium... command and control systems for nuclear power plants and a particle-accelerating cyclotron..."

If it isn't obvious to you, these search results have huge privacy and identity theft implications for a variety of reasons. Many users connect devices to the Internet which they shouldn't connect. Or don't properly secure their Internet-connected devices with firewall software. You can bet that since the good guys already know about and use Shodan, then the bad guys will, too, and hack into unprotected devices, steal identity information, and/or cause havoc.

The second reason: many consumers are trapped in the search Filter Bubble, and don't know it.

ACLU Files FTC Complaint Against Mobile Carriers About Smartphone Security Failures

The American Civil Liberties Union (ACLU) has filed a complaint via the U.S. Federal Trade Commission (FTC) against several mobile carriers for:

"... failing to warn their customers about unpatched security flaws in the software running on their phones... running versions of Google’s Android operating system. Unfortunately, the vast majority of these phones never receive critical software security updates, exposing consumers and their private data to significant cybersecurity-related risks."

The mobile carriers named in the complaint include AT&T Inc., Verizon Wireless, Sprint Nextel Corp., and T-Mobile USA. In its announcement, the ACLU also said:

"Google’s Android operating system now has more than 75% of the smartphone market, yet the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched. For consumers running these devices, there is no legitimate software upgrade path... Although Google’s engineers regularly fix software flaws in the Android operating system, these fixes aren’t packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners."

Download the ACLU complaint (Adobe PDF, 438k bytes).

Survey: Consumer Usage And Perceptions About Mobile Banking

Late last month, the Federal Reserve Board (FRB) released the results of its latest survey of mobile usage by consumers for online banking. Key findings:

• 87% of the U.S. adult population has mobile phones
• 52% of mobile phones are smartphones (Internet-enabled)
• 87% of smartphone users accessed their devices to access the Internet during the past week
• 28% of all mobile phone owners used their devices for mobile banking during the past 12 months, up from 21% in December 2011
• 48% of smartphone owners used their devices for mobile banking during the past 12 months, up from 42% in December 2011
• 10% of mobile phone users who don't perform mobile banking expect to do so within the next 12 months

The specific mobile banking tasks consumers said they perform:

• 87% check account balances
• 53% transferr money between accounts
• 21% deposit checks
• 24% of smartphone users made mobile payments during the past 12 months,
• 42% made an online bill payment, down from 47% in 2011
• 6% of smartphone users made a retail point-of-sale payment during the past 12 months, up from 1% in December 2011. 22% want to use their mobile devices for retail purchases

Perceptions about the technology:

• 54% of mobile phone users said the primary reason they do not use their device for mobile banking is that their banking needs were already being met without the use of mobile banking. This is down from 58% in 2011
• 38% said concerns about the security were the primary reason for not us mobile banking. This is down from 42% in 2011
• 49% said security was the second most common reason given for not using mobile banking. This is up from 48% in 2011
• More than a third of mobile phone users who do not use mobile payments don’t see any benefit
  from doing so, and find it easier to pay with another methods (e.g., cash, credit, debit, prepaid)

Other tasks respondents said they use their smartphones for:

• 42% comparison shop while in retail stores
• 32% scan a product’s barcode to find the best price for the item
• 64% percent of those who comparison shop have changed where they purchased the product based on the information found
• 44% browse product reviews or get product information while shopping at a retail store
• 70% of those who browse product reviews have changed the item purchased based on the information found
• 64% of mobile banking users checked their account balance before making a large purchase
  in the past 12 months. About half of them did not purchase an item as a result of their account balance or credit limit

Who uses mobile phones:

• 10% are unbanked (neither they nor their spouse have a checking, savings, or money market account)
• 10% are underbanked (have a bank account, but also use a payroll card, payday lender, check cashier, or auto title loan)
• 59% of the unbanked have access to a mobile phone, half of which are smartphones
• 90% of the underbanked have access to a mobile phone, 56% of which are smartphones
• 49% of the underbanked said they used mobile banking during the past 12 months

The terms "unbanked" and "underbanked" are labels used within the banking industry. The FRB defines mobile banking as using a mobile phone to access a bank account, credit card account, or other financial bank account. So, mobile banking includes using the mobile phone's web browse, text messaging, or application features.

The reasons unbanked consumers gave for why they don't have a checking, savings, or money market account:

How consumers said they use the money from payday loans:

The reasons consumers said for why they don't use mobile banking services:

The reasons consumers said for why they don't use mobile payments:

Consumers' perceptions of the security of mobile phones and mobile banking:

Regarding mobile payments, the report found:

"Despite the increasing availability of phones equipped with near field communication (NFC) chips for use with NFC-based payment services, retailers and consumers appear to be trending toward adoption of non-NFC-based payment services. Indeed, consumers making mobile payments were nearly twice as likely to have used a mobile app or barcode to make their payment as to have made a payment by waving or tapping their phone."

How consumers with checking, savings, or money market accounts do their banking:

• 85% of banked consumers said they had visited a branch and spoke with a teller in the past 12 months
• 74% said they used an ATM machine
• 74% said they used online banking
• 34% said they used telephone banking
• 29% said they used mobile banking

The report's authors concluded:

"The two factors limiting consumer adoption of mobile banking and payments are concerns about the security of the technology and a sense that they don’t offer any real benefits to the user over existing methods for banking or making payments. With regards to security, consumers have actually become more likely in the past year to report that they simply don’t know how safe it is to use mobile banking, suggesting that consumers need to be provided with reliable and accurate information on the level of security associated with the various means of accessing mobile banking. In terms of the value proposition to consumers, the significant number of mobile users who reported an interest in using their phones to receive discounts, coupons, and promotions or to track rewards and loyalty points suggests that tying these services to a mobile payment service would increase the attractiveness of mobile phones as a means of payment."

The FRB's Consumer Research Section sponsored the survey and developed the report. GfK (formerly Knowledge Networks), an online consumer research firm. administered the survey from November 16 to 27, 2012. Nearly 2,600 respondents ages 18 or older completed the survey. The FRB conducted its first mobile survey in December, 2011.

Download the FBR "March 2013 - Survey of Consumers' Use of Mobile Financial Services" report (Adobe PDF, 941 kbytes).

9 Things Consumers Should Do About A Lost Or Stolen Tablet

Forbes recently published a fairly good article listing nine things consumers should do before and while travel to avoid having their tablet computer lost or stolen. Perhaps, you've already lost a tablet while rush during business travel. Maybe you left it in a taxi-cab or on an airplane.

hile the article was written with a focus for information technology professionals, the list of items includes good good security habits for consumers (or employees) who use a company-provided tablet or who use their personal tablet for business:

1. Password lock your tablet, especially when traveling
2. Use identification tags or stickers to make it easy for people, who find and want to return the tablet, to contact you (or your company)
3. When traveling, don't pack all of your gadgets iin one bag

Follow the link above to read the entire list. These tips help ensure that after a table loss or theft, a person can't use the tablet and access any sensitive information on it.

I consider the article "fairly good" because it unnecessarily focused on a single brand of tablet computers, when it easily could have been written more broadly to be relevant to all tablet users. The list of tips are not specific to any specific tablet brand.

5 Ways Retail Stores Spy On Their Shoppers

If you haven't read it, there is a good article at Consumer Reports which lists the ways retail stores spy on consumers while shopping. Not the online stores but the physical, brick-and-mortar store locations. Some of the ways stores spy on shoppers:

1. Spy cameras: armed with facial recognition software, these cameras record and track both your movements in the store, the items you look at, and for how long. Some stores use mannequins that contain spy cameras, to distribute cameras thought store areas. Stores often merge these recordings with data from your purchases: amount, payment method (e.g., cash, credit, debit), store sections (e.g., clothing, shoes, housewares, etc.), and items browsed (e.g., pants, dresses, cookware, etc.). Outside cameras record your auto data (e.g., license number, make, model) which is also merged with interior recordings.
2. Smart phone tracking: retailers record the geo-location data from your phone to map/track which departments you visit, in what order, and how long you stay in each department.
3. Interactive digital ads: many contain tiny cameras to record the shoppers that view the ads.
4. RFID technology: merchandise with radio frequency identification tags (RFID) can trigger nearby interactive digital ads, to then serve up targeted, personal ads based on the specific merchandise you are carrying
5. Product returns: many stores demand photo identification to process product returns. Stores claim that the reasons for this are to prevent fraud, but the data collection includes shoppers who do not commit fraud.

What is worse is that the stores do no disclose any warning to shoppers or parents, except that most states require stores to post product return policies visibly in stores.

What's your opinion of the tracking/spying?

The Top 5 Places You Should Never Use Your Smart Phone

Social Times recently listed the top five places consumers should not use their smart phone. The top two places:

1. Business meetings with clients
2. In-person job interviews

Gee, you'd think that people would know better. Places I would add to the list: 6) in school, especially during an exam; 7) during wakes and funeral services; and 8) your doctor's office (especially when they post signs telling patients to turn off their mobile devices). There's just too much sensitive equipment nearby.

Follow the above link to read the entire list. What places do you believe consumers should turn off their mobile devices?

Payment Processors: A New I've Been Mugged Topic

When consumers purchase a product or service with some form of plastic (e.g., credit cards, debit cards, prepaid cards) and their mobile device, usually several companies are involved in completing that transaction: getting the money to the retailer (online or brick-and-mortar). While many consumers may believe that only their bank is involved in processing the transaction, the reality is that more companies are often involved.

One type of company involved are payment processors, companies that process these financial transactions. Sometimes these payment processor companies experience data breaches where sensitive customer information is lost or stolen. With recent events in the banking industry, and the spread of prepaid debit cards, this new topic can help you more easily read about and understand what is happening within the banking and retail industries.

I have tagged this new topic retroactively to archived blog posts, so you read and understand the types of information available. See the new "Payment Processors" topic. I hope that you find it useful.

The Companies Involved In Payment Transactions When Consumers Buy Items

When consumers pay for products and services, today they have a wide variety of options. To make these options work, a variety of companies are involved behind the scenes in the payment transactions: the companies money and information flow through after a consumer purchases something at the checkout register. Consumers may not realize the wide variety of different companies involved.

Companies involved in the payment transactions flow often have their onw privacy policy, and data collection of consumers' sensitive information -- driven by their agreement with the retailer or bank. And, each company involved may experience data breaches where consumers' sensitive information is exposed or stolen:

	Payment Method
Company Type	Cash	Credit Card	Debit Card	Retailer's Prepaid Card (1)	Bank Prepaid Card (2)	Prepaid Card: FSA (3)	Smart Phone
Brick-&-mortar retail store	No	Yes	Yes	Yes	Yes	Yes	Yes
Online retail website	n/a	Yes	Yes	Yes	Yes	Yes	n/a
Retailer's partners &/or affiliates (4)	n/a	Yes	Yes	Yes	Yes	Yes	Yes
Your bank	n/a	Yes	Yes	n/a	Yes	Yes	Yes
Retailer's bank	n/a	Yes	Yes	Yes	Yes	Yes	Yes
Payments Processor (5)	No	Yes	Yes	Yes	Yes (6)	Yes	Yes
Your Employer	n/a	n/a	n/a	n/a	Yes	Yes	Yes
Healthcare Vendor (7)	n/a	n/a	n/a	n/a	No	Yes	n/a
Wireless Provider	n/a	n/a	n/a	n/a	n/a	n/a	Yes
Mobile Device Manufacturer	n/a	n/a	n/a	n/a	n/a	n/a	Yes
Mobile Device Operating System Developer (8)	n/a	n/a	n/a	n/a	n/a	n/a	Yes
Mobile App Developer (8)	n/a	n/a	n/a	n/a	n/a	n/a	Yes
App Store	n/a	n/a	n/a	n/a	n/a	n/a	Yes

Footnotes:

1. Includes gift cards offered by retailers that are good only at that retailer's stores.
2. Includes general-purpose prepaid cards usually offered by banks
3. Includes prepaid cards used by employers to adminster healthcare Flexible Spending Accounts
4. Includes outsourced vendors that administer a retailer's email marketing programs, cloud-based storage services, customer relationship management databases, mobile marketing services, product fulfillment, and/or data mining services; plus companies that perform co-marketing campaigns
5. The bank and/or company that processes the debit/credit card transactions
6. Applies to employers that pay employees via a payroll debit cards
7. Some employers outsource the administration of their healthcare Flexible Spending Account (FSA) program to an external vendor, and issue participating employees a special prepaid card
8. The company that develops and maintains this software mobile devices

What do you think about the above chart?

Asurion Expands Service Offering With Malware Protection For Smart Phones

Asurion, a provider of mobile device insurance services, announced yesterday that it will provide Walmart MobileCarePlus customers with free Asurion Mobile Security software. The Asurion security software is available in the respective app stores for Android and Blackberry smart phone users. According to the announcement:

"The Asurion Mobile Security solution regularly scans messages, pictures, installed applications and files on a customer's phone to identify and eliminate the latest viruses and malware, many of which can access private information and harm the mobile device itself. Safe browsing alerts users before visiting web sites which may compromise their phone's security and in the event a protected phone is misplaced, locate features can trigger an audible alarm, making recovery much easier... During the last two years, 48 percent of high school and college age students required a replacement device due to loss or damage."

For lost or stolen smart phones, the security service also includes a remote wipe feature to prevent thieves from accessing sensitive data and contacts on your smart phone.

This blog has warned mobile device users to add anti-malware software to their devices. Security software is available from a variety of vendors. If you are considering insurance for your mobile device, then read this first to help decide what's best for you.

Google Shares Personal Data Of App Purchasers With App Developers

Over at his Internet Hughbox blog, Dan Nolan raised a startling and huge privacy issue for Google Play users. After developing an Android app, Nolan found that Google had shared with him the sensitive personal information of purchasers of his app:

"I jumped over to the ‘merchant account’ section to see the orders and realised one absolutely insane thing. If you bought the app on Google Play (even if you cancelled the order) I have your email address, your suburb, and in many instances your full name. Each Google Play order is treated as a Google wallet transaction and as such software developers get all of the information (sans exact address) for an order of an app that they would get from the order of something physical."

While the personal data shared includes a flag whether or not the consumers wants to receive marketing offers via email, Nolan wonders how many app developers will comply with that. The implications of this detailed data sharing:

"... I could track down and harass users who left negative reviews or refunded the app purchase... This is a massive oversight by Google. Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it..."

Google Play is a cloud-based service offering. According to the MediaPost blog:

"... the data-sharing was intentional. Google designed its platform so that people who purchase apps do so from the developer. That model differs from the iTunes platform, where people purchase apps from Apple."

And, the Chicago Tribune reported:

"... Joel Reidenberg, Director of the Center on Law and Information Policy at Fordham University School of Law, said Google and other online and mobile services needed to be more transparent about what personal information was being shared with third-party firms."

Well said Mr. Nolan. Users should always be in control, with programs asking users to opt-in. Too many websites do the opposite: automatically include users and force users to opt-out.

Some app developers may use this personal information responsibly to provide product support and service, while others may not. Already, there are problems with consumers getting harassed about negative reviews posted online. Some physicians already try to stifle online discussion by forcing their patients to sign a "Mutual Agreement To Maintain Privacy" contract, which prohibits patients from posting negative comments on social networking websites.

Positive and negative reviews are part of a healthy, functioning marketplace, that helps users make informed choices. A 2011 survey found that 89% of consumers said they found online reviews trustworthy.

Facebook Hacked. Site Says User Data Not Compromised

In case you were away for the long weekend and missed it, on Friday Facebook.com announced via its website that it had been hacked:

"Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues... We have found no evidence that Facebook user data was compromised."

This means that the old saying still applies: a chain is only as strong as its weakest link. In this case, your sensitive personal information on a social networking site is only as secure as the weakest (mobile or website) app developer.

Path Inc. Settles With FTC For COPPA And Privacy Violations With Its Mobile Apps

This morning, the U.S. Federal Trade Commission (FTC) announced that it had reached a settlement with mobile app developer Path for COPPA and privacy violations where users' entire address books were uploaded and stored without notice nor consent. The terms of the settlement require Path Inc. to:

"... establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. The company also will pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent."

The Path mobile app enables consumers to create and share journals with up to 150 friends. The app also enables users to upload, store, and share photos, notes, songs they are listening to, and their geolocation. At registration, users share their gender, phone number, and date of birth. The lawsuit filed by the FTC (Adobe PDF, 918 kbytes) alleged that Path:

"Congress enacted COPPA in 1998 to protect the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children's personal information online by operators of lnternet websites or online services... In version 2.0 of the Path App for iOS, regardless of whether the user elected to "Add Friends," Defendant automatically collected personal information from users' mobile device contacts (also known as the user's "address book") and stored the personal information on Defendant's servers. For each contact in the user's mobile device address book, Defendant automatically collected and stored the following personal information, if available: first name; last name; address; phone numbers; email addresses; Facebook username; Twitter username; and date of birth. The automatic collection and storage of personal information from the user's mobile device contacts occurred the first time the user launched version 2.0 of the Path App and, if the user signed out of the service, each time the user signed in again. This practice continued until February 8, 2012."

The complaint also alleged:

"From November 14, 2010, through May 4, 2012, Defendant accepted registrations from users who entered a date of birth indicating that the user was under the age of 13. As a result, Defendant knowingly collected email address, first name, last name, date of birth, and if provided, gender and phone number, from approximately 3,000 children under age 13... From November 29, 2011, through February 8, 2012, Defendant also knowingly collected from these children the following personal information for each contact in the child's mobile device address book, if available: first name, last name, address, phone numbers, email addresses, and date of birth... Defendant did not provide parents with a direct notice of its information practices prior to collecting, using, or disclosing children's personal information. Defendant did not obtain verifiable consent from parents prior to collecting, using, or disclosing children's personal information."

The FTC also alleged that Path’s privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information. Kudos to the FTC for this settlement, although I wish the fine was far more.

However, Path Inc. faces other legal challenges including a class-action lawsuit about similar privacy violations. The class-action suit included more allegations that Path collected and shared more data with other companies, and tracked users with geo-tags.

To learn more, read about the COPPA Rule in the 2013 U.S. Federal Register (Adobe PDF, 590 kbytes).

Publishers Consider Ways To Further Use Data Collected By E-Readers

While listening to National Public Radio (NPR) in my car on Monday, I heard a very interesting report about how publishers are considering how to further use the data collected by e-readers (e.g., Amazon Kindle, Barnes & Noble Nook). Specifically, publishers are considering ways to use the data collected to give more detailed feedback to authors.

First some background for those who don't use e-readers, or who use them and haven't read the associated privacy policies. E-readers and e-books are increasing in popularity. Pew Research found:

"One-fifth of American adults (21%) report that they have read an e-book in the past year... 88% of those who read e-books in the past 12 months also read printed books... The average reader of e-books says she has read 24 books (the mean number) in the past 12 months, compared with an average of 15 books by a non-e-book consumer... 30% of those who read e-content say they now spend more time reading, and owners of tablets and e-book readers particularly stand out as reading more ... 72% of American adults had read a printed book and 11% listened to an audiobook in the previous year, compared with the 17% of adults who had read an e-book... E-book reading happens across an array of devices, including smartphones...."

About e-books and public libraries, Pew Research found:

"Some 12% of Americans ages 16 and older who read e-books say they have borrowed an e-book from a library in the past year... E-book borrowers say they read an average of 29 books in the past year, compared with 23 books for readers who do not borrow e-books from a library... more than three-quarters of the nation’s public libraries lend e-books... 58% of all library card holders say they do not know if their library provides e-book lending services... 46% of those who do not currently borrow e-books from libraries say they would be “very” or “somewhat” likely to borrow an e-reading device that came loaded with a book they wanted to read... 58% of Americans have a library card..."

Both surveys include plenty more results, but it is clear that consumers would read more e-books if they knew that their public library provided them. The benefits of e-readers are clear:

• Convenient: can carry with you several books without the heavy weight,
• Books don't take up shelf space in your home, and
• E-reader providers can learn your reading habits and recommend similar books.

In 2012, the EFF compared the privacy policies of various e-readers. The disadvantages:

• Loss of privacy: e-readers collect data about your reading habits and the online searches you performed to find e-books you want to read,
• Some e-readers collect and track the annotations consumers may make on an e-book text,
• The privacy policies of some e-readers are vague about exactly what data they collect (e.g., e-book purchases from other sources),
• Selection may be limited if your e-reader requires a certain format (e.g., AZW, ePub, PDF, RTF, etc.),
• Many books are not available in e-book format,
• Most e-readers share your readhing habits with other companies, while some offer opt-out capabilities.

The obvious data collected by e-readers includes the types (e.g., genre) of books downloaded onto your e-reader, when you downloaded e-books, the books read, and your reading patterns (e.g., the types/genres of books read). Other data collected, that you may not be aware of, includes how fast you read a book, which portions of the book you actually read, what e-book you immediately purchased next after completing a specific book (e.g., this probably applies to books in a series), and any annotations you made on the e-book text.

Some consumers may abandon an e-book after reading the first few chapters or a few pages. Some consumers may skip the introduction. Other consumers may read the last chapter first. For a given book, many consumers may skip a common chapter. For example, the Wall Street Journal reported that an average consumer read the third book in the "Hunger Games" series in about 7 hours, or 57 pages per hour.

Now, publishers and authors can know all of this. Publishers consider this data collected an opportunity to provide more feedback to authors. Thankfully, many authors will ignore this feedback and keep the creative process first (e.g., write what they intended regardless). But the data collection continues.

The e-readers with WiFi capabilities (e.g., Kindles, mobile devices, tablets) can combine geolocation data with your reading habits to determine where you read certain books. Whether or not this data collection bothers you is probably a personal choice.

If your reading habits include books about a certain medical condition, then you might be concerned about the loss of privacy. If your reading habits include topics to research a new business venture you have to keep secret until launch, then you might be concerned about the loss of privacy.

One way to think about e-readers: reading a book was historically something you did alone and in private. Not anymore. What's your opinion of e-readers and e-books?

Want to learn more? Try some of these:

• The Digital Reader
• EFF E-Reader Privacy Charts
• The Slippery Slope of eReader Privacy
• Your E-Book Is Reading You
• American Library Association Magazine: Digital Content

5 Online Privacy Tips To Keep You And Your Family Safe

Monday will be Data Privacy Day (DPD), with celebrations in North America and Europe to raise awareness and provide consumers with education about privacy. DPD was started in 2008. This year's theme is, "Respecting Privacy, Safeguarding Data and Enabling Trust." This year's events will be started with a privacy forum at the George Washington University Law School in Washington, DC. Federal Trade Commissioner Maureen Ohlhausen is the keynote speaker. More events are scheduled nationwide throughout February.

To support this event, Anchorfree and the National Cyber Security Alliance have developed together a list of tips for consumers to maintain their privacy when connected to the Internet via your smart phone, tablet, or laptop/desktop computer:

"1. Risky business - Make sure all family members understand the public nature of the Internet and its risks. Any digital information they share -- emails, photos or videos -- can easily be copied and pasted elsewhere, and is almost impossible to take back. Anything that could damage their reputation, friendships, wallet or future prospects should not be shared electronically."

A recent study found that 30 percent of teenage girls meet in person strangers they met online. So, it is critical for parents and families to practice safe habits while connected to the Internet and in the physical world. If you are a parent, grandparent, or guarding who plans to buy a smart phone for a child, then you definitely should read this contract one smart parent created to help her manage her teen's online usage.

2. Keep it hidden, keep it safe - Make sure all family members are careful about sharing sensitive information such as birth date, addresses, phone numbers, location, financial information, social security numbers, passwords and vacation plans. Most reputable online services have privacy settings. Teach your kids how to use them, too."

3. Browse intelligently - Avoid using sketchy, unfamiliar websites, and delete suspicious emails, particularly those that ask for unnecessary personal information or request that you download something. These may be malware or phishing sites out to steal your personal data.

There are several products available to automatically delete browser HTTP cookies and other files (e.g., Flash Cookies, and other LSO's = Locally Shared Objects) websites use to track you while connected to the Internet. This blog has reviewed some of them, including the MAXA Cookie Manager. I use the BetterPrivacy plugin with the Firefox browser.

The next item is critical because smart phones and tablets save a ton of metadata with each photograph or video you take. The metadata with your photos include a lot of descriptive information, including but not limited to a photo description (e.g., title, subject, tags, comments), author, date and time created, copyright information, image description (e.g., dimensions, resolution, color details, compression), camera description (e.g., make, model, F-stop, exposure, flash mode, zoom setting, lens maker, lens model, serial number, EXIF version), and file information (e.g., date created, date modified, file type, file name, size, attributes, owner, computer name). From photo metadata combined with your GPS location, a company can tell a lot about you, your purchases, your lifestyle, plus what you did/spent when and where.

That metadata gets uploaded to your favorite social networking website whenever you upload photos. Some social networking sites collect, save, and share all of that metadata. Others use some of it. So, consumers should:

4. Turn off geolocation - Many apps' permissions include backdoor location trackers that are constantly streaming your location. If you're not actively using your phone to navigate, turn them off. The FTC recently noted that many apps aimed at children are disclosing location; make sure your kids are following this rule of thumb as well."

The last tip cannot be over emphasized. Public WiFi hotspots are everywhere. If you expect to perform sensitive tasks (e.g., online banking, access/use sensitive documents from your employer) while connected to a public WiFi hotspot, you should:

5. Get behind a shield - Use a VPN such as Hotspot Shield, which will help identify malware sites and provide a secure, encrypted connection to the Internet for desktop or mobile devices, protecting your browsing from hackers and snoops. This is particularly important when using public Wi-Fi or other unknown networks."

AnchorFree produces Hotspot Shield. There are other brands available. Take a look at Get Cocoon and PrivateWiFi.

The National Cyber Security Alliance is a nonprofit organization formed to educate and empower consumers about Internet privacy. It collaborates with government, corporate, other non-profit and academic entities. NCSA board members include: ADP, AT&T, Bank of America, EMC Corporation, ESET, Facebook, Google, Intel, McAfee, Microsoft, PayPal, Science Applications International Corporation (SAIC), Symantec, Trend Micro, Verizon and Visa.

Some of those board members have a ways to go regarding privacy in their products or services. As a business consultant, I regularly use VPN software to remotely and securely access my clients' networks and servers. This blog post is not an endorsement of Hotspot Shield, since I have not used it.

What's your opinion of this list of tips? What VPN software do you use?

New Terms Of Service And Privacy Policies Go Live At Instagram

On Friday, Instagram sent this letter to its users:

From: Instagram (no-reply@instagram.com)
Subject: Instagram Update
Date: January 18, 2013

Hello,

Our community has grown by many millions of people since we wrote our original Terms of Service and Privacy Policy. As we announced in December, we have updated our Terms of Service and Privacy Policy. These policies also now take into account the feedback we received from the Instagram Community. We're emailing you to remind you that, as we announced last month, these updated policies will be in effect as of January 19th, 2013.

You can read our blog post that highlights some of the key updates. And remember, these updates don't change the fact that you own your photos that you post on Instagram, and our privacy controls work just as they did before.

Thank you,
The Instagram Team

The Instagram blog summaried the changes in its new policies:

"1. Nothing has changed about your photos’ ownership or who can see them.
2. Our updated privacy policy helps Instagram function more easily as part of Facebook by being able to share info between the two groups. This means we can do things like fight spam more effectively, detect system and reliability problems more quickly, and build better features for everyone by understanding how Instagram is used.
3. Our updated terms of service help protect you, and prevent spam and abuse as we grow.

In its blog post, Instagram reassures users that users own their photographs. While that is good, the bigger question is exactly what data dlements are collected, retained, manipulated, and shared? Some relevant portions from the new Terms of Service:

"Instagram does not claim ownership of any Content that you post on or through the Service. Instead, you hereby grant to Instagram a non-exclusive, fully paid and royalty-free, transferable, sub-licensable, worldwide license to use the Content that you post on or through the Service, subject to the Service's Privacy Policy, available here http://instagram.com/legal/privacy/, including but not limited to sections 3 ("Sharing of Your Information"), 4 ("How We Store Your Information"), and 5 ("Your Choices About Your Information")... You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such... Content removed from the [Instagram] Service may continue to be stored by Instagram, including, without limitation, in order to comply with certain legal obligations, but may not be retrievable without a valid court order... Except as otherwise described in the Service's Privacy Policy, available at http://instagram.com/legal/privacy/, as between you and Instagram, any Content will be non-confidential and non-proprietary and we will not be liable for any use or disclosure of Content. You acknowledge and agree that your relationship with Instagram is not a confidential, fiduciary, or other type of special relationship, and that your decision to submit any Content does not place Instagram in a position that is any different from the position held by members of the general public, including with regard to your Content."

Some interesting sections from the new Privacy Policy:

INFORMATION WE COLLECT
We collect the following types of information.
Information you provide us directly:
1. Your username, password and e-mail address when you register for an Instagram account.
2. Profile information that you provide for your user profile (e.g., first and last name, picture, phone number). This information allows us to help you or others be "found" on Instagram.
3. User Content (e.g., photos, comments, and other materials) that you post to the Service.
4. Communications between you and Instagram. For example, we may send you Service-related emails (e.g., account verification, changes/updates to features of the Service, technical and security notices). Note that you may not opt out of Service-related e-mails."

"Metadata:
Metadata is usually technical data that is associated with User Content. For example, Metadata can describe how, when and by whom a piece of User Content was collected and how that content is formatted. Users can add or may have Metadata added to their User Content including a hashtag (e.g., to mark keywords when you post a photo), geotag (e.g., to mark your location to a photo), comments or other data. This makes your User Content more searchable by others and more interactive. If you geotag your photo or tag your photo using other's APIs then, your latitude and longitude will be stored with the photo and searchable (e.g., through a location or map feature) if your photo is made public by you in accordance with your privacy settings."

"We may also share certain information such as cookie data with third-party advertising partners. This information would allow third-party ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you... We may remove parts of data that can identify you and share anonymized data with other parties. We may also combine your information with other information in a way that it is no longer associated with you and share that aggregated information."

The new policy does not seem to mention exactly how Instagram may manipulate (e.g., add, delete, merge) the metadata attached to your photographs with other data elements (e.g., mobile geolocation data). That is important to know given a recent lawsuit about alleged unannounced and unauthorized data collection, retention, and tracking involving its mobile apps.

The information in this blog post is not legal advice. If you are concerned about the new policies, get legal advice from an attorney. I am not an attorney.

California AG Issues Report With Privacy Guidelines For Mobile App Developers

Earlier this monthy, California Attorney General Kamala D. Harris issued privacy guidelines for mobile app developers and other companies in the mobile industry to better protect consumers. The new guidelines are part of the State's Privacy Enforcement and Protection Unit. Why the California AG devloped these guidelines:

"... 85 percent of American adults have a cell phone, 45 percent a smart phone, 61 percent a laptop, 25 percent a tablet computer, and 18 percent an e-book reader. Over half of adult cell phone owners use the Internet on their phones, twice the rate in 2009. And nearly one third of cell owners report that their phone is the primary, or only, way they access the Internet... there are more than a million apps available on the primary mobile platforms, and more than 1,600 new apps are added daily... many mobile apps did not provide users with privacy policy statements at all..."

And, experts expect millions of consumers will be affected by mobile threats and mobile malware. This is not a surprise since mobile devices uniquely combine several types of valuable information on a single computer: personal and business email, business documents, personal and business contacts, calling history, text messages, passwords for social networking sites, video, photos, audio, browser history, app history, and your GPS locations by date and time.

The general guidelines:

"For App Developers:
1. Start with a data checklist to review the personally identifiable data your app could collect and use it to make decisions on your privacy practices.
2. Avoid or limit collecting personally identifiable data not needed for your app's basic functionality.
3. Develop a privacy policy that is clear, accurate, and conspicuously accessible to users and potential users.
4. Use enhanced measures -- "special notices" or the combination of a short privacy statement and privacy controls -- to draw users' attention to data practices that may be unexpected and to enable them to make meaningful choices.

For App Platform Providers:
1. Make app privacy policies accessible from the app platform so that they may be reviewed before a user downloads an app.
2. Use the platform to educate users on mobile privacy.

For Mobile Ad Networks:
1. Avoid using out-of-app ads that are delivered by modifying browser settings or placing icons on the mobile desktop.
2. Have a privacy policy and provide it to the app developers who will enable the delivery of targeted ads through your network.
3. Move away from the use of interchangeable device-specific identifiers and transition to app-specific or temporary device identifiers.

For Operating System Developers:
Develop global privacy settings that allow users to control the data and device features accessible to apps.

For Mobile carriers:
Leverage your ongoing relationship with mobile customers to educate them on mobile privacy and particularly on children's privacy."

For each general guideline, the document contains specifics. California led the nation with data breach notification laws to inform and protect consumers. The new guidelines, while not legally binding, are consistent with this leadership.

Items I hoped the guidelines would have contained, but didn't:

• Don't build apps that upload consumers' entire address books. You don't need all of their information. You may want it, but you don't need it. A small porton of their contacts use your app.
• Data plan consumption estimates. Auto manufacturers provide consumers with mileage estimates (e.g., city, highway) for their products. App developers should provide similar estimates (e.g., low use, high use) if their apps are bandwidth hogs or operate frequently in the background
• Use plain English whenever possible for privacy statements and terms of usage statements
• Streamline and consolidate privacy statements whenever possible. Currently, consumers must read and wade through at least six privacy statements
• Be transparent and explicit about how you treat metadata with documents, videos, and photos. Consumers have a right to know what metadata elements you use, delete, and add to their assets.
• Be transparent and explicit with the list of affiliates or partners you share consumers' personal information with. That includes cloud vendors.
• Be explicit about the assistance (if any) you provide uses when your app is hacked, or when the transacton flow that supports your app is hacked.
• For additional services, consumers must opt in and register. Don't auto include consumers
• Guidelines for banks. Some banks develop apps and are covered. Others are part of the transaction flow that enables the app (e.g., payments)

Download the "Privacy On The Go" report (Adobe PDF, 2.27 Mbytes) by the California Attorney General.

Lawsuit Claims Instagram Performed Data Collection, Retention, And Tracking Via Its Mobile App Without Notice Or Users Consent

While Instagram, the popular photo-sharing website, made a fast retreat last month after releasing new Terms of Service and Privacy policies, it appears that there are more issues. During the holidays last month, a class-action lawsuit was filed against Instagram claiming unauthorized data collection, retention, and tracking via the photo sharing site's mobile app.

The complaint alleges that Instagram uploaded via its mobile app users' entire address books, accessed and modified both the geolocation and meta data in users' photos uploaded, collected and stored users' fine geolocation data, accessed users' data stored within Amazon-provided cloud-based services, and distributed users' sensitive personal data to third-party companies without notice nor consent. The complaint alleged that Instagram:

"... used Plaintiff's and Class Members' computing devices to access, use, disclose, retain, and store personal information ("PI"), personal identifying information ("PII"), and/or sensitive identifying information ("SII") derived in whole, or part, from Plaintiff and Class members' computing devices' contact address book, aggregating such data derived from the unauthorized access to, and use of Plaintiff and Class members' photo metadata, for purposes not granted..."

There is more. The complaint also states that the plaintiffs:

"... were unaware of the harm that would be imposed... including use, retention, and storage of their computing devices contact address data, installation of geo-tags for tracking, the misappropriate of their Mobile Device resources and bandwith... [the plaintiffs] had not knowledge that contact book data was obtained and stored on Defendant's servers and/or third-party servers, such as on Amazon EC2's remote servers and was stored in an unreasonably insecure manner contrary to accepted standards... [the plaintiffs] did not consent to having their data collected by Defendant. Had [the plaintiffs} known of Defendant's practices, they would not have downloaded its app..."

Of course, mobile apps that consume large amounts of consumers' data plan minutes are undesirable, and consumers should be provided with warnings by these apps. The suit was filed December 27, 2012 in Northern California District Court by attorneys Parisi & Havens LLP, Strange and Carpenter LLP, and the Law Office of Joseph H. Malley, P.C.. Recently, Facebook purchased Instagram in 2012 for $1 billion.

While reading the complaint, I recognized Malley's name, since he is often referred to as a "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, these attorneys know what they are doing.

For the lead plaintiff, Steven Gutierrez, the alleged data collection, retention, and tracking by Instagram affected his minor child and warnings weren't timely enough for consumers who registered and installed the Instagram app early on:

"... ignoring the intent of [the plaintiffs] that used Defendant's application to up upload and/or take photos using Defendant's application and also creating a digital dataset, link to their exact location, posted to a publicly accessible form that revealed their exact fine GPS settings, violating not only their privacy rights, but also posing a security risk, as evidenced by Plaintiff Steven Gutierrez, with his one year old daughter, pictured above, that included within the photo's metadata, the exact location where the picture was taken, his home, and a detailed map of the home's exact location... Defendant failed to adequately disclose, or obtain permission for such activities, evidenced by failing to provide a Terms of Service or Privacy Policy within its application or website for a period in excess of a year after its initial operation... Defendant's access to, deletion, modification, and use of Plaintiff and Class Members' metadata within their photos, was without notice or authorization, and is evidenced by an analysis of the photo metadata at various stages. In order to view such activity, a software program is required, such as the one at [Jeffrey's EXIF Viewer]... Defendant's alteration of the digital content's metadata, in addition to the inclusion of fine GPS actual coordinates, provided a Unique Identifier..."

Photo metadata includes a lot of descriptive information, including but not limited to a photo description (e.g., title, subject, tags, comments), author, date and time created, copyright information, image description (e.g., dimensions, resolution, color details, compression), camera description (e.g., make, model, F-stop, exposure, flash mode, zoom setting, lens maker, lens model, serial number, EXIF version), and file information (e.g., date created, date modified, file type, file name, size, attributes, owner, computer name). From photo metadata, a company can tell a lot about you, your purchases, and your lifestyle.

If Instagram adds fine geolocation data to photos after upload, then this is very troubling. For privacy reasons and safety, many consumers turn off the camera setting on their smart phones that automatically adds GPS data to each photo and video taken. By re-adding this geolocaton data later to photos/videos uploaded, Instragram is overriding and ignoring users' privacy choices, and enabling tracking of consumers in the real world.

The complaint is rich with detail. Of course it provides background information on the Instagram service, its mobile apps, and usage terms/policy. The complaint also includes information about the public outcry about the new usage terms/policy which it later reversed, smart phone technologies, online tracking, cloud computing, photo metadata, and U.S. Congressional correspondence about app privacy. About the data collection, the complaint states:

"Defendant did not deny it had obtained Plaintiff's and Class Members' contact address data, but attempted to diminish the impact of its public relations nightmare by providing an immediate "Mea Culpa," of sorts, staying out of the press, and quietly adding a new pop-up requesting user authority to obtain contact address data information all users... Defendant's public response that it's activities were a common practice was without merit upon review of the app store guidelines..."

For consumers, letting mobile apps upload your entire address book is a bad idea for several reasons. First, the contact data is valuable to spammers and identity criminals because both issue fake messages (e-mail or text) pretending to be a relative or friend to trick consumers to making payments or disclosing other sensitive data. Second, many consumers use their smart phones for both business and pleasure. That means, the data collected contains valuable business contacts, useful to both advertisers and spies -- a corporate espionage risk.

I really like how the complaint describes in great detail the damages with specific dollar amounts for affected smart phone users. The lawsuit also highlights the issue of who ultimately controls image (e.g., photograph, video) metadata -- the consumer or the social networking service.

View the Gutierrez et. al. vs Instagram Inc. complaint (Adobe PDF, 1.8 Mbytes). Learn more about:

• Amazon Web Services
• How Facebook handles photo metadata
• A new web app by students at Rutgers University that combines Google Street View with GPS metadata from photos uploaded to Instagram to track where photos were taken

FTC Amends Rules Regarding Data Collection Of Personal Information Of Minors

Last month, the U.S. Federal Trade Commission (FTC) clarified and strengthened its rules regarding the collection of personal data of minors under the age of 13. In its announcement, the FTC stated:

"1. Modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
2. Offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
3. close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
4. Extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
5. Extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
6. Strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential
7. Require that covered website operators adopt reasonable procedures for data retention and deletion; and
8. Strengthen the FTC’s oversight of self-regulatory safe harbor programs.

The new rules become effective July 1, 2013. The rules are part of the Children's Online Privacy Protection Act (COPPA) enacted in 1998. The COPPA rules include personal information elements such as the child's full name, home address, email address, telephone number, or any other information that would allow someone to identify or contact the child. As they should, the new rules add more data elements. The FTC stated in its blog:

"The definition of personal information now includes geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice. Also covered: persistent identifiers that can be used to recognize a user over time and across different websites or online services. But there’s a notable exception: COPPA’s parental notice and consent requirements don’t kick in if the identifier is used solely to support the internal operations of the site or service."

It strikes me that the above exception, or loophole, could be used to avoid and abuse consumer information. Those "persistent identifiers" are key since they are used by the online advertising networks, and enable both online tracking and behavioral advertising. Plus, there is a long history of repeated abuse of consumers' sensitive personal information by companies using zombie cookies, Flash cookies, zombie e-tags, search hijacking, and leaky apps on mobile devices. In September 2012, the FTC issued guidelines for mobile app developers.

Companies are advised to watch the FTC Children's Privacy page for additional updates.

In an ideal world, COPPA rules would not stop at age 13, but extend to age 18, the usual age of majority. It would have been better if the amended COPPA rules explicitly mentioned facial recognition.

FTC Report On Mobile Apps For Children: Insufficient Privacy Disclosures

In February 2012, the U.S. Federal Trade Commission (FTC) published its first report on mobile apps for children, after surveying apps in both the Google Android and Apple app stores. That report found that apps provided little or no information for parents about privacy disclosures of the apps. It also called upon all companies in the children's app ecosystem -- app developers, app stores, and third parties -- to provide better disclosures regarding data collection and privacy practices.

In December 2012, the FTC published its second report, which went further than the first report by testing some apps against their state privacy policies. The FTC found:

"... many apps included interactive features or shared kids’ information with third parties without disclosing these practices to parents... Since the first kids’ app report was issued, the market for mobile apps has continued to grow at an explosive rate, providing many benefits and conveniences to consumers. As of September 2012, there were over 700,000 apps available in Apple’s App Store, a 40% increase since December 2011, and over 700,000 apps available in Google Play, an 80% increase since the beginning of 2012."

The survey found that apps still aren't providing sufficient privacy disclosures:

"... parents still are not given basic information about the privacy practices and interactive features of mobile apps aimed at kids. Indeed, most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data. Even more troubling, the results showed that many of the apps shared certain information – such as device ID, geolocation, or phone number – with third parties without disclosing that fact to parents. Further, a number of apps contained interactive features – such as advertising, the ability to make in-app purchases, and links to social media – without disclosing these features to parents prior to download."

The survey methodology included a search in each app store for children's apps, a review of the first 480 pages of search results, and the random selection of 200 apps from each app store for a close evaluation. That evaluation included a review for privacy disclosures on each app's promotion page, within the app itself, and the app developer's website. The evaluation included a test of each selected app to determine:

"... whether they contained certain interactive features and whether they collected or transmitted any information from the mobile devices they were tested on... nearly 60% (235) of the apps reviewed transmitted device ID to the developer or, more commonly, an advertising network, analytics company, or other third party... only 20% (81) of the apps reviewed disclosed any information about the app’s privacy practices... 58% (230) of the apps reviewed contained advertising within the app, while only 15% (59) indicated the presence of advertising prior to download. Further, 22% (88) of the apps reviewed contained links to social networking services, while only 9% (36) disclosed such linkage prior to download. In addition, 17% (66) of the apps reviewed contained the ability to make purchases for virtual goods within the app, with prices for each purchase ranging from $0.99 in apps from both app stores, to $9.99 for Google Play apps and $29.99 for Apple store apps..."

An encouraging sign is that consumers and parents are getting the message and flexing their muscle in the marketplace:

"... a recent Pew study found that 54% of app users decided not to install an app once they discovered how much personal information the app would collect. The study also showed that 30% of app users have uninstalled an app that was already on their cell phone because they learned that the app was collecting personal information the users did not wish to share. Consistent with these findings, a recent study by the Berkeley Center for Law and Technology showed that most consumers consider the information on their mobile devices to be private..."

Actions that the FTC to address the lacka of privacy disclosures:

1. Urge app developers to include privacy disclosures by design in mobild apps and provide guidelines,
2. Provide consumers and parents with educational information to help them navigate the mobile app market,
3. Starting investigations to determine if specific apps have violated the Childrens Online Privacy Protection Act (COPPA), and
4. Conduct a third survey of the childrens mobile app market

Download the FTC report: Apps For Kids; Still Not Making The Grade (Adobe PDF, 1.1 Mbytes).

A Smart Phone Gift And A Teachable Moment

Did you buy a smart phone or tablet as a Christmas gift for your child or grandchild? Smart phones are very popular gift items. A recent survey found that about 37% of shoppers planned to buy smart phones as gifts for the holidays.

Last week, an 11-year-old student in my tai chi class mentioned that his mother had purchased an iPhone 5 for him as a Christmas present. After hearing this comment, I began to wonder what I would teach an 11-year-old to prepare him/her to use a smart phone wisely to protect their self online... without over-sharing nor running up a huge monthly bill.

I didn't have to search far nor long. Blogger Janell Burley Hofmann developed a contract when she gave her 13-year-old a new iPhone as a Christmas gift. Hofmann's contract clearly outlines both her terms of the gift and her expectations of her teenager. This makes excellent sense. Some notable items from Hofmann's contract:

"1. It is my phone. I bought it. I pay for it. I am loaning it to you. Aren't I the greatest?
2. I will always know the password.
3. If it rings, answer it. It is a phone. Say hello, use your manners. Do not ever ignore a phone call if the screen reads "Mom" or "Dad." Not ever."

Some of the items on the list are obvious:

"7. Do not use this technology to lie, fool, or deceive another human being. Do not involve yourself in conversations that are hurtful to others. Be a good friend first or stay the hell out of the crossfire.
8. Do not text, email, or say anything through this device you would not say in person.
9. Do not text, email, or say anything to someone that you would not say out loud with their parents in the room. Censor yourself.
10. No porn. Search the web for information you would openly share with me. If you have a question about anything, ask a person -- preferably me or your father...
18. You will mess up. I will take away your phone. We will sit down and talk about it. We will start over again. You and I, we are always learning. I am on your team. We are in this together."

I like that Hofmann has included a no-sexting clause, since many teens now use Snapchat (instead of Facebook.com) thinking that those risky photos disappear, but they don't:

"12. Do not send or receive pictures of your private parts or anyone else's private parts. Don't laugh. Someday you will be tempted to do this despite your high intelligence. It is risky and could ruin your teenage/college/adult life. It is always a bad idea. Cyberspace is vast and more powerful than you. And it is hard to make anything of this magnitude disappear -- including a bad reputation."

Readers of the I've Been Mugged blog may remember smart phone insurance issues encountered by some consumers. So, it makes sense to clarify what happens if/when the smart phone breaks:

6. If it falls into the toilet, smashes on the ground, or vanishes into thin air, you are responsible for the replacement costs or repairs. Mow a lawn, babysit, stash some birthday money. It will happen, you should be prepared."

Items I would add to the any smart phoone or tablet contract for a teenager:

19. You will receive spam via email, text messages, and at social networking websites. Learn how to recognize spam.

20. To avoid using up all of your monthly calling minutes, you will likely be tempted to use the WiFi setting on your smart phone instead. This means you will also be tempted to use public WiFi hotspots, which could make your smart phone vulnerable to malware and computer viruses. Don't. You can use our password-protected home WiFi. If you want to use public WiFi hotspots, you will ask your parents first for a VPN software recommendation.

21. You will install an anti-virus app to protect your smart phone just like this software protects your laptop computer. You will learn how to use that anti-virus software and keep it up-to date.

22. Learn how to read the Privacy Policy and Terms and Conditions Policy at websites. If you don't understand or don't like the policy at a website, don't use that website and don't register at that website, no matter how popular you think it is.

23. Read the Privacy Policy and Terms and Conditions Policy before installing a mobile app. If an app doesn't have a policy, don't install nor use that app. If you don't understand or don't like an app's policy, don't install that app on your smart phone and don't use it.

24. Know the full price of an item or service, including any fees, before making an online purchase with your smart phone. If you are unsure what the price is, don't buy it. If the price is more than $10, get the approval of me or your father, first. If the price is less than $10, you will pay for it out of your weekly allowance.

What do you think of Hofmann's smart phone contract for her teen? What items would you add?