Consumer Reports Reviews Facebook And How To Use It Safely

If you haven't read it, there is a good review by Consumer Reports of the Facebook social networking website. The news media has focused on some of the controversial aspects of the report. For example, CNN reported, like many other news organizations, the survey finding that about 25 percent of Facebook users lie about information in their Facebook profile to protect their identity.

While lying about profile information may seem like an effective privacy strategy, the Consumer Report review of Facebook highlights the various ways Facebook tracks its members. Some Facebook members have made conscious choices to share personal data, and do so in status messages, sharing items, and commenting upon others' status messages. Yet other tracking methods exist.

The Consumer Reports review is a good reminder that its members are the products:

"... the company uses your data to help advertisers deliver ads that you may find useful. Suppose, for example, that you have “liked” the San Francisco 49ers page, or simply posted comments about football. You shouldn’t be surprised to see ads in the margins for football tickets, fan paraphernalia, and the like. Facebook does not share any of your information with advertisers that buy those ads unless you give permission. If you click the ad and purchase something, the advertiser obviously learns who you are. And even if you simply “like” a brand page, the company can automatically send posts to your account."

One tracking method is the facial-recognition software used to "tag" (e.g., identify) people (and places) in both photos and videos. Members who aren't careful to turn off the geo-tagging feature in their smart phones or tablets will provide even more personal data with photos and videos uploaded to Facebook.

Another method are the Facebook apps member use for music, news, and games -- which are loosely managed by Facebook:

"... according to Kevin Johnson, security consultant at Florida-based Secure Ideas, who has developed apps and tests their security. The sole credential needed to create an app is a verified Facebook account, including a cell phone number or credit card. And the company doesn’t have to review your source code (programming instructions) before it goes live..."

So, there seems to be little to no verification of apps for security or compliance when those apps have a privacy policy.

A method Facebook uses to track both members and non-members includes those "Like" buttons you have see on websites across the Internet:

"... Facebook keeps track of the other websites [its members] visit. That happens via the “Like,” “Recommendations,” and similar buttons that so many sites include. In addition to reporting your presence, the “Like” button sends along the date and time of your visit and your IP address, whether or not you click on it. The company has acknowledged that this happens even when Facebook users are logged out, a practice that had prompted class-action lawsuits in the U.S. If you’re logged in to Facebook, it can collect even more data. The company also said that it collects data from people who are not its users and have never visited its site..."

The review is also a good reminder of the scope of data Facebook collects:

"... thanks in large part to Max Schrems, a 24-year-old Austrian law student who managed to get a fuller copy of his personal information last year from Facebook's Dublin office, which oversees relations with users outside the U.S. and Canada. Schrems was surprised to discover, among the 1,222 pages of data covering three years of Facebook activity, not only deleted wall posts and messages, some with sensitive personal information, but e-mail addresses he’d deleted and names he’d removed from his friends list... Facebook collects the same type of detailed information on American users, as confirmed by documents it released to Boston police during their investigation of Philip Markoff..."

If you want to learn more about Schrems, visit Europe Versus Facebook. The review ends with a list of nine ways consumers can use Facebook (and similar social networking sites) safely:

"1. Think before you type. Even if you delete an account (which takes Facebook about a month), some info can remain in Facebook’s computers for up to 90 days.

3. Protect basic information. Set the audience for profile items, such as your town or employer. And remember: Sharing info with “friends of friends” could expose it to tens of thousands.

4. Know what you can’t protect. Your name and profile picture are public. To protect your identity, don’t use a photo, or use one that doesn’t show your face.

5. “UnPublic” your wall. Set the audience for all previous wall posts to just friends.

7. Block apps and sites that snoop. Unless you intercede, friends can share personal information about you with apps. To block that, use controls to limit the info apps can see."

Read the complete review of Facebook.com by Consumer Reports.

The 3 Horsemen Of the Apocalypse

Learn more about the impacts of "Big Money."

Class Action Suit Filed Against Path Claims More Data Was Collected Besides Address Books

A second class-action lawsuit was filed against Path Inc. claiming the company's mobile app collected more infromation than just users' address books. The suit also calimed that users of the Path app were:

"... victims of unfair, deceptive, and unlawful business practices; wherein their property, privacy, and security rights were violated..."

The additional data allegedly collected without notice and without consent included find GPS locations, users' personally identifiable information, and the personal information of minor children.

The suit claims that the information collected was distributed to other companies with notice or consent, and that tracking methods were added to users digital information:

"Affix to Plaintiff's and Class members' digital content, referencing photos, videos, and audio files, without notice or authorization tracking mechanisms and information... "filtering" of digital content by installation of geo-tags for tracking, interception and monitoring of social network interactions... that third-party social network interactions would be monitored and then transmitted, used, disclosed, and stored on path's servers..."

The suit claims that Path stored address book information is an insecure manner. By February 2012, Path reportedly had about 2 million users.

The suit was filed in Northern District Court of California by attorneys Strange & Carpenter of Los Angeles, and Joseph Malley of Dallas. Readers of this blog recognize Malley, often referred to as a "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Hulu.com and KISSmetrics ("zombie E-Tags"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, Malley has plenty of experience with online privacy and tracking issues.

You can download the Hernandez et al v Path Inc. complaint from Courthouse News (Adobe PDF).

A Privacy Bill Of Rights For Mobile Users

The Electronic Frontier Foundation (EFF) issued a statement calling for a bill of rights for wireless users. Because mobile devices are always on and store a vast amount of sensitive personal data (e.g., contacts, Internet usage, social networking website usage, GPS location, calendar, phone calls made and received, online banking, photographs, user-created documents, etc.), the EFF believes firmly that:

"... he stakes are even higher for manufacturers, carriers, app developers, and mobile ad networks to respect user privacy in order to earn and retain the ever-important trust of the public."

I agree with this position, and this blog has covered numerous instances where mobile device manufacturers, telecommunications providers, advertising networks, apps-store operators, and/or app developers working singularly or together have abused consumers' privacy. The EFF's proposed Mobile User Bill of Rights contains six items:

1. Individual control: Users have a right to exercise control over what personal data applications collect about them and how they use it. Although some access control exists at the operating system level in smart phones, developers should seek to empower users even when it's not technically or legally required by the platform. The right to individual control also includes the ability to remove consent and withdraw that data from application servers. The White House white paper puts it well: "Companies should provide means of with drawing consent that are on equal footing with ways they obtain consent. For example, if consumers grant consent through a single action on their computers, they should be able to withdraw consent in a similar fashion."

2. Focused data collection: In addition to standard best practices for online service providers, app developers need to be especially careful about concerns unique to mobile devices. Address book information and photo collections have already been the subject of major privacy stories and user backlash. Other especially sensitive areas include location data, and the contents and metadata from phone calls and text messages. Developers of mobile applications should only collect the minimum amount required to provide the service, with an eye towards ways to archive the functionality while anonymizing personal information.

3. Transparency: Users need to know what data an app is accessing, how long the data is kept, and with whom it will be shared. Users should be able to access human-readable privacy and security policies, both before and after installation. Transparency is particularly critical in instances where the user doesn’t directly interact with the application (as with, for example, Carrier IQ).

4. Respect for context: Applications that collect data should only use or share that data in a manner consistent with the context in which the information was provided. If contact data is collected for a "find friends" feature, for example, it should not be released to third parties or used to e-mail those contacts directly. When the developer wants to make a secondary use of the data, it must obtain explicit opt-in permission from the user.

5. Security: Developers are responsible for the security of the personal data they collect and store. That means, for example, that it should be encrypted wherever possible, and data moving between a phone and a server should always be encrypted at the transport layer.

6. Accountability: Ultimately, all actors in the mobile industry are responsible for the behavior of the hardware and software they create and deploy. Users have a right to demand accountability from them.

The industry would be well advised to comply now with this bill of rights, rather than wait, deflect, and avoid. It can simply look at the airline industry as an example of what happens when an industry abuses it customers, loses the public's trust, and is then forced to comply with a airline passengers bill of rights.

High Value Targets

FTC Survey: The Good And Bad Experiences Of Identity-Theft Victims With Consumer Reporting Agencies

The U.S. Federal Trade Commission (FTC) released the results of its survey of consumers who had reported to the FTC that they were identity-theft victims. The survey assesses consumers experiences with recovering from identity theft and contacting the national consumer reporting agencies (CRAs). The survey also assesses how consumers exercise their rights under the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA - 2003).

Overall findings:

• 68% of survey respondents were somewhat or very satisfied with their overall experiences with the national consumer reporting agencies (e.g., Equifax, Experian, and TransUnion), but many consumers said it was difficult to reach a live person.
• Less than half of the respondents were aware of most of their rights under FACTA before they contacted the consumer reporting agencies.
• Few consumers exercise their right to block selected information in their credit reports from identity theft and fraud, since most consumers (78%) don't know about this right
• Some respondents complained about feeling pressured to buy additional identity theft monitoring products when they called the consumer reporting agencies.

FACTA gave consumers the right to:

• Pace Fraud Alerts on their credit file with the nationwide CRAs,
• Request a free credit report from each of the three national CRAs when placing a fraud alert,
• Block fraudulent information from appearing in their credit reports,
• Receive a notice of these and other rights from the CRAs

When placing a fraud alert, consumer only need to contact one of the three national CRAs. After successfully placing a Fraud Alert on their credit file with one CRA, most of the time the other two CRAs will automatically add Fraud Alerts to the consumer's file on their systems. When requesting a Fraud Alert, consumers can also request a free copy of their credit report. Survey results about Fraud Alert and free credit report requests:

• 44% of survey respondents were not aware before contacting a CRA of their right to place a Fraud Alert on their credit file. Despite this, 85% of respondents ultimately requested a Fraud Alert on their file.
• When requesting a Fraud Alert, 58% of survey respondents reported that all three national CRAs placed alerts when requested. 36% of respondents were unsure what happened, and 6% reported that at least one CRA didn't place a Fraud Alert.
• 44% of respondents who requested a Fraud Alert said they were very satisfied with the process, 32% said they were somewhat satisfied, and 17% said there were either somewhat or very dissatisfied with the process.
• Most survey respondents (56%) requested their free credit report (when placing a Fraud Alert) by telephone, compared to the website (33%), and postal mail form (14%).
• Most (51%) said that they received their free credit report from all CRAs they contacted, while 33% stated that they received it from only some of the CRAs they contacted. 11% said that they did not receive any credit reports.
• 43% of respondents said that they were very satisfied with the process of requesting free credit reports after placing a fraud alert. 32% said that they were somewhat satisfied. 22% said that they were either somewhat or very dissatisfied.

Errors occur in credit reports, either from identity fraud or from honest mistakes by the CRA or lender. Consumers can dispute this erroneous data and demand that it be removed or corrected. Survey results about credit report accuracy:

• Most survey respondents (60%) were aware before contacting a CRA that they had the right to challenge the accuracy of information on their credit report.
• 36% of respondents who contacted a CRA disputed the accuracy of information on their credit report in connection with the identity theft that led to the contact. Of those who disputed information, 72% filed disputes with a CRA and while 46% contacted the creditor that provided the information to the CRA.
• The types of credit report information disputed: 47% challenged identification and employment (47%), payments (48%) about a specific debt, and unauthorized lenders who obtained their credit report (40%).
• Of survey respondents who disputed information in their credit reports, 52% said that the information was corrected or removed, 22% said that the information was not corrected, and 18% said that they were not sure what happened.
• Of survey respondents who had information corrected by the CRA, 42% said that the error was corrected after a single contact. 27% said the error was corrected after two contacts. 24% said the correction required three to five contacts, and 4% said they contacted the CRA six or more times.
• Of survey respondents who disputed information in their credit reports, most (57%) said that they were either very or somewhat satisfied with the process. 17% said that they were somewhat dissatisfied, and 21% said that they were very dissatisfied.

Consumers can block certain information within their credit reports that resulted from identity theft and fraud. Blocks are different from disputes. CRAs must respond within four (4) days after receiving a valid request to block certain data in a credit report. Survey results about blocking fraudulent information:

• Of survey respondents who contacted a credit reporting agency, 78% were not aware of the right to block information in the credit file. Few survey respondents (21%) exercised this right to block the reporting of information resulting from identity theft.
• Of those who requested that information be blocked, 46% said that all CRAs blocked the information. 18% said that some of the CRAs blocked the information, and 9% said that none of the agencies blocked the information.

The FTC concluded in its report (bold emphasis added):

"Despite the 68% general satisfaction rate with the CRAs, the survey reveals three areas where respondents faced difficulties in exercising their FACTA rights. First, one prominent complaint was the difficulty in reaching a representative at a CRA with whom to speak about identity theft. Many respondents said that it was difficult or impossible to move past the automated response system... Second, the survey results suggest that a relatively small number of identity theft victims are aware of their FACTA rights. Less than half of the respondents were aware of most of their rights prior to contacting the CRAs. Even for the most well-understood right – disputing inaccurate information – only 60% of respondents who contacted a CRA were aware of this right prior to contacting the CRA... Third, both the survey respondents and the focus groups raised concerns about the CRAs using consumer contacts about identity theft as an opportunity to sell identity theft protection products. Several respondents and focus group participants complained that they felt pressured to buy one or more products and that, in some cases, they received services that they did not want or need."

The FTC sent survey invitations to about 3,000 consumers who had previously reported to the FTC hotline that they were identity-theft victims. The survey questions were based on six focus groups conducted in 2009. 634 consumers responded. The FTC maintains the anonymity of all survey respondents. Download the FTC, Using FACTA Remedies Report (Adobe PDF - 4.9 M Bytes), which is also available here.

Want to learn more? Suggested readings about credit and CRAs:

• Fraud Alert Renewal: Easy And Fast
• Placing a Freeze (Or Lock) On Your Credit Files
• Fraud Alert or Credit Freeze: What's The Difference?
• Are Fraud Alerts Useless?
• Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms (Part One)?
• Have You Heard About Credit Reports From Innovis?
• Directory Of Credit Reporting Agencies
• What It Means To Have An Unrequested Security Freeze On Your Credit Report
• A Primer On Credit Scores
• FTC Testifies Before Congress About Identity Theft And Fraud
• FTC Changes Disclosure Rules For Sites Offering "Free" Credit Reports
• FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

National Consumer Protection Week

March 4 - 10, 2012 is national Consumer Protection Week (NCPW). About 30 federal agencies and the U.S. Federal Trade Commission (FTC), plus consumer groups, state, county, and local government agencies are participating with the goal to:

"... focus attention on the importance of consumer information and provide people with free resources explaining their rights in the marketplace."

During the week, various groups will share information and tips about how to:

• Avoid identity theft, and scams,
• Protect your privacy, and
• Manage your money

NCPW began 14 years ago. The website has materials in both English and Spanish. David Vladeck, Director of the FTC's Bureau of Consumer Protection, said:

"The information on NCPW.gov can help consumers understand their rights, protect their privacy online and off, manage credit and debt, avoid identity theft, recognize foreclosure rescue scams, and report fraud... Visitors can download and print materials to share with friends and neighbors, or use the toolkit to plan a larger community event."

To learn more, visit NCPW.gov.

FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

Earlier this week, the U.S. Federal Trade Commission (FTC) released its annual report of the leading complaints filed by consumers. During 2011, identity theft (again) led the list of complaints. This is the 12th consecutive year that identity theft has led the list:

Type of Complaint or Scam	Number	% Of Total
1. Identity Theft	279,156	15%
2. Debt Collection	180,928	10%
3. Prizes, Sweepstakes and Lotteries	100,208	6%
4. Shop-at-Home and Catalog Sales	98,306	5%
5. Banks and Lenders	89,341	5%
6. Internet Services	81,805	5%
7. Auto Related	77,435	4%
8. Imposter Scams	73,281	4%
9. Telephone and Mobile Services	70,024	4%
10. Advance-Fee Loans and Credit Protection/Repair	47,414	3%

Other notable findings:

• Fraud: 990k of the 1.8 million complaints were fraud-related. 68% of consumers reported a fraud complaint where they paid an amount. The total amount paid was $1.5 billion, and the median amount paid was $537. 43% of consumers were contacted via email. The five states with the highest per-capita fraud reported were Colorado, Delaware, Maryland, Nevada, and Virginia.
• Identity Theft: Government documents/benefits fraud (27%) was the most common form reported, followed by credit card fraud (14%), phone or utilities fraud (13%), bank fraud (9%), and employment fraud (8%). 45% of consumers reported they contacted local law enforcement. The five states with the highest per-capita identity theft were Florida, Georgia, California, Arizona, and Texas.
• Countries: the top five countries were the USA (80%), Canada (4%), the United Kingdom (4%), Nigeria (2%), and Jamaica (2%).
• Age: consumers that filed complaints during 2011 were ages 50-59 (23%), followed by ages 40-49 (20%), ages 30-39 (17%), ages 60-69 (15%), and ages 20-29 (15%).
• Military: members from all four branches plus the Coast Guard reported complaints. For this group, identity theft ranked as the number one complaint, followed by Debt Collection. Mortgage Foreclosure Relief and Debt Management ranked as fourth for this group, compared to 13 for all consumers.

During 2011, consumers submitted about 1.8 million complaints, an increase of 24% over 2010. All complaints submitted by consumers are collected in the FTC Consumer Sentinel Network database, which contains 30 different categories of complaints. Download the 2011 FTC Consumer Sentinel Network Data Book (Adobe PDF).

Consumers Adapt Their Social Media Use Given Privacy Concerns

Pew Internet recently released the results of a second quarter 2011 survey about consumers' usage of social networking web sites and privacy. The survey found that consumers are adapting their usage of social networking web sites given privacy concerns:

• 63% of survey respondents have deleted people from their “friends” lists, up from 56% in 2009,
• 58% of users restrict access to their profiles on social networking websites. More women (67%) do this than men (48%),
• 48% of users have had some difficulty managing their profile privacy settings on social networking web sites,
• 44% have deleted comments made by others on their profile,
• 37% have removed their names from photos that were tagged to identify them, and
• 11% have posted content they regret.

It will be interesting to see how much further adaptation occurs in next year's survey results, since users will have had more time to use features, like the Timeline feature from Facebook. I have talked with consumers who use the Timeline feature to delete harmful archived status messages, since employers now use social networking web sites to screen job applicants, to determine credit worthiness, and to evaluate insurance worthiness.

Some consumers use the new Facebook Profile Preview feature to screen and reject their friends' attempts to tag them in status messages and photographs. That seems very wise since too many users (42% total) don't restrict access to their profiles.

Should companies use social networking websites for financial, insurance, and employment screening uses? That's debatable, but the reality is that companies use the data anyway for screening, and the social networking sites are happy to make more money. My advice: prune your profile of harmful archived posts, and don't post anything at a social networking web sites that you don't want read/shown in court.

How Companies Analyze Your Spending And Habits

Two really good news article explain how companies analyze consumers spending and social networking activity. I highly recommend that you read both articles.

The Forbes magazine article, "How Target Figured Out a Teen Girl Was Pregnant Before Her Father Did," summarized very well the problematic behavior of many corporations and retailers. To get a jump on its competitors, Target extensively analyzed -- perhaps better than most retailers -- its customers' purchases and attached undisclosed demographic data to each customer's identification number to mathematically predict what customers might by.

The prediction formulas were so good, Target was able to mathematically deduce from past purchases that this teen girl was pregnant and send coupons to her home -- all before the teen told her parent of the pregnancy:

"What Target discovered fairly quickly is that it creeped people out that the company knew about their pregnancies in advance... So Target got sneakier about sending the coupons. The company can create personalized booklets..."

These personalized coupon books were an attempt to hide the fact that Target knew so much, and disguise that knowledge by presenting both coupons not related to pregnancy with coupons that were related:

"... we learned that some women react badly... Then we started mixing in all these ads for things we knew pregnant women would never buy, so the baby ads looked random... we found out that as long as a pregnant woman thinks she hasn’t been spied on, she’ll use the coupons. She just assumes that everyone else on her block got the same mailer..."

One of my friends called Target's behavior "untethered stupidity" to market pregancy products to a teenager. Yes, that was incredibly stupid, and was likely enabled by its rush to make money. Some of my friends were surprised at the content of the above Forbes article. I wasn't surprised because of the amount of personal information shared:

• Consumers share on social networking websites the items (e.g., products, services, television/cable shows, music) products we like or prefer,
• Banks regularly collect and resell both debit-card and credit-card purchases,
• Consumers share on social networking websites a wide variety of sensitive personal data (e.g., birth date, children's names and ages, list of relatives). The full birth date makes it easy for data brokers and advertisers to distinguish several people with the same name,
• Consumers share product preferences and travel vacation habits through loyalty program memberships,
• State motor vehicle registries regularly sell drivers' data to companies and data brokers. That includes the car, from which marketers can deduce your wealth, favorite color, and when to pitch extended auto warranty service plans,
• Data brokers like Spokeo and Acxiom compile consumers' demographic data from public records and social networking websites, which retailers can purchase,
• Leaky entertainment, quiz, and gaming apps on social networking websites regularly collect consumers sensitive personal data,
• Leaky smartphone apps regularly collect consumers' sensitive personal data, they often shouldn't. The lack of privacy policies with these apps mean the app developers are free to sell the personal data collected.

What might that undisclosed demographic data be? It's pretty easy to deduce or infer:

• Name, address, age from the store loyalty program registration
• Income from any store credit cards, loyalty program registrations, surveys, or average purchase history over time (e.g., wealthy people spend more, less wealthy purchase more with coupons)
• Favorite colors from the colors of clothes purchased
• Left-handed preference from types of products purchased
• Personal preferences from any product comments at the retailer's web site or products "liked" at social networking websites (purchased from data brokers)
• Type of vision from purchases (e.g., non-prescription sunglasses indicate good vision)
• Health issues (e.g., eczema, dry skin, dandruff) from the types of lotions and shampoos purchased
• Health issues (e.g., over-weight) by the size of clothes purchased or from retailers offering pharmacies and in-store clinics
• Durable goods (e.g., dishwasher, washing machine, gas or electric oven) used at home from purchases
• Auto and electronics owned from purchases, either the item or related accessories purchased
• Approximate ages of children by types of toys purchased or from photographs at social networking websites
• Where else you shop, based on GPS coordinates collected from any apps installed on your smartphone, or data purchased from mobile service providers
• Retail stores that use facial recognition cameras can track your shopping patterns (e.g., when where, duration), even when you pay with cash and left your GPS-enabled cell phone at home, and supplement this with demographic data from photos you are tagged in at social networking websites
• Any gaps in the above demographic data can easily be filled by data purchased from data brokers like Acxiom and/or ads run on social networking websites

The New York Times article, "How Companies Learn Your Secrets," includes a more detailed analysis, with how marketers look for "chunks" in consumers' behaviors to predict future purchases:

"This process, in which the brain converts a sequence of actions into an automatic routine, is called “chunking.” There are dozens, if not hundreds, of behavioral chunks we rely on every day. Some are simple: you automatically put toothpaste on your toothbrush before sticking it in your mouth..."

Some chunks are more complex; consider the series of behaviors women will perform to prepare for a pregnancy: purchase different clothes, lotions, and/or personal hygiene items. Now, think more broadly, because everyone's behaviors can be chunked. Not just women. The researchers found:

"... when some customers were going through a major life event, like graduating from college or getting a new job or moving to a new town, their shopping habits became flexible in ways that were both predictable and potential gold mines for retailers. The study found that when someone marries, he or she is more likely to start buying a new type of coffee. When a couple move into a new house, they’re more apt to purchase a different kind of cereal. When they divorce, there’s an increased chance they’ll start buying different brands of beer. Consumers going through major life events often don’t notice, or care, that their shopping habits have shifted, but retailers notice..."

And a baby definitely qualifies as a major life event.

Now, consider your past purchases. Advertisers value that so they can serve up different products at these major life events. Coombine this with your GPS location in the physical world, and it is a marketers dream: to know you shop every Saturday morning and then serve up ads on your smartphone before you arrive at the supermarket; or to serve up childrens toy and food ads before you shop for their birthday parties.

Maybe all of this doesn't bother you, or maybe it does. The bottom line: where you go in the world, what you purchase, and how much you consume are all pretty personal facts. Consumers should have control over when and with whom this personal data gets shared. If you choose to share everything, fine. Some of us feel and act differently.

Apple Says Path And Other iPhone Apps Violated Policy

A prior blog post discussed how a developer found the Path iPhone app collecting his contact information without notice nor consent. The All Things D blog reported a reply by an Apple spokesperson:

"Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines... We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."

Twitter, Hipster, and other apps that collected users' contact information also are modifying their processes to stop collection. The statement by Apple still doesn't explain why Apple did not reject apps that violate its policy from being sold in its app store. Nor does Apple seem to address the consequences for these violators.

The "working to make this even better" sounds disingenuous. Either an app violated the policy, or it didn't. Either Apple checks apps for compliance or it doesn't. There is no inbetween. One cannot be a little pregnant.

At press time, the Apple Press Info website section did not mention the above statement.

When Online Convenience Trumps Security

Recently, a coworker said to me that she definitely values convenience over security when it comes to using her mobile device and the Internet. To me, that is a false choice. Consumers can, and should, demand both.

iPhone App Uploads Users' Entire iPhone Address Books

An I've Been Mugged reader alerted me about this. In his blog, Arun Thampi has documented technically how the Path iPhone app uploaded his entire iPhone address book and contact information to its servers without notifying customers nor gaining their permission. Arun's described his experience:

"I was thinking of implementing a Path Mac OS X app... I started to observe the various API calls made to Path’s servers from the iPhone app. It all seemed harmless enough until I observed a POST request to https://api.path.com/3/contacts/add. Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path."

The comments section of the blog post includes a conversation between Arun and Dave Morin, CEO of Path. During the discussion, one user raises the relevant issues and questions:

"1. Why are you uploading the actual address book data, rather than (say) generating hashes of the user's email addresses locally, then uploading just those hashes... 2. Why wasn't this an opt-in situation to begin with? Isn't that against Apple's own T&Cs? 3. How can we have our contact information deleted from your servers, if we wish to do that?

It is good that Morin apologized on behalf of Path. He also wrote in the comment sectionr:

1. This is a good alternative solution which we'll look into. Thanks for the idea. 2. This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information... 3. As I mentioned in the previous answer, we are rolling out this functionality for 2.0.6. In the meantime, if you would like your data deleted from our servers please contact our service team at service@path.com..."

During the discussion, a user cites the relevant sections of the App Store's terms and conditions (Adobe PDF):

"I'd say that 17.1 and 17.2 of the approval guidelines specifically forbids what you are currently doing: 17.1: Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used. 17.2: Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected..."

The additional issues I see:

• Almost all of the comments are by people who aren't lawyers. I am sure that a lawyer will weigh in on this soon.
• The opt-out process Morin describe sounded cumbersome to me, as if it was created in haste after the fact. The system default never should have been to auto upload customers' entire phone books.
• It's great that Thampi found this problem. However, one should not have to be a computer programmer or website developer in order to verify that smartphone apps don't violate either the app developer's policies or the app store's policies.
• As social networking and app companies innovate, it is critical for the industry to figure out where the line is between users accepting data collection to enable convenience versus too much data collection. This makes it difficult to impossible to gain trust among users about the safety, security, and reliability of mobile device apps.
• I look forward to reading Apple's response about why it didn't reject the Path iPhone app.

Both C/Net and Wired summarized well the situation. C/Net said:

"Apple, of course, has learned the hard way that it needs to be strict about how iOS apps use, share, and distribute users' private data..."

And Wired said:

In fact, Facebook was caught doing the exact same thing that Path is currently taking heat for, over two years ago."

Why You Shouldn't Install Those Entertaining Apps On Facebook

There is an excellent Facecrooks blog post that explains the risks of installing most "fun and entertaining" apps on Facebook. First, you have to understand the extreme limitations of Facebook:

"... there is no formal review process for applications or developers on the Facebook platform. Anyone and everyone (scammers included) can create apps. This is far different from the “Walled Garden” approach taken by Apple. Many unsuspecting users might be under the impression that if it’s on Facebook then it must be legitimate. That is totally not the case."

Second, think long and hard before installing any app that requires you to give it permission to:

• Access all of the data in your Facebook profile
• Access all of your Facebook friends list
• Post as you
• Just because the app address starts with HTTPS doesn't mean it is safe
• Doesn't have a privacy policy
• Has a privacy policy you don't like

Third, it is wise for Facebook members to "like" Facecrooks and follow its posts, so you are aware of emerging threats and scams.

Slowly, More Consumers Consider Website Privacy Policies Before Buying

PC Pro recently reported the results of a recent Forrester Research study. Forrester surveyed 37,000 consumers in North America, and found that a growing percentage of consumers consider companies' website privacy policies in their decisions about whether to do business with a company:

"Websites need to rethink their privacy policies as consumers ditch those that hide data rules or leak information, according to research from Forrester. The analyst found that a growing number of consumers were reading how companies dealt with their privacy and voting with their feet if they didn’t like what they saw."

More than half of survey respondents over 55 years of age said that they refused to complete an online transaction because of the company’s terms of use or privacy policy. In 2008, 40% answered this question the same way.

The PC Pro article would have been more helpful if it linked directly to the Forrester Research report and included more facts. The Forrester research study found:

"Individuals see different types of data differently -- they're most worried about what we consider individual identity data, and far less concerned about the capture and use of their behavioral data... Most consumers are willing to share their data in exchange for value. But, what they consider "valuable" is very age-dependent..."

If the article had included examples of well-crafted privacy policies, this would help consumers learn about what to look for in privacy policies -- at websites, social networking websites, and with mobile-device apps. In 2011, the European Union Justice Commissioner described four pillars of online data privacy, which is a good start for any corporate privacy policy.

In 2008, a brief review of the privacy policy at Mint.com prompted a huge discussion on this blog -- that still continues today.

The Personal Data Elements Consumers Want To Keep Private Online

At the All Things D blog, Liz Gannes has posted a very interesting inforgraphic about the data elements consumers care about and want to keep private online. The inforgraphic was created from a research report by Forrester Research. Some of the data elements and the percent of consumers that care about each item:

• 72% - Social Security number
• 71% - credit card number
• 62% - driver's license number
• 57% - credit score
• 52% - Internet browsing history

This was a good infographic. It would have been even better if it included consumers' GPS location history, since so many mobile phone companies, telecommunications companies, and social networking websites collect this data. When and where you go in the physical world is very valuable and equally sensitive data. It is a way of uniquely defining you.

Making Data-Sharing Choices With Incomplete Information

This morning, I signed into my Discover credit card online account to read the new privacy policy which the bank had sent several e-mail messages about. Since writing this blog, I have learned two things: banks constantly tweak their terms and privacy policies, and it is important to read the fine print. Frankly, I found the online experience unsatisfactory.

The new policy clearly describes what Discover shares about sharing cardholders' personal information. Some of this personal data sharing is necessary (and appropriate) for banks to report consumers' balances to credit reporting agencies (e.g., Equifax, Experian, TransUnion). Note that the policy includes three types of companies (e.g., Affiliates, Non-Affiliates, and Joint Marketing):

The new policy also defines the three classes of companies Discover does business with and shares cardholders' personal information with:

This new policy doesn't list the actual company names within each category. It leaves cardholders to guess, and make an uninformed decision about whether to share their personal data where Discover allows above. And, you can't make your sharing decisions online at the website. you have to call the toll-free number.

This incomplete disclopsure makes the new privacy policy pretty useless for the following reasons:

1. The policy doesn't provide enough information (e.g., specific company names by category) to make an infomred decision,
2. For one class of companies, cardholders have to go hunting in another document,
3. The new policy didn't highlight what had changed from the old policy, and
4. The whole data-sharing decision process forces Discover cardholders to be financial experts about Discover's business relationships in order to make a decision about whether to share their personal information.

The new Discover Privacy Policy is also available to the public here. The above policy is not full, honest, transparent disclosure. Not even close.

While at the website, I sent this secure message to Discover to try and get an answer:

"This morning, I read online your new privacy policy about changes in information you share with affiliates, non-affiliates, and joint marketing companies. I found the whole online experience unsatisfactory, since it never provides examples of actual companies in each category. This makes it difficult for customers to make informed choices. When will you update the policy with actual company names?"

To try and learn more, I also started an online chat with one of the Discover customer service representatives. The text of that chat is below. Note that the representative provided only an example of a corporate affiliate:

"Katie: Thank you for visiting Discover.com. What questions can I help you with today?
George: I have a question about the new privacy policy. Which companies are affiliates, non-affiliates and joint marketing?
Katie: That's a great question! Our corporate affiliates are GE Money Bank (Sam's Club and Wal-Mart Discover Cards) as well as HSBC as we do offer a Discover Card through them."

Hmmmmm. I didn't say anything but I recognize the GE Money Bank and Wal-Mart company names from this prior post. The online chat session resumed:

"Katie: As to who is included as a joint marketer; I am not sure. I can forward that information to a specialist and email you back as soon as I hear from them.
George: Is there a list somewhere, so I can make an informed decision about whether or not to share my personal data?
Katie: Those partners should be listed in your most recent Cardmember Terms and Agreement. Would you like me to mail you a copy of that document?
George: Yes, please.
Katie: Thank you. Can I help you with anything else today?
George: It would be nice if you listed the companies online at the website privacy policy and terms policy. Please tell your managers of this request.
Katie: I can certainly forward your feedback! Have a great day, Mr. Jenkins!"

Sadly, Discover isn't the only bank that does this. Many banks and non-financial companies have similarly incomplete privacy policies.

ScanScout Settles With FTC About Flash Cookies Used For Tracking Consumers

ScanScout has agreed to settle with the U.S. Federal Trade Commission (FTC) about charges the company used deceptive marketing with a website privacy policy that claimed consumers could opt-out of online tracking, when they couldn't opt-out because the company's website used the Flash cookie technology to collect data which browser settings couldn't block. An FTC press release summarized the terms of the proposed settlement:

"... bars misrepresentations about the company’s data-collection practices and consumers’ ability to control collection of their data. It also requires that ScanScout take steps to improve disclosure of their data collection practices and to provide a user-friendly mechanism that allows consumers to opt out of being tracked."

During the lawsuit and before the settlement agreement, ScanScout merged with Tremor Video. The consent order (PDF), which applies to the merged company and its subsidiaries, stated:

"... officers, agents, representatives, and employees and all other persons in active concert or participation with any of them, who receive actual notice of this Order by personal service or otherwise, whether acting directly or through any entity, in connection with the online advertising, marketing, promotion, offering for sale, sale, or dissemination of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: (A) the extent to which data from or about a particular user or the user’s online activities is collected, used, disclosed, or shared; or (B) the extent to which users may exercise control over the collection, use, disclosure, or sharing of data collected from or about them, their computers or devices, or their online activities."

The consent order also stated that within 30 days of the approved consent order, the company:

"... place a clear and prominent notice, including a hyperlink, on the homepage(s) of its website(s), which states, “We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements click here.” When selected, the hyperlink shall take consumers directly to the mechanism... that enables users to prevent respondent: from collecting data that can be associated with a particular user, or that contains any unique identifier, including user ID or Internet Protocol (IP) address; from redirecting users’ browsers to third parties that collect data, absent a click or other affirmative action by such user; and from associating any previously collected data with the user..."

For five years after the approved consent order, the companies must save and forward to the FTC both complaints from consumers and all company documentation proving compliance with the consent order.

During the summer of 2011, a class-action lawsuit was filed against AOL, Brightcove, and ScanScout about the use of the Flash cookies technology to secretly track consumers' online usage.

The proposed settlement agreement is open for comment by the public until December 8, 2011, after which the FTC will decide whether to make it final. To submit comments, follow the online comment instructions at this website. Comments submitted via postal mail should be sent to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

To learn more about the various tracking technologies, browse posts in this blog about browser cookies, "zombie cookies," Flash cookies, "super cookies," and etags. The FTC OnGuard Online website also contains a section about the various online cookies technologies.

A 24 Year Old Student Issues The Challenge: Europe Versus Facebook

Whether you use Facebook or not, this bears watching. After researching the issues, a 24 year-old student from Vienna is challenging how Facebook treats members' personal information: data collection and deletion. Not liking what he found, his next steps were a series of 22 clear and well-reasoned complaints submitted to the Irish Data Protection Commissioner, since European users have a relationship with the Facebook subsidiary located in Ireland.

According to Kim Cameron's blog:

"Europe versus Facebook, which seems eventually to have become an organization, then opened its own YouTube channel. As part of the documentation, they publicised the procedure Max used to get his personal CD... So many people applied for their own CDs that Facebook had to send out an email indicating it was unable to comply with the requirement..."

The article confirms what I found in this prior post about Facebook social plugins: they monitor your usage across the Internet whenever you visit a site with the Like button (or other Facebook social plugins). Using a different web browser may or may not provide the privacy you seek.

For English, click on both the CC and annotation icons to see subtitles in English.

Services To Remotely Lock, Locate, And Retrieve Your Lost Or Stolen Mobile Device

If you seek a way to protect your mobile device, there seem to be plenty of choices for consumers. Ubergizmo recently reported that Symantec has launched its Norton Anti-Theft service to help consumers remotely lock, locate, and retrieve lost or stolen mobile devices.

What I really like about the Ubergizmo article is its list of mobile device anti-theft services:

"... such as Find My iPhone by Apple, GadgetTrak, AccuTracking, SeekDroid that use location-based software, or StuffBak and TrackitBack that use a coded recovery label placed on the device. AT&T now offers the Mobile Locate app in its Mobile Protection Pack and Verizon offers Asurion’s Mobile Recovery app."

This blog recently covered the smartphone insurance plan from Verizon and Asurion.