Search The Web's Nooks And Crannies To Find Connected Devices

Most people believe that when they use one of the popular search engines (e.g., Bing, Google, Yahoo, DuckDuckGo), that they have effectively searched the entire Internet. That belief is erroneous for a couple reasons.

CNN Money has a good report about the Shodan search engine, which was developed specifically to search what I call the nooks and crannies of the Internet. Shodan users can find devices connected to the Internet that other search engines don't necessarily focus upon:

"... servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet... traffic lights, security cameras, home automation devices and heating systems... control systems for a water park, a gas station, a hotel wine cooler and a crematorium... command and control systems for nuclear power plants and a particle-accelerating cyclotron..."

If it isn't obvious to you, these search results have huge privacy and identity theft implications for a variety of reasons. Many users connect devices to the Internet which they shouldn't connect. Or don't properly secure their Internet-connected devices with firewall software. You can bet that since the good guys already know about and use Shodan, then the bad guys will, too, and hack into unprotected devices, steal identity information, and/or cause havoc.

The second reason: many consumers are trapped in the search Filter Bubble, and don't know it.

The Top 5 Places You Should Never Use Your Smart Phone

Social Times recently listed the top five places consumers should not use their smart phone. The top two places:

1. Business meetings with clients
2. In-person job interviews

Gee, you'd think that people would know better. Places I would add to the list: 6) in school, especially during an exam; 7) during wakes and funeral services; and 8) your doctor's office (especially when they post signs telling patients to turn off their mobile devices). There's just too much sensitive equipment nearby.

Follow the above link to read the entire list. What places do you believe consumers should turn off their mobile devices?

Facebook Becomes More Annoying

This morning, I decided to clean out my personal Facebook email folder. I use Facebook.com for two reasons: 1) connect with friends, family, and former co-workers; and 2) a business page for this blog to connect with readers. The Facebook mail I deleted was for #1.

If you use Facebook.com, it is important to manage your email inbox, since you probably have received Facebook email from both people you are connected to and business pages you have "liked." I found the process to delete old Facebook emails both time-consuming and difficult. Unlike traditional email software, the Facebook email interface forces members to delete one conversation at a time:

So, what should have taken at most 2 minutes, took almost 20 minutes. After deleting old conversations in my Facebook inbox, then I had to switch to the Facebook archive folder and repeat the deletion process:

I find this user interface unnecessarily difficult and time consuming. (Deleting Facebook email is even more tedious and time consuming if you delete items one message at a time. Who would choose that form of self torture?) Perhaps, making it difficult for you to delete your information is a key part of Facebook's "Big Data" strategy to retain as much of its members' content for as long as possible. Facebook frequently hides tasks in unlabeled drop-down menus, and/or in multiple locations you wouldn't expect.

Combine this with the new ads that appear directly in your Facebook News Feed (e.g., Facebook calls them "Suggested Pages," but an ad is an ad by any name -- and some users report this as spam!), and the service has become much more annoying. And, it seems that Facebook plans to deliver more ads in members' News Feeds in the future.

Of course, the folks at Facebook would love for you to use only Facebook email, and stop using traditional email. Last year, without asking Facebook switched the default email addresses in its members' profiles from your traditional email address to your new Facebook email address. Check your Facebook profile. I'll be you didn't notice that.

I switched back the default email address in my Facebook profile, since I still use traditional email. It is important to me to not use any single company's service for all of my online activities. To do that would be for me to give up my power as a consumer. No walled gardens for me. That's why I also use DuckDuckGo -- to escape from being trapped in the search engine filter bubble.

If you use Facebook email, what are your opinions of it? Share below.

Google Shares Personal Data Of App Purchasers With App Developers

Over at his Internet Hughbox blog, Dan Nolan raised a startling and huge privacy issue for Google Play users. After developing an Android app, Nolan found that Google had shared with him the sensitive personal information of purchasers of his app:

"I jumped over to the ‘merchant account’ section to see the orders and realised one absolutely insane thing. If you bought the app on Google Play (even if you cancelled the order) I have your email address, your suburb, and in many instances your full name. Each Google Play order is treated as a Google wallet transaction and as such software developers get all of the information (sans exact address) for an order of an app that they would get from the order of something physical."

While the personal data shared includes a flag whether or not the consumers wants to receive marketing offers via email, Nolan wonders how many app developers will comply with that. The implications of this detailed data sharing:

"... I could track down and harass users who left negative reviews or refunded the app purchase... This is a massive oversight by Google. Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it..."

Google Play is a cloud-based service offering. According to the MediaPost blog:

"... the data-sharing was intentional. Google designed its platform so that people who purchase apps do so from the developer. That model differs from the iTunes platform, where people purchase apps from Apple."

And, the Chicago Tribune reported:

"... Joel Reidenberg, Director of the Center on Law and Information Policy at Fordham University School of Law, said Google and other online and mobile services needed to be more transparent about what personal information was being shared with third-party firms."

Well said Mr. Nolan. Users should always be in control, with programs asking users to opt-in. Too many websites do the opposite: automatically include users and force users to opt-out.

Some app developers may use this personal information responsibly to provide product support and service, while others may not. Already, there are problems with consumers getting harassed about negative reviews posted online. Some physicians already try to stifle online discussion by forcing their patients to sign a "Mutual Agreement To Maintain Privacy" contract, which prohibits patients from posting negative comments on social networking websites.

Positive and negative reviews are part of a healthy, functioning marketplace, that helps users make informed choices. A 2011 survey found that 89% of consumers said they found online reviews trustworthy.

Facebook Hacked. Site Says User Data Not Compromised

In case you were away for the long weekend and missed it, on Friday Facebook.com announced via its website that it had been hacked:

"Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues... We have found no evidence that Facebook user data was compromised."

This means that the old saying still applies: a chain is only as strong as its weakest link. In this case, your sensitive personal information on a social networking site is only as secure as the weakest (mobile or website) app developer.

What You Post Online Could Be Used To Determine Your Mental State

Elizabeth Martin, a researches in the Psychological Science department at the University of Missouri recently completed a study of social networking usage. Martin concluded:

"Therapists could possibly use social media activity to create a more complete clinical picture of a patient... The beauty of social media activity as a tool in psychological diagnosis is that it removes some of the problems associated with patients’ self-reporting. For example, questionnaires often depend on a person’s memory, which may or may not be accurate. By asking patients to share their Facebook activity, we were able to see how they expressed themselves naturally. Even the parts of their Facebook activities that they chose to conceal exposed information about their psychological state.”

Martin had study participants -- about 200 college students -- print out their Facebook activity, and then:

"... correlated aspects of that activity with the degree to which those individuals exhibited schizotypy, a range of symptoms including social withdrawal to odd beliefs. Some study participants showed signs of the schizotypy condition known as social anhedonia, or the inability to experience pleasure from usually enjoyable activities, such as communicating and interacting with others. In the study, people with social anhedonia tended to have fewer friends on Facebook, communicated with friends less frequently and shared fewer photos."

According to Mashable:

"The idea for the study came through a conversation between Martin and the second author, Drew Bailey, who doesn't have a Facebook profile. A discussion arose about profile content and its correlation to psychology."

If therapists and psychologists believe that can tell a person's mental state from their posts on social networking websites, then it is appropriate to assume that other professionals (e.g., insurance, human resource professionals) will also want access to social networking profiles. In other words, some social networking websites may view this as a potnetial, new revenue stream. Credit reporting agencies already want access to consumers' social networking profiles to enhance credit decisions. And in some instances, courts have ruled that your social networking activity can be accessible during a lawsuit.

 

Path Inc. Settles With FTC For COPPA And Privacy Violations With Its Mobile Apps

This morning, the U.S. Federal Trade Commission (FTC) announced that it had reached a settlement with mobile app developer Path for COPPA and privacy violations where users' entire address books were uploaded and stored without notice nor consent. The terms of the settlement require Path Inc. to:

"... establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. The company also will pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent."

The Path mobile app enables consumers to create and share journals with up to 150 friends. The app also enables users to upload, store, and share photos, notes, songs they are listening to, and their geolocation. At registration, users share their gender, phone number, and date of birth. The lawsuit filed by the FTC (Adobe PDF, 918 kbytes) alleged that Path:

"Congress enacted COPPA in 1998 to protect the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children's personal information online by operators of lnternet websites or online services... In version 2.0 of the Path App for iOS, regardless of whether the user elected to "Add Friends," Defendant automatically collected personal information from users' mobile device contacts (also known as the user's "address book") and stored the personal information on Defendant's servers. For each contact in the user's mobile device address book, Defendant automatically collected and stored the following personal information, if available: first name; last name; address; phone numbers; email addresses; Facebook username; Twitter username; and date of birth. The automatic collection and storage of personal information from the user's mobile device contacts occurred the first time the user launched version 2.0 of the Path App and, if the user signed out of the service, each time the user signed in again. This practice continued until February 8, 2012."

The complaint also alleged:

"From November 14, 2010, through May 4, 2012, Defendant accepted registrations from users who entered a date of birth indicating that the user was under the age of 13. As a result, Defendant knowingly collected email address, first name, last name, date of birth, and if provided, gender and phone number, from approximately 3,000 children under age 13... From November 29, 2011, through February 8, 2012, Defendant also knowingly collected from these children the following personal information for each contact in the child's mobile device address book, if available: first name, last name, address, phone numbers, email addresses, and date of birth... Defendant did not provide parents with a direct notice of its information practices prior to collecting, using, or disclosing children's personal information. Defendant did not obtain verifiable consent from parents prior to collecting, using, or disclosing children's personal information."

The FTC also alleged that Path’s privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information. Kudos to the FTC for this settlement, although I wish the fine was far more.

However, Path Inc. faces other legal challenges including a class-action lawsuit about similar privacy violations. The class-action suit included more allegations that Path collected and shared more data with other companies, and tracked users with geo-tags.

To learn more, read about the COPPA Rule in the 2013 U.S. Federal Register (Adobe PDF, 590 kbytes).

New Terms Of Service And Privacy Policies Go Live At Instagram

On Friday, Instagram sent this letter to its users:

From: Instagram (no-reply@instagram.com)
Subject: Instagram Update
Date: January 18, 2013

Hello,

Our community has grown by many millions of people since we wrote our original Terms of Service and Privacy Policy. As we announced in December, we have updated our Terms of Service and Privacy Policy. These policies also now take into account the feedback we received from the Instagram Community. We're emailing you to remind you that, as we announced last month, these updated policies will be in effect as of January 19th, 2013.

You can read our blog post that highlights some of the key updates. And remember, these updates don't change the fact that you own your photos that you post on Instagram, and our privacy controls work just as they did before.

Thank you,
The Instagram Team

The Instagram blog summaried the changes in its new policies:

"1. Nothing has changed about your photos’ ownership or who can see them.
2. Our updated privacy policy helps Instagram function more easily as part of Facebook by being able to share info between the two groups. This means we can do things like fight spam more effectively, detect system and reliability problems more quickly, and build better features for everyone by understanding how Instagram is used.
3. Our updated terms of service help protect you, and prevent spam and abuse as we grow.

In its blog post, Instagram reassures users that users own their photographs. While that is good, the bigger question is exactly what data dlements are collected, retained, manipulated, and shared? Some relevant portions from the new Terms of Service:

"Instagram does not claim ownership of any Content that you post on or through the Service. Instead, you hereby grant to Instagram a non-exclusive, fully paid and royalty-free, transferable, sub-licensable, worldwide license to use the Content that you post on or through the Service, subject to the Service's Privacy Policy, available here http://instagram.com/legal/privacy/, including but not limited to sections 3 ("Sharing of Your Information"), 4 ("How We Store Your Information"), and 5 ("Your Choices About Your Information")... You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such... Content removed from the [Instagram] Service may continue to be stored by Instagram, including, without limitation, in order to comply with certain legal obligations, but may not be retrievable without a valid court order... Except as otherwise described in the Service's Privacy Policy, available at http://instagram.com/legal/privacy/, as between you and Instagram, any Content will be non-confidential and non-proprietary and we will not be liable for any use or disclosure of Content. You acknowledge and agree that your relationship with Instagram is not a confidential, fiduciary, or other type of special relationship, and that your decision to submit any Content does not place Instagram in a position that is any different from the position held by members of the general public, including with regard to your Content."

Some interesting sections from the new Privacy Policy:

INFORMATION WE COLLECT
We collect the following types of information.
Information you provide us directly:
1. Your username, password and e-mail address when you register for an Instagram account.
2. Profile information that you provide for your user profile (e.g., first and last name, picture, phone number). This information allows us to help you or others be "found" on Instagram.
3. User Content (e.g., photos, comments, and other materials) that you post to the Service.
4. Communications between you and Instagram. For example, we may send you Service-related emails (e.g., account verification, changes/updates to features of the Service, technical and security notices). Note that you may not opt out of Service-related e-mails."

"Metadata:
Metadata is usually technical data that is associated with User Content. For example, Metadata can describe how, when and by whom a piece of User Content was collected and how that content is formatted. Users can add or may have Metadata added to their User Content including a hashtag (e.g., to mark keywords when you post a photo), geotag (e.g., to mark your location to a photo), comments or other data. This makes your User Content more searchable by others and more interactive. If you geotag your photo or tag your photo using other's APIs then, your latitude and longitude will be stored with the photo and searchable (e.g., through a location or map feature) if your photo is made public by you in accordance with your privacy settings."

"We may also share certain information such as cookie data with third-party advertising partners. This information would allow third-party ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you... We may remove parts of data that can identify you and share anonymized data with other parties. We may also combine your information with other information in a way that it is no longer associated with you and share that aggregated information."

The new policy does not seem to mention exactly how Instagram may manipulate (e.g., add, delete, merge) the metadata attached to your photographs with other data elements (e.g., mobile geolocation data). That is important to know given a recent lawsuit about alleged unannounced and unauthorized data collection, retention, and tracking involving its mobile apps.

The information in this blog post is not legal advice. If you are concerned about the new policies, get legal advice from an attorney. I am not an attorney.

Study: 30 Percent Of Teen Girls Meet In Person Strangers They Met Online

This is a startling and terrifying statistic. Parents: what is your teenage daughter doing online? WFMJ reported the results of a recent pediatric study:

"... the study tracked online and offline activity among more than 250 girls aged 14 to 17 years and found that 30 percent followed online acquaintance with in-person contact..."

The study, funded by a grant from the National Institutes of Health (NIH), included a mix of girls with and without a history of risky behavior. The study's author is Jennie Noll, a professor of pediatrics at the University of Cincinnati. The NIH is part of the U.S. Department of Health and Human Services (DHHS).

I recommend that parents read the WFMJ article, since it includes additional information. Reportedly, the study appeared in the Journal of Pediatrics. I wished that the study had included younger girls, since many social networking sites allow youth aged 13 and older to register.

Lawsuit Claims Instagram Performed Data Collection, Retention, And Tracking Via Its Mobile App Without Notice Or Users Consent

While Instagram, the popular photo-sharing website, made a fast retreat last month after releasing new Terms of Service and Privacy policies, it appears that there are more issues. During the holidays last month, a class-action lawsuit was filed against Instagram claiming unauthorized data collection, retention, and tracking via the photo sharing site's mobile app.

The complaint alleges that Instagram uploaded via its mobile app users' entire address books, accessed and modified both the geolocation and meta data in users' photos uploaded, collected and stored users' fine geolocation data, accessed users' data stored within Amazon-provided cloud-based services, and distributed users' sensitive personal data to third-party companies without notice nor consent. The complaint alleged that Instagram:

"... used Plaintiff's and Class Members' computing devices to access, use, disclose, retain, and store personal information ("PI"), personal identifying information ("PII"), and/or sensitive identifying information ("SII") derived in whole, or part, from Plaintiff and Class members' computing devices' contact address book, aggregating such data derived from the unauthorized access to, and use of Plaintiff and Class members' photo metadata, for purposes not granted..."

There is more. The complaint also states that the plaintiffs:

"... were unaware of the harm that would be imposed... including use, retention, and storage of their computing devices contact address data, installation of geo-tags for tracking, the misappropriate of their Mobile Device resources and bandwith... [the plaintiffs] had not knowledge that contact book data was obtained and stored on Defendant's servers and/or third-party servers, such as on Amazon EC2's remote servers and was stored in an unreasonably insecure manner contrary to accepted standards... [the plaintiffs] did not consent to having their data collected by Defendant. Had [the plaintiffs} known of Defendant's practices, they would not have downloaded its app..."

Of course, mobile apps that consume large amounts of consumers' data plan minutes are undesirable, and consumers should be provided with warnings by these apps. The suit was filed December 27, 2012 in Northern California District Court by attorneys Parisi & Havens LLP, Strange and Carpenter LLP, and the Law Office of Joseph H. Malley, P.C.. Recently, Facebook purchased Instagram in 2012 for $1 billion.

While reading the complaint, I recognized Malley's name, since he is often referred to as a "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, these attorneys know what they are doing.

For the lead plaintiff, Steven Gutierrez, the alleged data collection, retention, and tracking by Instagram affected his minor child and warnings weren't timely enough for consumers who registered and installed the Instagram app early on:

"... ignoring the intent of [the plaintiffs] that used Defendant's application to up upload and/or take photos using Defendant's application and also creating a digital dataset, link to their exact location, posted to a publicly accessible form that revealed their exact fine GPS settings, violating not only their privacy rights, but also posing a security risk, as evidenced by Plaintiff Steven Gutierrez, with his one year old daughter, pictured above, that included within the photo's metadata, the exact location where the picture was taken, his home, and a detailed map of the home's exact location... Defendant failed to adequately disclose, or obtain permission for such activities, evidenced by failing to provide a Terms of Service or Privacy Policy within its application or website for a period in excess of a year after its initial operation... Defendant's access to, deletion, modification, and use of Plaintiff and Class Members' metadata within their photos, was without notice or authorization, and is evidenced by an analysis of the photo metadata at various stages. In order to view such activity, a software program is required, such as the one at [Jeffrey's EXIF Viewer]... Defendant's alteration of the digital content's metadata, in addition to the inclusion of fine GPS actual coordinates, provided a Unique Identifier..."

Photo metadata includes a lot of descriptive information, including but not limited to a photo description (e.g., title, subject, tags, comments), author, date and time created, copyright information, image description (e.g., dimensions, resolution, color details, compression), camera description (e.g., make, model, F-stop, exposure, flash mode, zoom setting, lens maker, lens model, serial number, EXIF version), and file information (e.g., date created, date modified, file type, file name, size, attributes, owner, computer name). From photo metadata, a company can tell a lot about you, your purchases, and your lifestyle.

If Instagram adds fine geolocation data to photos after upload, then this is very troubling. For privacy reasons and safety, many consumers turn off the camera setting on their smart phones that automatically adds GPS data to each photo and video taken. By re-adding this geolocaton data later to photos/videos uploaded, Instragram is overriding and ignoring users' privacy choices, and enabling tracking of consumers in the real world.

The complaint is rich with detail. Of course it provides background information on the Instagram service, its mobile apps, and usage terms/policy. The complaint also includes information about the public outcry about the new usage terms/policy which it later reversed, smart phone technologies, online tracking, cloud computing, photo metadata, and U.S. Congressional correspondence about app privacy. About the data collection, the complaint states:

"Defendant did not deny it had obtained Plaintiff's and Class Members' contact address data, but attempted to diminish the impact of its public relations nightmare by providing an immediate "Mea Culpa," of sorts, staying out of the press, and quietly adding a new pop-up requesting user authority to obtain contact address data information all users... Defendant's public response that it's activities were a common practice was without merit upon review of the app store guidelines..."

For consumers, letting mobile apps upload your entire address book is a bad idea for several reasons. First, the contact data is valuable to spammers and identity criminals because both issue fake messages (e-mail or text) pretending to be a relative or friend to trick consumers to making payments or disclosing other sensitive data. Second, many consumers use their smart phones for both business and pleasure. That means, the data collected contains valuable business contacts, useful to both advertisers and spies -- a corporate espionage risk.

I really like how the complaint describes in great detail the damages with specific dollar amounts for affected smart phone users. The lawsuit also highlights the issue of who ultimately controls image (e.g., photograph, video) metadata -- the consumer or the social networking service.

View the Gutierrez et. al. vs Instagram Inc. complaint (Adobe PDF, 1.8 Mbytes). Learn more about:

• Amazon Web Services
• How Facebook handles photo metadata
• A new web app by students at Rutgers University that combines Google Street View with GPS metadata from photos uploaded to Instagram to track where photos were taken

FTC Report On Mobile Apps For Children: Insufficient Privacy Disclosures

In February 2012, the U.S. Federal Trade Commission (FTC) published its first report on mobile apps for children, after surveying apps in both the Google Android and Apple app stores. That report found that apps provided little or no information for parents about privacy disclosures of the apps. It also called upon all companies in the children's app ecosystem -- app developers, app stores, and third parties -- to provide better disclosures regarding data collection and privacy practices.

In December 2012, the FTC published its second report, which went further than the first report by testing some apps against their state privacy policies. The FTC found:

"... many apps included interactive features or shared kids’ information with third parties without disclosing these practices to parents... Since the first kids’ app report was issued, the market for mobile apps has continued to grow at an explosive rate, providing many benefits and conveniences to consumers. As of September 2012, there were over 700,000 apps available in Apple’s App Store, a 40% increase since December 2011, and over 700,000 apps available in Google Play, an 80% increase since the beginning of 2012."

The survey found that apps still aren't providing sufficient privacy disclosures:

"... parents still are not given basic information about the privacy practices and interactive features of mobile apps aimed at kids. Indeed, most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data. Even more troubling, the results showed that many of the apps shared certain information – such as device ID, geolocation, or phone number – with third parties without disclosing that fact to parents. Further, a number of apps contained interactive features – such as advertising, the ability to make in-app purchases, and links to social media – without disclosing these features to parents prior to download."

The survey methodology included a search in each app store for children's apps, a review of the first 480 pages of search results, and the random selection of 200 apps from each app store for a close evaluation. That evaluation included a review for privacy disclosures on each app's promotion page, within the app itself, and the app developer's website. The evaluation included a test of each selected app to determine:

"... whether they contained certain interactive features and whether they collected or transmitted any information from the mobile devices they were tested on... nearly 60% (235) of the apps reviewed transmitted device ID to the developer or, more commonly, an advertising network, analytics company, or other third party... only 20% (81) of the apps reviewed disclosed any information about the app’s privacy practices... 58% (230) of the apps reviewed contained advertising within the app, while only 15% (59) indicated the presence of advertising prior to download. Further, 22% (88) of the apps reviewed contained links to social networking services, while only 9% (36) disclosed such linkage prior to download. In addition, 17% (66) of the apps reviewed contained the ability to make purchases for virtual goods within the app, with prices for each purchase ranging from $0.99 in apps from both app stores, to $9.99 for Google Play apps and $29.99 for Apple store apps..."

An encouraging sign is that consumers and parents are getting the message and flexing their muscle in the marketplace:

"... a recent Pew study found that 54% of app users decided not to install an app once they discovered how much personal information the app would collect. The study also showed that 30% of app users have uninstalled an app that was already on their cell phone because they learned that the app was collecting personal information the users did not wish to share. Consistent with these findings, a recent study by the Berkeley Center for Law and Technology showed that most consumers consider the information on their mobile devices to be private..."

Actions that the FTC to address the lacka of privacy disclosures:

1. Urge app developers to include privacy disclosures by design in mobild apps and provide guidelines,
2. Provide consumers and parents with educational information to help them navigate the mobile app market,
3. Starting investigations to determine if specific apps have violated the Childrens Online Privacy Protection Act (COPPA), and
4. Conduct a third survey of the childrens mobile app market

Download the FTC report: Apps For Kids; Still Not Making The Grade (Adobe PDF, 1.1 Mbytes).

Twitter's Tailored Suggestions Program And Online Tracking

In May 2012, Twitter.com introduced a new program called Tailored Suggestions, which recommends other Twitter members to follow based upon your online usage:

"How tailored suggestions work: We determine the people you might enjoy following based on your recent visits to websites in the Twitter ecosystem (sites that have integrated Twitter buttons or widgets). Specifically, our feature works by suggesting people who are frequently followed by other Twitter users that visit the same websites."

The use of buttons or widgets to track social networking website users around the web  is not new. Facebook, LinkedIn, and Youtube have similar programs. Twitter users can easily opt out of this tracking by un-clicking the box next to "Personalization" in your Twitter Profile Settings page. (See image below.) Or, you can adjust the Do Not Track settings on your web browser.

Last month, Forbes magazine reported about Twitter's expansion plans with its Tailored Suggestions program.

For me, Twitter is a wonderful resource, which I use primarily with this blog and to network with other privacy advocates and bloggers. I like and trust Twitter far, far more than Facebook. Twitter hasn't had the repeated privacy snafus which have happened at Facebook. As of January 1, 2013 about 560 people follow this blog via Twitter compared to about 120 via Facebook.

6 States Now Ban Employers From Snooping On Your Social Networking Accounts

NBC News reported on Tuesday that six states now have laws making it illegal for employers to request login credentials (e.g., ID and password) to your social networking accounts. The states include California, Delaware, Illinois, Maryland, Michigan, and New Jersey.

The laws in California and Illinois went into effect on January 1, 2013. In the Spring of 2012, Maryland was the first state to ban employers from accessing consumers' social networking accounts.

Congratulations to lawmakers in these states for passing sensible legislation. If you live in a state doesn't have such a law, contact your elected officials today and demand action.

A Smart Phone Gift And A Teachable Moment

Did you buy a smart phone or tablet as a Christmas gift for your child or grandchild? Smart phones are very popular gift items. A recent survey found that about 37% of shoppers planned to buy smart phones as gifts for the holidays.

Last week, an 11-year-old student in my tai chi class mentioned that his mother had purchased an iPhone 5 for him as a Christmas present. After hearing this comment, I began to wonder what I would teach an 11-year-old to prepare him/her to use a smart phone wisely to protect their self online... without over-sharing nor running up a huge monthly bill.

I didn't have to search far nor long. Blogger Janell Burley Hofmann developed a contract when she gave her 13-year-old a new iPhone as a Christmas gift. Hofmann's contract clearly outlines both her terms of the gift and her expectations of her teenager. This makes excellent sense. Some notable items from Hofmann's contract:

"1. It is my phone. I bought it. I pay for it. I am loaning it to you. Aren't I the greatest?
2. I will always know the password.
3. If it rings, answer it. It is a phone. Say hello, use your manners. Do not ever ignore a phone call if the screen reads "Mom" or "Dad." Not ever."

Some of the items on the list are obvious:

"7. Do not use this technology to lie, fool, or deceive another human being. Do not involve yourself in conversations that are hurtful to others. Be a good friend first or stay the hell out of the crossfire.
8. Do not text, email, or say anything through this device you would not say in person.
9. Do not text, email, or say anything to someone that you would not say out loud with their parents in the room. Censor yourself.
10. No porn. Search the web for information you would openly share with me. If you have a question about anything, ask a person -- preferably me or your father...
18. You will mess up. I will take away your phone. We will sit down and talk about it. We will start over again. You and I, we are always learning. I am on your team. We are in this together."

I like that Hofmann has included a no-sexting clause, since many teens now use Snapchat (instead of Facebook.com) thinking that those risky photos disappear, but they don't:

"12. Do not send or receive pictures of your private parts or anyone else's private parts. Don't laugh. Someday you will be tempted to do this despite your high intelligence. It is risky and could ruin your teenage/college/adult life. It is always a bad idea. Cyberspace is vast and more powerful than you. And it is hard to make anything of this magnitude disappear -- including a bad reputation."

Readers of the I've Been Mugged blog may remember smart phone insurance issues encountered by some consumers. So, it makes sense to clarify what happens if/when the smart phone breaks:

6. If it falls into the toilet, smashes on the ground, or vanishes into thin air, you are responsible for the replacement costs or repairs. Mow a lawn, babysit, stash some birthday money. It will happen, you should be prepared."

Items I would add to the any smart phoone or tablet contract for a teenager:

19. You will receive spam via email, text messages, and at social networking websites. Learn how to recognize spam.

20. To avoid using up all of your monthly calling minutes, you will likely be tempted to use the WiFi setting on your smart phone instead. This means you will also be tempted to use public WiFi hotspots, which could make your smart phone vulnerable to malware and computer viruses. Don't. You can use our password-protected home WiFi. If you want to use public WiFi hotspots, you will ask your parents first for a VPN software recommendation.

21. You will install an anti-virus app to protect your smart phone just like this software protects your laptop computer. You will learn how to use that anti-virus software and keep it up-to date.

22. Learn how to read the Privacy Policy and Terms and Conditions Policy at websites. If you don't understand or don't like the policy at a website, don't use that website and don't register at that website, no matter how popular you think it is.

23. Read the Privacy Policy and Terms and Conditions Policy before installing a mobile app. If an app doesn't have a policy, don't install nor use that app. If you don't understand or don't like an app's policy, don't install that app on your smart phone and don't use it.

24. Know the full price of an item or service, including any fees, before making an online purchase with your smart phone. If you are unsure what the price is, don't buy it. If the price is more than $10, get the approval of me or your father, first. If the price is less than $10, you will pay for it out of your weekly allowance.

What do you think of Hofmann's smart phone contract for her teen? What items would you add?

California Attorney General Notifies Developers Of Mobile Apps In Violation Of State Privacy Laws

Earlier this week, the State Of California Attorney General (AG), Kamala Harris, announced that her office had begun notifying mobile device app developers that were in violation of state privacy laws:

"The companies were given 30 days to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information. Letters will be sent out to up to 100 non-compliant apps at this time, starting with those who have the most popular apps available on mobile platforms."

Last week, the California AG had notified United Airlines about its mobile app. Other companies warned include Delta Air Lines and OpenTable Inc..

The letters are part of enforcement of the California Online Privacy Protection Act, which requires operators of online services (e.g., mobile device apps and apps at social networking sites) that collect personally identifiable information from California residents to conspicuously post a privacy policy. Operators not in compliance face fines of up to $2,500 for each download of a non-compliant app.

Reportedly, non-compliant app developers and app store operators could also be prosecuted under the California Unfair Competition Law and/or False Advertising Law, with fines up to $500,000 per use of a non-compliant app.

This should not be a surprise, given the law and given the February 2012 global agreement between the California AG and several technology companies -- Amazon, Apple, Google, Hewlett-Packard, Microsoft, Amazon, and Research In Motion -- to require mobile app developers to post privacy policies.

This is really good news for consumers who have become increasingly reliant upon mobile devices. Past studies have documented sporadic and poor access to privacy policies by mobile device apps both before and after installation. Once again, California leads the way in protections for consumers.

Compete Settles With FTC About Alleged Secret Tracking And Data Security

In a press release, the U.S. Federal Trade Commission (FTC) announced that it had reached a settlement with Compete Inc., a Boston-based Internet analytics firm, about alleged data collection without fully notifying consumers and failures to adequately protect the collected information. According to the FTC:

"... Compete got consumers to download its tracking software in several ways, including by urging them to join a “Consumer Input Panel” that was promoted using ads that pointed consumers to Compete’s website, www.consumerinput.com. Compete told consumers that by joining the “Panel” they could win rewards while sharing their opinions about products and services... The proposed settlement will require that Compete obtain consumers’ express consent before collecting any data from Compete software downloaded onto consumers’ computers, that the company delete or anonymize the use of the consumer data it already has collected, and that it provide directions to consumers for uninstalling its software... the settlement bars misrepresentations about the company’s privacy and data security practices and requires that it implement a comprehensive information security program with independent third-party audits every two years for 20 years."

The proposed settlement is open for comment by the public until November 19, 2012. After that time, the FTC will decide whether or not to make the proposed settlement final.

California AG Asks United Airlines To Provide A Privacy Policy With Its Mobile Device App

Recently, Kamala Harris, the Attorney General for the State of California, posted the following on her Twitter feed:

"@KamalaHarris Fabulous app, @United Airlines, but where is your app’s #privacy policy? http://1.usa.gov/SWGCTm"

A quick scan of United Airline's twitter feed did not find a reply by the airline to the AG's request. Harris' request refers to a 2004 law in California requiring website operators that collect consumers' personal information to post a privacy policy on its website. While that law predates mobile device apps, Harris' request highlights an important privacy and data security situation. Prior studies have documented privacy abuses by mobile device apps, and either lacking or sporadic access to apps' privacy policies both before and after a user installs an app.

Of course, a privacy policy won't prevent a data breach nor prevent abuse of consumers' sensitive personal information, but it is an important disclosure tool, like food labels, to help consumers:

• Understand what data is collected, archived, and shared with other companies by a product or service,
• Utilize any opt-out or opt-in service settings,
• Begin to evaluate whether or not a company complies with its own privacy policy, and
• Compare data security offerings between competitive products or services

One could argue that given the privacy abuses, privacy policies are even more important for mobile device users. With a traditional desktop or laptop device, there is usually to parties involved: the consumer and the website he/she is visiting. With mobile devices, there are more parties involved: the mobile device manufacturer, the mobile device operating system developer, the app developer, the telecommunications provider, and the app store. It's critical for consumers to know which party's privacy policy applies; and an opportunity to streamline,, consolidate, and reduce the number of privacy policies.

Now that Harris has highlighted the issue, it is an opportunity for the california legislature to amend its state's laws to include apps; and for legislatures in other states to do the same.

What's your opinion of Harris' request? What's your view of privacy policies for mobile device apps?

How To Lock Down Your iOS Mobile Device

Apple iPhones are very popular, and too many consumers believe that they won't get malware (or risky apps) on their Apple devices. You may not, but your device might be lost or stolen.

For those that value data security and want to protect their sensitive personal information (and their friends/colleagues in your address book), below is a tutorial from the security pros at Threatpost about how to lock down your iOS mobile device:

Study: Small And Medium Sized Businesses Face Growing Data Security Threats

According to a new report by Osterman Research, and sponsored by Trend Micro, while cloud and mobile device usage have increased within small and medium sized businesses, so too has malware and data security threats. The survey found that about 52.1% of devices (e.g., desktop computers, laptops, tablets, smartphones) used by employees were infected annually with malware. In any given month, about 4.3% of devices were infected.

The report found that the malware has become more serious, with more versions, a short life, had target specific mobile devices (e.g., devices running the Android operating system) ,and had targeted businesses in specific countries that perform online banking.

The researchers found the costs to businesses were substantial. Information technology (I.T.) departments spent on average 72 minutes per device to remove the malware and fix the infected computer. The direct I.T. staff cost was about $2,400 per device per year. And, those costs don't include the lost employee productivity.

The data breaches from this malware can lead to theft of money, trade secrets, or the sensitive personal information of employees, former employees, and contractors. Criminals try to infect employees' devices with keystroke-logging malware to steal online bank account passwords. The report listed some of the company data breaches where businesses were robbed in this manner:

• Western Beaver County School District: $700,000
• The Catholic Diocese of Des Moines: $600,000
• Hillary Machinery: $800,000 (its bank was able to recover only $600,000)
• Patco: $588,000
• Experi-Metal, Inc.: $560,000
• Village View Escrow: $465,000
• An unidentified construction company in California: $447,000
• Choice Escrow: $440,000
• An unidentified solid waste management company in New York: $150,000
• An unidentified law firm in South Carolina: $78,421

So, if you work in a small or medium sized business that performs online banking, you can assume that identity thieves and criminals have targeted your employer and, most likely, your mobile device.

Mobile Marketing Company To Pay $500K Settlement Fine For Text Message Spam

This past weekend, the office of the New York State Attorney General announced a settlement with Game Theory LLC, a mobile content company. Game Theory agreed to pay a $500,000 settlement for allegedly sending deceptive text messages that tricked New York State residents into signing up for monthly text messages costing $9.99 per month:

"These charges appeared on the victim’s wireless telephone bill in a way that was difficult to detect. For months, consumers would pay for text messages they did not want before they realized they were being charged. For example, between May 23, 2011 and July 5, 2011, Game Theory sent text messages claiming that the recipients had a “secret crush,” and that the recipient needed to respond “yes” to find out who it was. However, in the process of finding out the identity of the “secret crush,” the recipient was also unknowingly signing-up for a text message service..."

Game Theory reportedly sent 150,000 such text messages to the mobile phones of New York State residents. Terms of the settlement require the company to exit the text messaging business.

Security experts advise consumers to never respond to unsolicited text messages, including those that claim a reply is necessary to stop any charges. Consumers should report text message spam and fraudulent mobile phone charges to their mobile service provider, and ask their provider to block those third-party charges. Consumers can also report this fraud to their state consumer protection agency, and to the U.S. Federal Trade Commission (FTC).

It is important for parents to remind and teach their children of good mobile device security habits, including how to recognize and delete smishing text messages.