5 Ways Retail Stores Spy On Their Shoppers

If you haven't read it, there is a good article at Consumer Reports which lists the ways retail stores spy on consumers while shopping. Not the online stores but the physical, brick-and-mortar store locations. Some of the ways stores spy on shoppers:

1. Spy cameras: armed with facial recognition software, these cameras record and track both your movements in the store, the items you look at, and for how long. Some stores use mannequins that contain spy cameras, to distribute cameras thought store areas. Stores often merge these recordings with data from your purchases: amount, payment method (e.g., cash, credit, debit), store sections (e.g., clothing, shoes, housewares, etc.), and items browsed (e.g., pants, dresses, cookware, etc.). Outside cameras record your auto data (e.g., license number, make, model) which is also merged with interior recordings.
2. Smart phone tracking: retailers record the geo-location data from your phone to map/track which departments you visit, in what order, and how long you stay in each department.
3. Interactive digital ads: many contain tiny cameras to record the shoppers that view the ads.
4. RFID technology: merchandise with radio frequency identification tags (RFID) can trigger nearby interactive digital ads, to then serve up targeted, personal ads based on the specific merchandise you are carrying
5. Product returns: many stores demand photo identification to process product returns. Stores claim that the reasons for this are to prevent fraud, but the data collection includes shoppers who do not commit fraud.

What is worse is that the stores do no disclose any warning to shoppers or parents, except that most states require stores to post product return policies visibly in stores.

What's your opinion of the tracking/spying?

The Top 5 Places You Should Never Use Your Smart Phone

Social Times recently listed the top five places consumers should not use their smart phone. The top two places:

1. Business meetings with clients
2. In-person job interviews

Gee, you'd think that people would know better. Places I would add to the list: 6) in school, especially during an exam; 7) during wakes and funeral services; and 8) your doctor's office (especially when they post signs telling patients to turn off their mobile devices). There's just too much sensitive equipment nearby.

Follow the above link to read the entire list. What places do you believe consumers should turn off their mobile devices?

Disney Cruise Ship Child Care Staff Lose Young Child. Frantic Search Ensues

At his blog, Brent Csutoras shared a frightening story about how his child was lost during a Disney cruise while under the supervision of daycare staff. Brent wrote:

"In January, we decided to take our two children on a Disney Wonder cruise... While on board, we left our 3 year old son, in their child care facility, the Oceaneer Club (for children aged 3 to 12). We were happy to see they had a wrist band tracking system, which could identify where a child was on the ship at any time and alert staff if the band went outside the area he was supposed to be in. So you can imagine our fear, shock, outrage and panic when we came back after an evening with friends, to find our child missing from their child care facility."

And, what happened with that high-tech wristband tracking? It's similar technology to what Disney plans to use in its land-based theme parks. It failed to work:

"... the next step was to check the tracking band system, which would pinpoint my son’s location. We walked over to the computer and as they pulled it up, everyone got very quiet. The screen showed my son’s band as ‘UNREADABLE’!!!."

After searching frantically for about 45 minutes, Brent's child was found sleeping under a "tunnel of chairs" in the child care center.

This story is horrendous. I am a parent, plus my wife and I have sailed on about 19 cruises on several cruise lines: Carnival,Celebrity, Costa, Holland America, MSC, Norwegian, Princess, and Royal Caribbean. We've sailed the Caribbean (West, South, and East), the Hawaiian Islands, Bermuda, the Panama Canal, Alaska, and the Eastern Mediterranean. While we have not sailed yet on Disney, we are very familiar with the cruising vacation experience. I would classify Brent's experience on the Disney Wonder an epic customer-service failure:

• Clearly, the wristband technology, which should have worked, didn't and failed.
• Clearly, the lighting in the daycare space was insufficient
• Responsible cruise ship daycare staff should know where their children are, and not rely on wristbands to locate children. An on-board power failure could render that technology useless.
• While cruise ship staff emphasized that they had a process for lost/missing children, it was not apparent nor clearly explained to the parents.
• The ship seemed very reluctant to perform a public announcement. While they probably didn't want to alarm other passengers, the needs of a lost child outweigh that concern.

By law, cruise ships must perform safety drills before departing the embarkation port, or at sea soon after departure. This helps passengers what to do in case of an emergency.

Brent's story highlights the need for parents to apply the same level of importance to daycare services and safety, so they know what to do and where to go for their children during or after an emergency.

Disney's response, as Brent explained it, seems shortsighted and insufficient -- especially since the stranded Carnival Triumph cruise ship is fresh in many consumers' minds. After that mishap, some passengers have sued Carnival. Frankly, Disney's poor response to Brent and his family seems to risk losing future business:

"Considering I have two little boys, we would most certainly have booked other Disney vacations and cruises in the years to come. But this experience—the loss of my son, the poor response to the crisis aboard ship, and the uncaring, calculated corporate response afterward—has changed all that... Where is the Disney ‘magic’? For me, it’s been lost. Where is the customer service Disney is supposed to be known for? Nonexistent."

I suggest that Brent submit a cruise review to several cruising industry websites that consumers visit, such as Cruise Critic, Cruise411.com, and Cruise-Addicts.com. For parents who are considering a future cruise ship vacation with their children, I suggest that you:

1. Before booking a cruise, read the safety materials in the cruise lines' websites
2. After booking a cruise, read the safety materials in your cruise documents before your vacation. The cruise line or your travel agent will send these documents
3. After boarding the cruise ship, meet with the daycare staff and have them show a successful test of any wristband or other technology used to track young children
4. After boarding the cruise ship, review with daycare staff the safety procedures involving lost/missing young children before you drop them off at daycare, so you know what the process is and what to do during or after an emergency

In 2003, my wife and I sailed with our children, who were teenagers at that time. Before leaving on vacation, we reviewed with them the ship's safety rules, which we expected them to comply with 100%. Although rare, some adults have fallen overboard during cruises. A young woman wrote fake bomb-threat notes to divert a cruise ship so she could return home sooner to her boyfriend.

For cruise ship vacation, I think that this is a good rule of thumb: act and plan accordingly, because the knuckleheads you encounter on land you may also encounter at sea.

5 Online Privacy Tips To Keep You And Your Family Safe

Monday will be Data Privacy Day (DPD), with celebrations in North America and Europe to raise awareness and provide consumers with education about privacy. DPD was started in 2008. This year's theme is, "Respecting Privacy, Safeguarding Data and Enabling Trust." This year's events will be started with a privacy forum at the George Washington University Law School in Washington, DC. Federal Trade Commissioner Maureen Ohlhausen is the keynote speaker. More events are scheduled nationwide throughout February.

To support this event, Anchorfree and the National Cyber Security Alliance have developed together a list of tips for consumers to maintain their privacy when connected to the Internet via your smart phone, tablet, or laptop/desktop computer:

"1. Risky business - Make sure all family members understand the public nature of the Internet and its risks. Any digital information they share -- emails, photos or videos -- can easily be copied and pasted elsewhere, and is almost impossible to take back. Anything that could damage their reputation, friendships, wallet or future prospects should not be shared electronically."

A recent study found that 30 percent of teenage girls meet in person strangers they met online. So, it is critical for parents and families to practice safe habits while connected to the Internet and in the physical world. If you are a parent, grandparent, or guarding who plans to buy a smart phone for a child, then you definitely should read this contract one smart parent created to help her manage her teen's online usage.

2. Keep it hidden, keep it safe - Make sure all family members are careful about sharing sensitive information such as birth date, addresses, phone numbers, location, financial information, social security numbers, passwords and vacation plans. Most reputable online services have privacy settings. Teach your kids how to use them, too."

3. Browse intelligently - Avoid using sketchy, unfamiliar websites, and delete suspicious emails, particularly those that ask for unnecessary personal information or request that you download something. These may be malware or phishing sites out to steal your personal data.

There are several products available to automatically delete browser HTTP cookies and other files (e.g., Flash Cookies, and other LSO's = Locally Shared Objects) websites use to track you while connected to the Internet. This blog has reviewed some of them, including the MAXA Cookie Manager. I use the BetterPrivacy plugin with the Firefox browser.

The next item is critical because smart phones and tablets save a ton of metadata with each photograph or video you take. The metadata with your photos include a lot of descriptive information, including but not limited to a photo description (e.g., title, subject, tags, comments), author, date and time created, copyright information, image description (e.g., dimensions, resolution, color details, compression), camera description (e.g., make, model, F-stop, exposure, flash mode, zoom setting, lens maker, lens model, serial number, EXIF version), and file information (e.g., date created, date modified, file type, file name, size, attributes, owner, computer name). From photo metadata combined with your GPS location, a company can tell a lot about you, your purchases, your lifestyle, plus what you did/spent when and where.

That metadata gets uploaded to your favorite social networking website whenever you upload photos. Some social networking sites collect, save, and share all of that metadata. Others use some of it. So, consumers should:

4. Turn off geolocation - Many apps' permissions include backdoor location trackers that are constantly streaming your location. If you're not actively using your phone to navigate, turn them off. The FTC recently noted that many apps aimed at children are disclosing location; make sure your kids are following this rule of thumb as well."

The last tip cannot be over emphasized. Public WiFi hotspots are everywhere. If you expect to perform sensitive tasks (e.g., online banking, access/use sensitive documents from your employer) while connected to a public WiFi hotspot, you should:

5. Get behind a shield - Use a VPN such as Hotspot Shield, which will help identify malware sites and provide a secure, encrypted connection to the Internet for desktop or mobile devices, protecting your browsing from hackers and snoops. This is particularly important when using public Wi-Fi or other unknown networks."

AnchorFree produces Hotspot Shield. There are other brands available. Take a look at Get Cocoon and PrivateWiFi.

The National Cyber Security Alliance is a nonprofit organization formed to educate and empower consumers about Internet privacy. It collaborates with government, corporate, other non-profit and academic entities. NCSA board members include: ADP, AT&T, Bank of America, EMC Corporation, ESET, Facebook, Google, Intel, McAfee, Microsoft, PayPal, Science Applications International Corporation (SAIC), Symantec, Trend Micro, Verizon and Visa.

Some of those board members have a ways to go regarding privacy in their products or services. As a business consultant, I regularly use VPN software to remotely and securely access my clients' networks and servers. This blog post is not an endorsement of Hotspot Shield, since I have not used it.

What's your opinion of this list of tips? What VPN software do you use?

New Terms Of Service And Privacy Policies Go Live At Instagram

On Friday, Instagram sent this letter to its users:

From: Instagram (no-reply@instagram.com)
Subject: Instagram Update
Date: January 18, 2013

Hello,

Our community has grown by many millions of people since we wrote our original Terms of Service and Privacy Policy. As we announced in December, we have updated our Terms of Service and Privacy Policy. These policies also now take into account the feedback we received from the Instagram Community. We're emailing you to remind you that, as we announced last month, these updated policies will be in effect as of January 19th, 2013.

You can read our blog post that highlights some of the key updates. And remember, these updates don't change the fact that you own your photos that you post on Instagram, and our privacy controls work just as they did before.

Thank you,
The Instagram Team

The Instagram blog summaried the changes in its new policies:

"1. Nothing has changed about your photos’ ownership or who can see them.
2. Our updated privacy policy helps Instagram function more easily as part of Facebook by being able to share info between the two groups. This means we can do things like fight spam more effectively, detect system and reliability problems more quickly, and build better features for everyone by understanding how Instagram is used.
3. Our updated terms of service help protect you, and prevent spam and abuse as we grow.

In its blog post, Instagram reassures users that users own their photographs. While that is good, the bigger question is exactly what data dlements are collected, retained, manipulated, and shared? Some relevant portions from the new Terms of Service:

"Instagram does not claim ownership of any Content that you post on or through the Service. Instead, you hereby grant to Instagram a non-exclusive, fully paid and royalty-free, transferable, sub-licensable, worldwide license to use the Content that you post on or through the Service, subject to the Service's Privacy Policy, available here http://instagram.com/legal/privacy/, including but not limited to sections 3 ("Sharing of Your Information"), 4 ("How We Store Your Information"), and 5 ("Your Choices About Your Information")... You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such... Content removed from the [Instagram] Service may continue to be stored by Instagram, including, without limitation, in order to comply with certain legal obligations, but may not be retrievable without a valid court order... Except as otherwise described in the Service's Privacy Policy, available at http://instagram.com/legal/privacy/, as between you and Instagram, any Content will be non-confidential and non-proprietary and we will not be liable for any use or disclosure of Content. You acknowledge and agree that your relationship with Instagram is not a confidential, fiduciary, or other type of special relationship, and that your decision to submit any Content does not place Instagram in a position that is any different from the position held by members of the general public, including with regard to your Content."

Some interesting sections from the new Privacy Policy:

INFORMATION WE COLLECT
We collect the following types of information.
Information you provide us directly:
1. Your username, password and e-mail address when you register for an Instagram account.
2. Profile information that you provide for your user profile (e.g., first and last name, picture, phone number). This information allows us to help you or others be "found" on Instagram.
3. User Content (e.g., photos, comments, and other materials) that you post to the Service.
4. Communications between you and Instagram. For example, we may send you Service-related emails (e.g., account verification, changes/updates to features of the Service, technical and security notices). Note that you may not opt out of Service-related e-mails."

"Metadata:
Metadata is usually technical data that is associated with User Content. For example, Metadata can describe how, when and by whom a piece of User Content was collected and how that content is formatted. Users can add or may have Metadata added to their User Content including a hashtag (e.g., to mark keywords when you post a photo), geotag (e.g., to mark your location to a photo), comments or other data. This makes your User Content more searchable by others and more interactive. If you geotag your photo or tag your photo using other's APIs then, your latitude and longitude will be stored with the photo and searchable (e.g., through a location or map feature) if your photo is made public by you in accordance with your privacy settings."

"We may also share certain information such as cookie data with third-party advertising partners. This information would allow third-party ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you... We may remove parts of data that can identify you and share anonymized data with other parties. We may also combine your information with other information in a way that it is no longer associated with you and share that aggregated information."

The new policy does not seem to mention exactly how Instagram may manipulate (e.g., add, delete, merge) the metadata attached to your photographs with other data elements (e.g., mobile geolocation data). That is important to know given a recent lawsuit about alleged unannounced and unauthorized data collection, retention, and tracking involving its mobile apps.

The information in this blog post is not legal advice. If you are concerned about the new policies, get legal advice from an attorney. I am not an attorney.

Study: 30 Percent Of Teen Girls Meet In Person Strangers They Met Online

This is a startling and terrifying statistic. Parents: what is your teenage daughter doing online? WFMJ reported the results of a recent pediatric study:

"... the study tracked online and offline activity among more than 250 girls aged 14 to 17 years and found that 30 percent followed online acquaintance with in-person contact..."

The study, funded by a grant from the National Institutes of Health (NIH), included a mix of girls with and without a history of risky behavior. The study's author is Jennie Noll, a professor of pediatrics at the University of Cincinnati. The NIH is part of the U.S. Department of Health and Human Services (DHHS).

I recommend that parents read the WFMJ article, since it includes additional information. Reportedly, the study appeared in the Journal of Pediatrics. I wished that the study had included younger girls, since many social networking sites allow youth aged 13 and older to register.

FTC Amends Rules Regarding Data Collection Of Personal Information Of Minors

Last month, the U.S. Federal Trade Commission (FTC) clarified and strengthened its rules regarding the collection of personal data of minors under the age of 13. In its announcement, the FTC stated:

"1. Modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
2. Offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
3. close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
4. Extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
5. Extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
6. Strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential
7. Require that covered website operators adopt reasonable procedures for data retention and deletion; and
8. Strengthen the FTC’s oversight of self-regulatory safe harbor programs.

The new rules become effective July 1, 2013. The rules are part of the Children's Online Privacy Protection Act (COPPA) enacted in 1998. The COPPA rules include personal information elements such as the child's full name, home address, email address, telephone number, or any other information that would allow someone to identify or contact the child. As they should, the new rules add more data elements. The FTC stated in its blog:

"The definition of personal information now includes geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice. Also covered: persistent identifiers that can be used to recognize a user over time and across different websites or online services. But there’s a notable exception: COPPA’s parental notice and consent requirements don’t kick in if the identifier is used solely to support the internal operations of the site or service."

It strikes me that the above exception, or loophole, could be used to avoid and abuse consumer information. Those "persistent identifiers" are key since they are used by the online advertising networks, and enable both online tracking and behavioral advertising. Plus, there is a long history of repeated abuse of consumers' sensitive personal information by companies using zombie cookies, Flash cookies, zombie e-tags, search hijacking, and leaky apps on mobile devices. In September 2012, the FTC issued guidelines for mobile app developers.

Companies are advised to watch the FTC Children's Privacy page for additional updates.

In an ideal world, COPPA rules would not stop at age 13, but extend to age 18, the usual age of majority. It would have been better if the amended COPPA rules explicitly mentioned facial recognition.

FTC Report On Mobile Apps For Children: Insufficient Privacy Disclosures

In February 2012, the U.S. Federal Trade Commission (FTC) published its first report on mobile apps for children, after surveying apps in both the Google Android and Apple app stores. That report found that apps provided little or no information for parents about privacy disclosures of the apps. It also called upon all companies in the children's app ecosystem -- app developers, app stores, and third parties -- to provide better disclosures regarding data collection and privacy practices.

In December 2012, the FTC published its second report, which went further than the first report by testing some apps against their state privacy policies. The FTC found:

"... many apps included interactive features or shared kids’ information with third parties without disclosing these practices to parents... Since the first kids’ app report was issued, the market for mobile apps has continued to grow at an explosive rate, providing many benefits and conveniences to consumers. As of September 2012, there were over 700,000 apps available in Apple’s App Store, a 40% increase since December 2011, and over 700,000 apps available in Google Play, an 80% increase since the beginning of 2012."

The survey found that apps still aren't providing sufficient privacy disclosures:

"... parents still are not given basic information about the privacy practices and interactive features of mobile apps aimed at kids. Indeed, most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data. Even more troubling, the results showed that many of the apps shared certain information – such as device ID, geolocation, or phone number – with third parties without disclosing that fact to parents. Further, a number of apps contained interactive features – such as advertising, the ability to make in-app purchases, and links to social media – without disclosing these features to parents prior to download."

The survey methodology included a search in each app store for children's apps, a review of the first 480 pages of search results, and the random selection of 200 apps from each app store for a close evaluation. That evaluation included a review for privacy disclosures on each app's promotion page, within the app itself, and the app developer's website. The evaluation included a test of each selected app to determine:

"... whether they contained certain interactive features and whether they collected or transmitted any information from the mobile devices they were tested on... nearly 60% (235) of the apps reviewed transmitted device ID to the developer or, more commonly, an advertising network, analytics company, or other third party... only 20% (81) of the apps reviewed disclosed any information about the app’s privacy practices... 58% (230) of the apps reviewed contained advertising within the app, while only 15% (59) indicated the presence of advertising prior to download. Further, 22% (88) of the apps reviewed contained links to social networking services, while only 9% (36) disclosed such linkage prior to download. In addition, 17% (66) of the apps reviewed contained the ability to make purchases for virtual goods within the app, with prices for each purchase ranging from $0.99 in apps from both app stores, to $9.99 for Google Play apps and $29.99 for Apple store apps..."

An encouraging sign is that consumers and parents are getting the message and flexing their muscle in the marketplace:

"... a recent Pew study found that 54% of app users decided not to install an app once they discovered how much personal information the app would collect. The study also showed that 30% of app users have uninstalled an app that was already on their cell phone because they learned that the app was collecting personal information the users did not wish to share. Consistent with these findings, a recent study by the Berkeley Center for Law and Technology showed that most consumers consider the information on their mobile devices to be private..."

Actions that the FTC to address the lacka of privacy disclosures:

1. Urge app developers to include privacy disclosures by design in mobild apps and provide guidelines,
2. Provide consumers and parents with educational information to help them navigate the mobile app market,
3. Starting investigations to determine if specific apps have violated the Childrens Online Privacy Protection Act (COPPA), and
4. Conduct a third survey of the childrens mobile app market

Download the FTC report: Apps For Kids; Still Not Making The Grade (Adobe PDF, 1.1 Mbytes).

2 Teens Drug Parents' Milkshakes To Get More Internet Time

This is weird news.

According to the Sacramento Bee, two teenage girls were arrested on Wednesday after allegedly drugging one of the girl's parents, so the teens could use the Internet after a 10 pm curfew. The teens allegedly spiked milkshakes they'd bought for the parents with a prescription sleep aid. After waking up, the suspicious parents had the milkshakes tested and then notified local law enforcement.

It is unclear what the two teens were doing online.

The story has been picked up by many newspapers and news sources including the major television news networks.

A Smart Phone Gift And A Teachable Moment

Did you buy a smart phone or tablet as a Christmas gift for your child or grandchild? Smart phones are very popular gift items. A recent survey found that about 37% of shoppers planned to buy smart phones as gifts for the holidays.

Last week, an 11-year-old student in my tai chi class mentioned that his mother had purchased an iPhone 5 for him as a Christmas present. After hearing this comment, I began to wonder what I would teach an 11-year-old to prepare him/her to use a smart phone wisely to protect their self online... without over-sharing nor running up a huge monthly bill.

I didn't have to search far nor long. Blogger Janell Burley Hofmann developed a contract when she gave her 13-year-old a new iPhone as a Christmas gift. Hofmann's contract clearly outlines both her terms of the gift and her expectations of her teenager. This makes excellent sense. Some notable items from Hofmann's contract:

"1. It is my phone. I bought it. I pay for it. I am loaning it to you. Aren't I the greatest?
2. I will always know the password.
3. If it rings, answer it. It is a phone. Say hello, use your manners. Do not ever ignore a phone call if the screen reads "Mom" or "Dad." Not ever."

Some of the items on the list are obvious:

"7. Do not use this technology to lie, fool, or deceive another human being. Do not involve yourself in conversations that are hurtful to others. Be a good friend first or stay the hell out of the crossfire.
8. Do not text, email, or say anything through this device you would not say in person.
9. Do not text, email, or say anything to someone that you would not say out loud with their parents in the room. Censor yourself.
10. No porn. Search the web for information you would openly share with me. If you have a question about anything, ask a person -- preferably me or your father...
18. You will mess up. I will take away your phone. We will sit down and talk about it. We will start over again. You and I, we are always learning. I am on your team. We are in this together."

I like that Hofmann has included a no-sexting clause, since many teens now use Snapchat (instead of Facebook.com) thinking that those risky photos disappear, but they don't:

"12. Do not send or receive pictures of your private parts or anyone else's private parts. Don't laugh. Someday you will be tempted to do this despite your high intelligence. It is risky and could ruin your teenage/college/adult life. It is always a bad idea. Cyberspace is vast and more powerful than you. And it is hard to make anything of this magnitude disappear -- including a bad reputation."

Readers of the I've Been Mugged blog may remember smart phone insurance issues encountered by some consumers. So, it makes sense to clarify what happens if/when the smart phone breaks:

6. If it falls into the toilet, smashes on the ground, or vanishes into thin air, you are responsible for the replacement costs or repairs. Mow a lawn, babysit, stash some birthday money. It will happen, you should be prepared."

Items I would add to the any smart phoone or tablet contract for a teenager:

19. You will receive spam via email, text messages, and at social networking websites. Learn how to recognize spam.

20. To avoid using up all of your monthly calling minutes, you will likely be tempted to use the WiFi setting on your smart phone instead. This means you will also be tempted to use public WiFi hotspots, which could make your smart phone vulnerable to malware and computer viruses. Don't. You can use our password-protected home WiFi. If you want to use public WiFi hotspots, you will ask your parents first for a VPN software recommendation.

21. You will install an anti-virus app to protect your smart phone just like this software protects your laptop computer. You will learn how to use that anti-virus software and keep it up-to date.

22. Learn how to read the Privacy Policy and Terms and Conditions Policy at websites. If you don't understand or don't like the policy at a website, don't use that website and don't register at that website, no matter how popular you think it is.

23. Read the Privacy Policy and Terms and Conditions Policy before installing a mobile app. If an app doesn't have a policy, don't install nor use that app. If you don't understand or don't like an app's policy, don't install that app on your smart phone and don't use it.

24. Know the full price of an item or service, including any fees, before making an online purchase with your smart phone. If you are unsure what the price is, don't buy it. If the price is more than $10, get the approval of me or your father, first. If the price is less than $10, you will pay for it out of your weekly allowance.

What do you think of Hofmann's smart phone contract for her teen? What items would you add?

FDIC Publishes Money Guide For Young Adults And Teens

The fall issue of the quarterly Consumer News newsletter published by the Federal Deposit Insurance Corporation (FDIC) includes a money guide for young adults and teenage children. Topics include:

• Choosing and using an account for everyday banking;
• Mobile banking by smart phone;
• Avoiding mistakes with credit cards;
• Building a good credit record;
• Obtaining and repaying student loans;
• Getting a good deal on an auto loan;
• Recovering from debt or bill-payment problems;
• Saving money to meet specific goals, made easier with the help of automated services; and
• Guarding against fraud, including identity theft.

Congress created the FDIC in 1933. The agency insures deposits at the nation's 7,181 banks and savings associations. It ensures the soundness of these institutions by identifying, monitoring and addressing risks. The FDIC is funded by fees it charges to the banks its oversees.

The section of the guide about how to avoid costly mistakes with credit cards includes sound advice:

"1. Read the fine print. Before you apply for a credit card, read all the terms and conditions... 2. You can avoid fees by being aware of your card’s credit limit. If you want your credit card issuer to permit transactions over your credit limit to go through, you must notify your lender that you want that service in advance and will pay the resulting fees... 3. Try to pay the entire balance in full and on time every month. That way, you will avoid interest charges and save money... 4. Think twice before applying for more credit cards. Special promotions, such as low introductory rates or discounts on purchases, make it tempting to apply for additional credit cards. But every time you apply for a card, it appears on your credit report. Multiple applications (called “inquiries” on a credit report) or new cards opened within a short time period can lower your credit score... 5. Take advantage of automated alerts from your card issuer. Many lenders and other companies can send customers messages by cell phone or e-mail, such as payment reminders, balance notifications to let you know if you’re close to your credit limit..."

The section about online banking with your smart phone includes several valuable tips:

"1. Ask your bank about the mobile banking services it offers and how much they may cost... 2. Understand your potential liability for unauthorized transactions... 3. Also be aware that the funds you place on a prepaid card may or may not be protected by FDIC insurance if the bank that holds the money (for you and other customers) were to fail... 4. As with any activity conducted online, keep security in mind. Protect your mobile device with a password that is hard for others to guess. Don’t lend your smartphone to others... Quickly report any unauthorized transactions or other suspicious activity."

You can read the money guide online or download a printable copy (Adobe PDF; 892K Bytes).

Trouble In Smart Phone Land

Where I live and work, it seems that most people have smart phones, and love to use them. However, I am getting the impression that many, if not most, have no idea how to protect themselves and their sensitive personal data. While discussing good data security habits, I have been asked the following question by several smart phone users:

Where do I find anti-virus software for my smart phone?

While most people understand the need and take action to protect their desktop and laptop computers with anti-virus software, it doesn't seem to translate to mobile devices. Some feel that their smart phones are immune to computer viruses and malware. Actually, experts warn that malware can infect your smart phone in 4 ways: text messages, email, Bluetooth, and web surfacing. So, I spent a few minutes the other day showing a person how to find anti-virus apps for her new Samsung galaxy III smartphone.

To find anti-virus apps for your smart phone, start with the app store your device is configured with. You can also visit Androidapps.com and select:

Android App Directory > Tools > Security

Next, you'll see a list of familiar brands of anti-virus software providers. Kaspersky, McAfee, Norton, and others. Some brands offer bundle opportunities to protect several devices you might have at home: laptops, tables, and smart phones; or devices for several family members. Shop around, read the service agreements, and shop wisely.

Got an iPhone or iPad? Start shopping here for data security apps. For users with mobilde devices that run Windows® or other operating systems, start shopping here.

I wish that the industry called the devices "handheld computers" or "pocket computers" because that is what the devices are.The phrase "smart phone" seems antiquated for mobile devices that do so much more than make and receive telephone calls.

Smart Mannequins Coming Soon To A Retail Store Near You

A few weeks ago, I wrote a blog post about facial recognition and what consumers need to know. Then, a couple articles appeared about EyeSee, a brand of the new version of bionic mannequins coming soon to retail stores.

I like to call them "smart mannequins," which seems to more aequately describe the technologies used.

Smart mannequins allow retailers to place cameras discretely (or secretly, dpending upon your point-of-view) throughout their stores at eye-level (or lower), unlike traditional security cameras mounted high-up on poles or in the ceilings. I am sure that some retailers hope that this new technology will decrease or deter shoplifting crime.

Also, there several implications for consumers. First, retailers can learn more about the types of consumers that enter their stores. How? The cameras can distinguish betwen gender (e.g., male and female), and age (e.g., children and adults). Some experts claim that the cameras in smart mannequins can determine a person's race. I highly doubt the accuracy of that claim since race is a social construct and since people's appearances vary widely within a race.

Second, retailers can learn more about your shopping habits, since smart mannequins utilize facial recognition technogy. The cameras record the store locations and times of day shoppers visit. The facial recognition component allows retailers to learn where within the store you visit, plus your shopping preferences -- even when you do not buy anything. Depending upon placement, the camera can record the types of clothing you review (e.g., pants, dresses, shoes), the size, and colors as your remove garments from the racks to inspect and/or try on.

This brings the data collection about shoppers and browsers at brick-and-mortar stores closer to the online data collection, where retailers learn about your preferences given the website pages you select and view. Together, it makes anonymous shopping more difficult.

And bionic mannequins raises issues about privacy, disclosure, and notification:

• How long is the in-store collected data archived?
• What other companies does the retailer share the in-store collected facial data with?
• How long is the in-store collected data archived?
• How can consumers opt out of the in-store data collection?
• At what point during the in-store visit should a retailer present its privacy policy?
• Or will a single policy "rule" both online and in-store data collection?
• Should there be separate rules that govern retail store section with medical/health devices and products?
• Should data be collected about children?
• If data should be collected about some children, starting at what age?

The facial recognition guidelines recommended by the FTC include privacy by design, transparency, and choice (to opt in or out). The FTC and CDT support a tiered approach that distinguishes between facial recognition technologies that Count (Level 1), Target (Level 2), and Identify (Level 3) consumers.

Some privacy advocates propose a Digital Out Of Home (DOOH) structure to cover all of the various several technologies (e.g., auto license plate scanners, RFID skimmers, interactive billboards, drones, smart mannequins) which can be used to track consumers.

What's your opinion of smart mannequins and tracking within brick-and-mortar stores?

Safe Shopping Tips For 'Black Friday' And The Holidays

You have probably read or heard about it in either the print, television, or radio advertisements. Many retailers will open early Thanksgiving day night to start the long weekend of shopping including what many refer to as "Black Friday." If you plan to shop, know your rights and shopping tips so you don't get "mugged" by excessive fees.

To help consumers, the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) has developed a holiday shopping guide that explains consumers' rights, the actions retailers are allowed, and shopping tips for the best experience. For example:

"Sale: For the term "sale" to be used in an ad when the actual savings are not stated, the law requires the savings to be at least 10% for items regularly priced $200 or less, and at least 5% for items over $200."

"Restocking Fee: This is a charge deducted from the purchase price when an item is returned, resulting in a partial refund. Sellers must disclose their return policies, including restocking fees, before the initial transaction is completed."

"Layaway: A plan that allows you to pay for a product in installments and receive the merchandise after you have paid in full. A store must fully disclose its policy on layaway plans, including cancellation and return (or non-return) of payments already made."

"Know the seller: Purchasing from a seller you know and trust is the best way to ensure an excellent shopping experience. For unknown web-sites, use an online store review service such as Epinions, BizRate, the Better Business Bureau..."

"Shop smart with a Smartphone: Smartphones allow consumers to keep track of deals, navigate between stores, and compare prices. Check out apps such as Consumer Reports Mobile Shopper and Google Shopper..."

To read the full list of right and tips for consumers, download the "Black Friday Shoppers Guide" (Adobe PDF) or this mobile-friendly version of the same report. Rules for retailers in other states may vary. Check with the consumer affairs agency in your state.

Related posts:

• California Attorney General Notifies Developers Of Mobile Apps In Violation Of State Privacy Laws
• How To Lock Down Your iOS Mobile Device
• Survey: How Mobile Device Users Protect Their Privacy With Mobile Apps
• 5 Things You SHould Know About Prepaid Cards
• Will A Credit Card Or A Debit Card Protect You Better From Fraud?

California Attorney General Notifies Developers Of Mobile Apps In Violation Of State Privacy Laws

Earlier this week, the State Of California Attorney General (AG), Kamala Harris, announced that her office had begun notifying mobile device app developers that were in violation of state privacy laws:

"The companies were given 30 days to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information. Letters will be sent out to up to 100 non-compliant apps at this time, starting with those who have the most popular apps available on mobile platforms."

Last week, the California AG had notified United Airlines about its mobile app. Other companies warned include Delta Air Lines and OpenTable Inc..

The letters are part of enforcement of the California Online Privacy Protection Act, which requires operators of online services (e.g., mobile device apps and apps at social networking sites) that collect personally identifiable information from California residents to conspicuously post a privacy policy. Operators not in compliance face fines of up to $2,500 for each download of a non-compliant app.

Reportedly, non-compliant app developers and app store operators could also be prosecuted under the California Unfair Competition Law and/or False Advertising Law, with fines up to $500,000 per use of a non-compliant app.

This should not be a surprise, given the law and given the February 2012 global agreement between the California AG and several technology companies -- Amazon, Apple, Google, Hewlett-Packard, Microsoft, Amazon, and Research In Motion -- to require mobile app developers to post privacy policies.

This is really good news for consumers who have become increasingly reliant upon mobile devices. Past studies have documented sporadic and poor access to privacy policies by mobile device apps both before and after installation. Once again, California leads the way in protections for consumers.

Ashesi University, Ethics, Africa, And I've Been Mugged Blog

I was very pleased to learn that while Ashesi University began teaching to its students in 2010 the ethics curriculum "Giving Voice To Values" (GVV) developed by Mary Gentile, the university also uses the I've Been Mugged interview with Gentile. Ashesi University, located in Ghana, is a private, secular liberal arts institution that offers bachelor degree programs in Computer Science, Management Information Systems and Business Administration. All students perform community service before graduation.

In July 2012, the university and the MasterCard Foundation jointly hosted the first-ever robotics competition in Ghana to encourage high school students to study computer science, engineering, and other technical fields. The Ashesi University Foundation, located in Seattle, Washington (USA) helps donors around the world support the school.

The school was founded in 2002 by Patrick Awuah, a graduate of Swarthmore College. Watch this June 2007 speech by Awuah at the Ted (Technology, Entertainment, and Design) Global Conference held in Arusha, Tanzania. The New York Times reported in January 2011:

"Africa has reached an inflection point with the march of democracy across the continent,” said Mr. Awuah, speaking at the World Innovation Summit for Education in Doha in November... We can bring change in one generation. How we train our leaders will make all the difference. According to Mr. Awuah, the goal of Ashesi, whose name means “beginning” in Akan, the local language of Ghana, is to train a new ethically responsible educated elite to break the cycle of corruption on the continent."

To find all schools (including Ashesi University) that offer the GVV ethics curriculum, browse the list of GVV pilot sites (Adobe PDF) maintained by Babson College, and its curriculum information. Visit the GVV book website to learn more about and the book, available to the public.

If you know of a school that uses the I've Been Mugged blog as part of an ethics or Interent-related curriculum, let me know or share it below.

FTC Publishes 9 Guidelines For Mobile App Developers

Earlier this week, the U.S. Federal Trade Commission (FTC) introduced guidelines for businesses and mobile application (app) developers. The information is in a new guide titled, "Marketing Your Mobile App: Get It Right from the Start." The guide includes nine recommendations:

"1. Tell the truth about what your app can do. Once you start distributing your app, you become an advertiser... Whether it’s what you say on a website, in an app store, or within the app itself, you have to tell the truth. False or misleading claims, as well as the omission of certain important information, can tick off users and land you in legal hot water... If you make objective claims about your app, you need solid proof to back them up before you start selling. The law calls that “competent and reliable evidence.” If you say your app provides benefits related to health, safety, or performance, you may need competent and reliable scientific evidence."

Businesses that are unsure how to back up their claims with scientific evidence can visit the Business Center Blog for more information.

"2. Disclose key information clearly and conspicuously... your disclosures have to be “clear and conspicuous.” What does that mean? That they’re big enough and clear enough that users actually notice them and understand what they say."

"3. Build privacy considerations in from the start... privacy by design... Incorporating privacy protections into your practices, limiting the information you collect, securely storing what you hold on to, and safely disposing of what you no longer need... For any collection or sharing of information that’s not apparent, get users’ express agreement."

"4. Be transparent about your data practices... be clear to users about your practices. Explain what information your app collects from users or their devices and what you do with their data."

You'd think that following these guidelines was obvious, but researchers at M.I.T. recently documented abuses by mobile apps that tracked users' GPS locations and collected users' browser histories without notice nor consent; sometimes, even when the app was supposedly turned off.

"5. Offer choices that are easy to find and easy to use. Give your users tools that offer choices in how to use your app – like privacy settings, opt-outs, or other ways for users to control how their personal information is collected and shared... Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made."

"6. Honor your privacy promises... Chances are you make assurances to users about the security standards you apply or what you do with their personal information. At minimum, app developers — like all other marketers — have to live up to those promises. The FTC has taken action against dozens of companies that claimed to safeguard the privacy or security of users’ information, but didn’t live up to their promises... The FTC also has taken action against businesses that made broad statements about their privacy practices, but then failed to disclose the extent to which they collected or shared information with others – like advertisers or other app developers."

"7. Protect kids’ privacy. If your app is designed for children or if you know that you are collecting personal information from kids, you may have additional requirements under the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule. Specifically, under COPPA, any operator whose app is directed to kids under age 13 or who has actual knowledge that a user is under 13 must clearly explain its information practices and get parental consent before collecting personal information from children. App operators also must keep personal information collected from children confidential and secure."

"8. Collect sensitive information only with consent... get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information. It’s a mistake to assume they won’t mind."

"9. Keep user data secure. At minimum, you have to live up to the privacy promises you make. But what if you don’t say anything specific about what you do with users’ information? Under the law, you still have to take reasonable steps to keep sensitive data secure."

This is a good list, but in my view the above guidelines are the minimum app developers should do. Ways for businesses and app developers to do better than the FTC minimums:

• Choices for consumers should be opt-in not opt-out
• Consolidate and simplify whenever possible. There are too many privacy policies: mobile device manufacturers, device operating system developers, app stores, telecommunications providers, and the app developer
• Plain language privacy policies, not lawyer speak
• Consistent, easy access. Prior studies have documented sporadic and inconsistent access to privacy policies before app install, after app install, and while the app is running
• Give users an estimate of the daily or monthly consumption by the app, so users can make informed decisions and avoid data plan surprises and overage fees. Auto manufacturers publish mileage estimates. App developers can easily do the same (and should) about data plan consumption by their apps

It is a sad state of affairs when the first guideline has to be, "tell the truth." What do you think mobile apps should do to protect consumers' privacy?

Companies Lobby As Congress Considers Changes To The Video Privacy Protection Act

On Monday, this blog discussed a recent ruling by a California District Court judge regarding a lawsuit against Hulu.com, KISSmetrics, and several defendant. The suit alleged that the defendant companies tracked consumers without notice and consent. Hulu and others attempted to use the Video Privacy Protection Act (VPPA) as a defense, which the court rejected -- meaning movie/video streaming is covered by the VPPA. That blog post also mentioned lobbying efforts by Netflix and Facebook. Today, I'd like to discusses the lobbying activities related to H.R. 2471, and explore the related privacy issues.

H.R. 2471 was introduced in July 2011 by Representative Robert Goodlatte, and passed by the House of Representatives in December 2011. It amends 18 USC 2710, commonly referred to as the VPPA. The Senate has not yet voted on the proposed legislation. In July 2012, MediaPost reported:

"Sen. Patrick Leahy (D-Vt.) this week proposed amending the federal video privacy law to enable consumers to consent on an ongoing basis to the disclosure of information about their movie rentals. Leahy made the proposal as an amendment to a controversial Cybersecurity Act of 2012 (S. 3414)... even if the cybersecurity bill doesn't go through, Leahy's move indicates that the lawmaker agrees with Netflix that the law should be changed..."

Not everyone agrees that the law should be changed, or needs to be changed:

"University of Minnesota law professor Bill McGeveran testified to a Senate panel in January that Netflix could simply offer Facebook users a “play and share” button. If users click on that button, the company could then spread information about users' movie selections to their friends on a per-occasion basis."

Senator Leahy proposed the original VPPA legislation. Now, he supports changing it. You can read the senator's January 2012 statement about why he supports changing the VPPA. To the senator's credit, he mentioned several cautions:

"My original [VPPA] proposal was also to include library records, but we were unable to sustain that protection as the bill worked its way through Congress. More recently, I have worked to add protections for library and bookseller records to section 215 of the USA PATRIOT Act... I worry that sometimes what is “simpler” for corporate purposes is not better for consumers. It might be “simpler” for some if we had no privacy protections, no antitrust protections and no consumer protections, but that is not better for Americans... A one-time check off that has the effect of an all-time surrender of privacy does not seem to me the best course for consumers."

I think that there may be more going on. Forbes reported in December 2011:

"While Netflix has rolled out frictionless Facebook sharing for its Canada and Latin America customers, it has held off in the U.S. in the hopes that Congress will address the issue... Virginia Rep. Robert Goodlatte introduced an update to the Video Privacy Protection Act in July that will allow a "video tape service provider" to disclose people's activity on an "ongoing bases," and that "consent may be obtained through the Internet" -- meaning clicking a box will suffice... Political money analysis non-profit Maplight notes that "the online computer services industry (e.g., the Digital media Association and Netflix), which supported the bill, gave on average 73% more to House members who voted 'YES' ($2,644) than to House members who voted 'NO' ($1,525)."

A review of Senator Leahy's donors may also provide a clue. Media, entertainment, and film companies seem to dominate his donors who gave the most. As of August 15, the senator's largest donors ranked: Time Warner, 3; Walt Disney, 4; Vivendi, 5; Comcast, 9; and Sony, 14.

EPIC shared its views about the legislation:

"H.R. 2471 weakens the consent provision of the VPPA by diminishing the ability of users to control the use and disclosure of their personal information. Under the Amendment, companies like Netflix would be able to obtain one-time, blanket consent from a user and then continuously disclose on Facebook all of the movies watched by that user. Netflix would automatically post this viewing information regardless of whether users would choose to post such information themselves. In addition to transferring control over the user’s information from the user to the company, the Amendment’s blanket-disclosure provision allows companies to profit from the association between users and products. Currently, users of social networking services such as Facebook must take some affirmative action, such as liking or sharing, in order to associate themselves with the product. Thus, users are able to decide on a case-by-case basis which associations they want Facebook to disclose to their friends. By automatically disclosing everything a user watches, the Amendment would make simply watching a movie the equivalent of “liking” it."

The "one-time, blanket consent" that concerns EPIC appears to be the same, "one time check-off" Senator Leahy said he is concerned about. So, I hope that Senator Leahy and the Senate explore improvements to H.R. 2471 that address these concerns. The "one-time, blanket consent" seems tilted too far for the benefits of companies at the expense of consumers.

In my opinion, H.R. 2471 as passed by the House is unacceptable and insufficient. It doesn't go far enough to protect consumers' privacy. How much farther should the legislation go? What might better legislation include?

Below is my list of privacy issues which better legislation, including changes to the VPPA, should include:

• Keep consumers in control of their privacy. This means that the default privacy setting should be "nothing shared" unless the consumer gives explicit consent. A one-time consent is insufficient and undesirable.
• Privacy policies need to be accurate and readable. Since the days of VHS tapes, the Internet has grown along with the use by companies of privacy policies at their' websites. The legislation needs to ensure that privacy policies (including Netflix.com) are crystal clear about what personal information is shared and to whom. That includes any meta data (e.g., viewing time, device, number of views) delivered with the video/movie titles. Otherwise, consumers have no way to make an informed decision about giving consent.
• Mobile devices matter. This is critical since social networking web sites support mobile devices, and this support necessitates several corporate partners (e.g., the mobile device manufacturer, the device operating system manufacturers, telecommunications providers, co-marketing firms, advertisers). Given so many partners' privacy policies, it is difficult for consumers to determine which policy applies. The legislation needs to ensure that mobile app privacy policies are consistently accessible both before and after app installs, and are consistent with partners' website policies. Prior studies have documented poor and inconsistent access to mobile app privacy policies.
• Flexible consent options. For users to maintain control, there should be several sharing opt-in choices. I'd rather see opt-in as device-specific and not global (e.g., across all devices a consumer has). That control may also need to be topic or genre specific. Remember, not all movies are entertainment. Some are closer in content to books (e.g., documentaries) and include sensitive topics (e.g., health care, diseases).
• Consent has limits. The sharing options must provide consumers with the ability to distinguish between sharing with friends and sharing with advertisers. That control should distinguish between social networking websites. Some video/movie-sharing advocates claim, "... people are more willing to share information about what they're watching now." That doesn't mean all consumers nor all social networking websites. Consumers need the control to pick which social networking sites to share their video/movie choices. A single, one-time blanket consent to share is insufficient.
• Children matter. None of the articles I have read about proposed VPPA changes discussed privacy for children. The modified legislation must fit with existing privacy legislation for children, since 56% of parents give their children smart phones for safety and security reasons. Changes to VPPA need to reflect this, which H.R. 2471 does not seem to do.
• Consent can be revoked. Consumers change their minds. People get married, have children, change their consumption habits, experience a data breach, or whatever -- lifestyle changes and experiences impact consumers' privacy choices. The legislation needs to provide consumers with the ability to revoke consent and stop video/movie sharing. H.R. 2471 does not seem to address this.
• Geography alone is an insufficient reason. Just because frictionless movie sharing is already available in other countries (which H.R. 2471 proponents mention), doesn't mean it should be available in the USA. Plenty of laws vary by country or region.
• Speed is not the priority. The old saying, "haste makes waste" applies here, too. A speedy update of the VPPA is not wise. The issues need to be thought through and reconciled with other privacy laws.

In the interest of full disclosure, I am a Netflix subscriber.

If you have opinions or concerns about H.R. 2471, I encourage consumers to contact your elected officials in the Senate, as the Senate could vote to approve H.R. 2471, or develop its own version of legislation to amend the VPPA. Of course, if you are a Vermont resident, please contact Senator Leahy's office.

What's your opinion of H.R. 2471?

Survey Documents Sporadic Access To Privacy Policies By Mobile Device Apps

The Future of Privacy Forum (FPF) recently released the results of its June 2012 survey of mobile device apps and privacy. The survey goal was to understand how often apps provide users with a privacy policy. While a privacy policy is a minimal first step towards data security, it provides both a baseline for consumers to judge the app's operation, and informs users about what sensitive personal data the app uses, and where that data is shared. An industry problem is that too many mobile apps for children still lack privacy policies.

The FPF examined 150 of the most popular mobile apps across three platforms: iOs App Store, Google Play,9 and Kindle. Key findings from the survey:

• 61.3% of all apps examined presented users with a privacy policy. That total included 69.3% of free apps and 53.3% of paid apps.
• The apps examined included many well-known apps: Angry Birds, ESPN Score Center, Facebook, Google Earth, Google Search, Instagram, Netflix, Shazam, Skype, Style Me Girl, Twitter, Virtual Makeover, The Weather Channel, Yahoo! Mail, and more.
• The availability of privacy policies vary greatly by app store and app type:

% of Top Apps That Have A Privacy Policy*
	Free Apps	Paid Apps
iOS App Store	84%	64%
Android - Google Play	76%	48%
Kindle Fire - Kindle App Store	48%	48%
All Platforms	69.3%	53.3%
*Privacy policy either in the app listing page, in the app, or in the developer's website

Ideally, apps should provide immediate and easy access to their privacy policies from the app listing page within the app store. Unfortunately, this access varies greatly:

% of Top Apps That Provide Access To A Privacy Policy On The App Listing Page In The App Store
	Free Apps	Paid Apps
iOS App Store	48%	28%
Android - Google Play	20%	12%
Kindle Fire - Kindle App Store	0%	0%
All Platforms	22.7%	13.3%

Ideally, apps should provide immediate and easy access to their privacy policy from within the app, too. Performance here is somewhat better:

% of Top Apps That Provide Access To A Privacy Policy From Within The App
	Free Apps	Paid Apps
iOS App Store	60%	44%
Android - Google Play	64%	24%
Kindle Fire - Kindle App Store	20%	28%
All Platforms	48%	32%

The other measure of privacy is whether apps collect location-based data (e.g., GPS) and provide users with an opt-in choice before data collection. The researchers found:

"... 12 out of the 50 apps surveyed on the iOS App Store platform requested precise location information and 14 out of the 50 apps surveyed on the Google Play platform requested precise location information and ten out of those fourteen had privacy policies. The study revealed that almost all of the leading apps requesting precise location data did have a privacy policy in place, but found that some very well known apps did not."

Based in Washington, DC, the Future of Privacy Forum (FPF) is a think tank that seeks to advance responsible data practices. The FPF hosts the ApplicationPrivacy.org website that provides best practices for data security for mobile app developers.

The FPF survey is a good first step. Consumers should be warned that the FPF survey did not evaluate whether developers' mobile apps actually complied with the promises in their privacy policies. That is an important issue to be addressed -- often in the courts, or by diligent technologists.

In June, California Attorney General Kamala Harris announced a deal with Facebook.com to ensure that any apps that collect personal data from California residents have privacy policies. Earlier in the year, several app store operators (e.g., Apple Inc., Google Inc., Amazon.com Inc., Microsoft Corporation, RIM Ltd., and Hewlett-Packard) agreed to a similar arrangement with the California AG. This makes one wonder where the other states' attorney general are on this issue.

Since security experts have documented multiple threats that target Apple and Android mobile devices, wise consumers look for trustworthy apps and protections in privacy policies. What do you look for in a mobile app privacy policy?

Website Exposes Embarrassing Facebook Status Messages

Much has been written about the benefits for Facebook members to properly adjust the privacy settings for their profiles. Still, many people don't. There is a new website, "We Know What You're Doing (WKWYD)," which collects and publishes status messages by Facebook users who make their status messages publicly available to everyone. As the WKWYD website explains in its disclaimer:

"All data is pulled directly from Facebook, it is not censored, and it is publicly accessible via the Graph API... the information is provided "as is" without warranty of any kind..."

So, the website is doing what you could do by searching for members' Facebook profiles that are open to the public. The WKWYD site describes itself as a "social networking privacy experiment" to get people to correctly use the privacy settings on their Facebook profile. The WKWYD site focused upon four types of embarrassing status messages:

1. People who trash their boss
2. People who show up at work hungover/drunk/etc.
3. People who admit to takeing drugs (e.g., illegal substances)
4. People who disclose their (or others) telephone numbers

I read a few of the messages, and they are truly embarrassing -- stuff you might tell close friends, but not publicly to everyone. Some of the messages could get some people fired from their jobs:

To avoid having your Facebook status messages published on the WKWYD site, sign into your Facebook account, select "Privacy Settings," and under "Control Your Default Privacy" select either the "Friends" or "Custom" option. If you already see your Facebook status messages on WKWYD, to remove them delete the message(s) from your timeline.

To learn more about the WKWYD site, read CNN, or the Sophos Naked Security blog, or the Huffington Post.

A warning to the wise: use the privacy settings on your Facebook profile.