In this presentation, FMC’s Timothy Banks describes the important issues to consider when thinking about privacy and security in mobile e-commerce. The presentation includes a discussion of the following topics: - Outlines for M-Commerce - Overview of Guidelines - Special Issues (address book information, online behavioral tracking and analytics, geolocation data, children, and ongoing emerging issues) - Transparency and Accountability in Design (consent, representations and disclaimers and applying Canada’s Anti-Spam Legislation) - The three dimensions of M-Commerce

1. Privacy and Security in
Mobile E‐Commerce
Current to: February 20, 2013
Presented by: Timothy M. Banks, Partner
timothy.banks@fmc‐law.com
@TM_Banks
1

2. Outline of Presentation
• Opportunities for M‐Commerce (5)
• Overview of Guidelines (5)
– Canada
– U.S. FTC and California
• Special Issues (25)
– Address Book Information
– Online Behavioural Tracking and Analytics
– Geolocation Data
– Children
– Ongoing and Emerging Issues
• Transparency and Accountability in Design (15)
– Consent, Representations and Disclaimers
– Applying Canada’s Anti‐Spam Legislation
2

3. Opportunities for M‐Commerce
• M‐Commerce has three dimensions
– influencing purchasing decisions
– bringing the point of sale to the consumer
– data gathering
3

4. Recent Guidelines in Canada
• Seizing Opportunity: Good Privacy Practices for Developing
Mobile Apps (Canada, British Columbia and Alberta) (October
2012)
• Policy Position on Online Behavioural Advertising (Canada)
(June 2012)
• Gaming consoles and personal information: playing with
privacy (Canada) (November 2012)
• Data at Your Fingertips: Biometrics and the Challenges to
Privacy (Canada) (February 2011)
4

5. Recent Guidelines in the United States
• Mobile Privacy Disclosures: Building Trust Through
Transparency (FTC) (February 2013)
• Facing Facts: Best Practices for Common Uses of Facial
Recognition Technologies (FTC) (October 2012)
• Protecting Consumer Privacy in an Era of Rapid Change (FTC)
(March 2012)
• Privacy on the Go (California) (January 2013)
5

6. Key Messages
• Expansive view of personal information
• Contextual Notice
• Real Time Consent
• Opt‐Out of tracking only if clear notice, and non‐sensitive
information
• Do Not Track must be an option
• High standard for de‐identification
• Privacy policy must match practices
• Your privacy policy might be a contract (treat it as one – can
you meet your obligations?)
• Express Opt‐In – just‐in‐time might be the future
6

7. Address Book Information
• WhatsApp Case Study
• Allows individuals to exchange messages on mobile devices
through the Internet rather than SMS
• User registers and provides:
– Country of residence
– Mobile phone number
– Acceptance of terms of service
– Double verification through SMS response
7

8. Device Information Collection
• Device identifier
– Mobile Subscriber ID
– Mobile Country code
– Mobile Network code
8

9. Address Book Collection
• WhatsApp populated the “All Contacts” list by:
– Accessing address book up to 2 x per day
– Collecting only mobile numbers
– Transmitting by Secure Socket Layer or Transport Layer Security
– Matching against mobile numbers of other users
– Hashing non‐matches
9

10. Terms of Service
• In order to access and use the features of the Service, you
acknowledge and agree that you will have to provide WhatsApp
with your mobile phone number. You expressly acknowledge
and agree that in order to provide the Service, WhatsApp may
periodically access your contact list and/or address book on
your mobile device to find and keep track of mobile phone
numbers of other users of the Service [...]
• You hereby give your express consent to WhatsApp to access
your contact list and/or address book for mobile phone
numbers in order to provide and use the Service. We do not
collect names, addresses or email addresses, just mobile phone
numbers. (para. 32)
10

11. Treatment of Out‐of‐Network Users
• WhatsApp made the out‐of‐network numbers anonymous
– “Out‐of‐network numbers are stored as one‐way, irreversibly hashed
values. WhatsApp uses a multi‐step treatment of the numbers, with the
key step being an “MD5” hash function. The phone number and a fixed
salt value serve as input to the hash function, and the output is
truncated to 53 bits and combined with the country code for the
number. The result is a 64‐bit value which is stored in data tables on
WhatsApp's servers. According to WhatsApp, this procedure is designed
to render out‐of‐network numbers (i.e., the mobile numbers of non‐
users) anonymous.” (para. 28)
11

12. All okay, right? … Wrong!
• PIPEDA, Principle 4.3.3
– An organization shall not, as a condition of the supply of a product or
service, require an individual to consent to the collection, use, or
disclosure of information beyond that required to fulfil the explicitly
specified, and legitimate purposes.
• PIPEDA, Principle 4.4
– The collection of personal information shall be limited to that which is
necessary for the purposes identified by the organization. Information
shall be collected by fair and lawful means.
12

13. Findings
• Users should have the ability to manually add and manage
contacts rather than being compelled to provide complete
access.
– Violates the condition of service rule
• Did not require the out‐of‐network mobile numbers.
– Violates the limited collection rules
• Rejected idea that it was no longer personal information
– True anonymity is only achieved where information can never be linked
to an individual, either directly or indirectly. In our view, WhatsApp's
use of all digits in an out‐of‐network phone number, coupled with a
fixed salt value for the hash function, does not result in a true
anonymization of out‐of‐network numbers. This is because the number
could be recovered, with a modest amount of computing effort, if the
out‐of‐network number database and salt value were breached.
13

14. Address Book Information and Children
• U.S. Case Study – Path Social Networking
• Path automatically collected and stored address book
information even if the user did not select the “Find Friends
from Contacts” feature
• Collected name, address, phone numbers, email addresses,
Facebook and Twitter user names and date of birth (if in the
address book)
• Accepted registrations from children under 13
14

15. FTC Settlement
• Settled with FTC for $800,000 for:
– making deceptive representations regarding the automatic collection of
personal information
– collected information from minors in violation of Children’s Online
Privacy Protection Act (COPPA)
• Plus variety of monitoring and assessment orders
15

16. Online Behavioural Advertising and
Tracking
• Mobile Apps are not free
• Apps are the medium
• Influencing your purchasing decision is the message
• Your personal information is valuable for delivering the right
message at the right time
• OBA is advertising that is placed by an advertising service based
on multiple unrelated Internet‐based activities, geolocation
data and other sources
16

17. It is Personal Information
• MAC address / IP address, website history, search terms, App
activities and transactions, coarse location
• PIPEDA, s. 2
– “personal information” means information about an identifiable
individual, but does not include …
• OPC says given the context and the purpose of OBA, the
information collected will be treated as personal information
and it is up to organizations to prove otherwise
17

18. Reasonable Purpose Test
• Consent is a necessary but not sufficient condition in Canada
• PIPEDA, s. 5(3)
– An organization may collect, use or disclose personal information only
for purposes that a reasonable person would consider are appropriate
in the circumstances.
• OBA can be a reasonable purpose but not a condition of service
for accessing and using the Internet generally (OPC’s OBA
Guidance)
18

19. Consent – Opt‐In / Opt‐Out
• Opt‐Out if:
– User has clear notice
– User is able to opt‐out without difficulty
– Notice is given before collection
• Consent should be contextual (“just in time”)
• Information should not be “sensitive” information
• Information should be destroyed “as soon as possible” or
effectively de‐identified
• No tracking children (in U.S., get parental consent)
• Warning: Advertising to children in Québec
19

20. Geolocation Data
• Location awareness
• IP address, GPS, cell phone towers, Wifi, sensors on device to
determine inside or outside
• Malte Spitz: http://bit.ly/O64QGN
• Used in advertising
• Social and “Dating Apps” (some pinpoint to an address)
20

21. Geolocation is Personal Information
• Where you are and where you aren’t is information about you
• Mobile devices are personal devices
• Location information is, therefore, likely to be information
about an identifiable individual because the location of the
device correlates with the individual’s location
21

22. Canadian Approach to Geolocation: Still
Emerging Outside Work
• Previously the OPC has taken the position that the existence of
a legitimate security objective does not automatically justify
the use of a surveillance technology.
• Four‐part test
– Is the use of the technology demonstrably necessary to meet a specific
need?
– Is the use of the technology likely to be effective in meeting that need?
– Is the loss of privacy proportional to the benefit gained?
– Is there a less privacy‐invasive way of achieving the same end?
22

23. Ongoing and Emerging Issues
• Emerging gatekeeper role for App Stores
– Desired by FTC
• Concerns regarding layering and symbols
– Solving one problem and creating another
– “Gotcha” problem with transparency and misleading representations
• Leakage
– The opaque nature of analytics companies
• Unlawful Use
– Consumer Reporting / Credit Reporting
– FTC settlement against two mobile Apps offering job applicant
screening tools (Filiquarian Publishing, LLC and Choice Level, LLC)
23

24. Transparency and Accountability in Design
• Consent
• Representations
• Disclaimers
24

25. Best Consent Practices
• Just‐in‐time consent and graphics
• Layering information
– Main points up‐front
– Details click through
– Note: Worries in the U.S. regarding misleading representations
• Privacy dashboards allowing users to customize settings
25

26. Representations
• Is your Privacy Policy a representation?
• Statutory right of rescission
• Damages
26

27. Ontario Consumer Protection Act, 2002
(OCPA)
• s. 1: “representation” means a representation, claim,
statement, offer, request or proposal that is or purports to be,
(a) made respecting or with a view to the supplying of goods or
services to consumers, or (b) made for the purpose of receiving
payment for goods or services supplied or purporting to be
supplied to consumers;
27

28. Unfair Practices
• OCPA s. 14. (1) It is an unfair practice for a person to make a
false, misleading or deceptive representation.
• OCPA s. 17. (1) No person shall engage in an unfair practice.
28

29. Quebec Consumer Protection Act
• art. 228. No merchant, manufacturer or advertiser may fail to
mention an important fact in any representation made to a
consumer.
29

30. Warranty: Quality of services
• Is privacy part of the quality of the services?
• OCPA, s. 9.(1) The supplier is deemed to warrant that the
services supplied under a consumer agreement are of a
reasonably acceptable quality.
• No disclaimer permitted
• Québec has additional issues
30

31. Applying Canada’s Anti‐Spam Legislation
• Mobile not exempt!
• Messages to an electronic address
– Covers email
– SMS
– In App messaging, depending on whether it is sent to specific address
(i.e. not a “wall” or Twitter feed)
• Installation of computer programs
– Covers installation of Apps, add‐ons, etc.
31

32. Commercial Electronic Messages (CEMS)
• An electronic message that, having regard to the content of the
message, the hyperlinks in the message to content on a website
or other database, or the contact information contained in the
message, it would be reasonable to conclude has as its
purpose, or one of its purposes, to encourage participation in a
commercial activity
• Need not be predominant purpose
• Opt‐In consent with limited exceptions
32

33. More Than Just Spam
• Computer program includes any data representing instructions
or statements that, when executed in a computer system,
causes the computer system to perform a function
• Opt‐in consent to installation of a computer program
• Limited exceptions such as for cookie, HTML code, Java Scripts,
operating system provided that “the person’s conduct is such
that it is reasonable to believe that they [sic] consent to the
program’s installation”
33

34. CRTC Guidance
• http://bit.ly/WShRsq
34

35. Questions?
Timothy M. Banks, Partner
Fraser Milner Casgrain LLP
416 863 4424
timothy.banks@fmc‐law.com
@TM_Banks
www.datagovernancelaw.com

36. The preceding presentation contains examples of
the kinds of issues companies dealing with
privacy and security in mobile e‐commerce could
face. If you are faced with one of these issues,
please retain professional assistance as each
situation is unique.