In this presentation, FMC’s Timothy Banks describes the important issues to consider when thinking about privacy and security in mobile e-commerce. The presentation includes a discussion of the following topics:
- Opportunities for M-Commerce
- Overview of Guidelines
- Special Issues (address book information, online behavioral tracking and analytics, geolocation data, children, and ongoing emerging issues)
- Transparency and Accountability in Design (consent, representations and disclaimers and applying Canada’s Anti-Spam Legislation)
- The three dimensions of M-Commerce
2. Outline of Presentation
• Opportunities for M‐Commerce (5)
• Overview of Guidelines (5)
– Canada
– U.S. FTC and California
• Special Issues (25)
– Address Book Information
– Online Behavioural Tracking and Analytics
– Geolocation Data
– Children
– Ongoing and Emerging Issues
• Transparency and Accountability in Design (15)
– Consent, Representations and Disclaimers
– Applying Canada’s Anti‐Spam Legislation
4. Recent Guidelines in Canada
• Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps (Canada, British Columbia and Alberta) (October 2012)
• Policy Position on Online Behavioural Advertising (Canada) (June 2012)
• Gaming consoles and personal information: playing with privacy (Canada) (November 2012)
• Data at Your Fingertips: Biometrics and the Challenges to Privacy (Canada) (February 2011)
6. Key Messages
• Expansive view of personal information
• Contextual Notice
• Real Time Consent
• Opt-Out of tracking only if clear notice, and non-sensitive information
• Do Not Track must be an option
• High standard for de‐identification
• Privacy policy must match practices
• Your privacy policy might be a contract (treat it as one – can you meet your obligations?)
• Express Opt‐In – just‐in‐time might be the future
10. Terms of Service
• In order to access and use the features of the Service, you acknowledge and agree that you will have to provide WhatsApp with your mobile phone number. You expressly acknowledge and agree that in order to provide the Service, WhatsApp may periodically access your contact list and/or address book on your mobile device to find and keep track of mobile phone numbers of other users of the Service [...]
• You hereby give your express consent to WhatsApp to access your contact list and/or address book for mobile phone numbers in order to provide and use the Service. We do not collect names, addresses or email addresses, just mobile phone numbers. (para. 32)
11. Treatment of Out‐of‐Network Users
• WhatsApp made the out‐of‐network numbers anonymous
– “Out-of-network numbers are stored as one-way, irreversibly hashed values. WhatsApp uses a multi-step treatment of the numbers, with the key step being an “MD5” hash function. The phone number and a fixed salt value serve as input to the hash function, and the output is truncated to 53 bits and combined with the country code for the number. The result is a 64-bit value which is stored in data tables on WhatsApp's servers. According to WhatsApp, this procedure is designed to render out-of-network numbers (i.e., the mobile numbers of non-users) anonymous.” (para. 28)
12. All okay, right? … Wrong!
• PIPEDA, Principle 4.3.3
– An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
• PIPEDA, Principle 4.4
– The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
13. Findings
• Users should have the ability to manually add and manage contacts rather than being compelled to provide complete access.
– Violates the condition of service rule
• Did not require the out‐of‐network mobile numbers.
– Violates the limited collection rules
• Rejected idea that it was no longer personal information
– True anonymity is only achieved where information can never be linked to an individual, either directly or indirectly. In our view, WhatsApp's use of all digits in an out-of-network phone number, coupled with a fixed salt value for the hash function, does not result in a true anonymization of out-of-network numbers. This is because the number could be recovered, with a modest amount of computing effort, if the out-of-network number database and salt value were breached.
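To make the finding on slides 11 and 13 concrete, here is an added Python model of the quoted scheme (this is not WhatsApp's code; the exact multi-step treatment, the salt value and the bit layout of the 64-bit value are assumptions) together with the effort estimate the OPC's reasoning rests on: a phone number has far less entropy than the 53-bit output, so anyone holding the table and the fixed salt can hash every candidate number and link tokens back.

```python
import hashlib
import math
from typing import Iterable, Optional

# Constructed salt: the real fixed salt value is not public.
SALT = b"constructed-fixed-salt"
HASH_BITS = 53                  # truncation length quoted in the finding
CC_BITS = 64 - HASH_BITS        # remaining 11 bits hold the country code (assumption)


def out_of_network_token(country_code: int, national_number: str, salt: bytes = SALT) -> int:
    """Model of the quoted scheme: MD5 over the number plus a fixed salt, output
    truncated to 53 bits, combined with the country code into one 64-bit value.
    The real 'multi-step treatment' is not public, so the input layout is assumed."""
    assert 0 <= country_code < (1 << CC_BITS), "country code must fit in 11 bits"
    digest = hashlib.md5(national_number.encode("ascii") + salt).digest()
    truncated = int.from_bytes(digest[:8], "big") & ((1 << HASH_BITS) - 1)
    return (country_code << HASH_BITS) | truncated


def input_entropy_bits(digits: int) -> float:
    """Entropy of a uniformly chosen number with this many decimal digits.
    Ten digits give about 33.2 bits, far below the 53 bits of hash output:
    truncation is not what limits an adversary, the small input space is."""
    return digits * math.log2(10)


def candidate_count(digits: int) -> int:
    """Hashes needed to cover every national number of this length once the
    fixed salt is known (the 'modest amount of computing effort' in the finding)."""
    return 10 ** digits


def match_token(token: int, candidates: Iterable[str], salt: bytes = SALT) -> Optional[str]:
    """The linkage the OPC describes: with table and salt in hand, each candidate
    number is hashed the same way and compared. Because the salt is fixed, one
    precomputed table covers every record rather than requiring per-record work."""
    country_code = token >> HASH_BITS
    for number in candidates:
        if out_of_network_token(country_code, number, salt) == token:
            return number
    return None


if __name__ == "__main__":
    # Constructed sample: country code 1 and a fictitious 555 number.
    token = out_of_network_token(1, "5550123")
    print(f"stored token: {token:#018x}")
    print(f"10-digit input entropy: {input_entropy_bits(10):.1f} bits, "
          f"candidates to enumerate: {candidate_count(10):,}")
    # Enumerating a tiny constructed range already links the token back.
    print("linked to:", match_token(token, (f"555{i:04d}" for i in range(1000))))
```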
14. Address Book Information and Children
• U.S. Case Study – Path Social Networking
• Path automatically collected and stored address book information even if the user did not select the “Find Friends from Contacts” feature
• Collected name, address, phone numbers, email addresses, Facebook and Twitter user names and date of birth (if in the address book)
• Accepted registrations from children under 13
15. FTC Settlement
• Settled with FTC for $800,000 for:
– making deceptive representations regarding the automatic collection of personal information
– collecting information from minors in violation of the Children’s Online Privacy Protection Act (COPPA)
• Plus variety of monitoring and assessment orders
16. Online Behavioural Advertising and Tracking
• Mobile Apps are not free
• Apps are the medium
• Influencing your purchasing decision is the message
• Your personal information is valuable for delivering the right message at the right time
• OBA is advertising that is placed by an advertising service based on multiple unrelated Internet-based activities, geolocation data and other sources
17. It is Personal Information
• MAC address / IP address, website history, search terms, App activities and transactions, coarse location
• PIPEDA, s. 2
– “personal information” means information about an identifiable individual, but does not include …
• OPC says given the context and the purpose of OBA, the information collected will be treated as personal information and it is up to organizations to prove otherwise
19. Consent – Opt‐In / Opt‐Out
• Opt‐Out if:
– User has clear notice
– User is able to opt‐out without difficulty
– Notice is given before collection
• Consent should be contextual (“just in time”)
• Information should not be “sensitive” information
• Information should be destroyed “as soon as possible” or effectively de-identified
• No tracking children (in U.S., get parental consent)
• Warning: Advertising to children in Québec
22. Canadian Approach to Geolocation: Still Emerging Outside Work
• Previously the OPC has taken the position that the existence of a legitimate security objective does not automatically justify the use of a surveillance technology.
• Four-part test
– Is the use of the technology demonstrably necessary to meet a specific need?
– Is the use of the technology likely to be effective in meeting that need?
– Is the loss of privacy proportional to the benefit gained?
– Is there a less privacy‐invasive way of achieving the same end?
23. Ongoing and Emerging Issues
• Emerging gatekeeper role for App Stores
– Desired by FTC
• Concerns regarding layering and symbols
– Solving one problem and creating another
– “Gotcha” problem with transparency and misleading representations
• Leakage
– The opaque nature of analytics companies
• Unlawful Use
– Consumer Reporting / Credit Reporting
– FTC settlement against two mobile Apps offering job applicant screening tools (Filiquarian Publishing, LLC and Choice Level, LLC)
32. Commercial Electronic Messages (CEMS)
• An electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity
• Need not be predominant purpose
• Opt‐In consent with limited exceptions
33. More Than Just Spam
• Computer program includes any data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function
• Opt-in consent to installation of a computer program
• Limited exceptions such as for cookie, HTML code, Java Scripts, operating system provided that “the person’s conduct is such that it is reasonable to believe that they [sic] consent to the program’s installation”
36. The preceding presentation contains examples of the kinds of issues companies dealing with privacy and security in mobile e-commerce could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique.