California's mobile privacy crackdown praised
State's attorney has started notifying businesses that their apps are in violation of the state's Online Privacy Protection Act
By Antone Gonsalves
November 01, 2012 — CSO — California's top prosecutor has sent warnings to scores of mobile app developers that have allegedly violated the state's privacy laws, a crackdown that security experts applaud as good for the industry.
Attorney General Kamala D. Harris started notifying businesses this week that their apps did not have easily accessible privacy policies, as required by the state's Online Privacy Protection Act. The warnings affect as many as 100 apps.
The companies have 30 days to correct the problem. Besides being conspicuous, privacy policies must also inform users what personal information is gathered and how it is used. Violators face fines of $2,500 for each downloaded app.
"We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California's privacy laws," Harris said in a statement.
Among the businesses receiving warnings were airlines United Continental and Delta and restaurant reservation scheduler OpenTable, Bloomberg BusinessWeek reports. The latter two companies did not respond to a request for comment, but United confirmed receiving the warning.
"We are taking all steps necessary and appropriate to ensure compliance with California law as it relates to our mobile app," United spokeswoman Mary Clark said in an email.
Mobile security experts and vendors said the crackdown was good for the industry, because it would boost California consumers' confidence. California is one of the most aggressive states in the nation on privacy protection.
"In the long run, this will be good for the mobile app industry," said Xuxian Jiang, an assistant professor at North Carolina State University who has done research on mobile privacy.
Because people often use their mobile devices for work, the law also provides some protection to employers.
"Businesses may not be aware of the risks to data leakage from these apps," said Chester Wisniewski, a senior security adviser for Sophos. "Imagine a situation where employees are loading some application that is sending your corporate address book to some third party without your knowledge."
Studies have shown that many smartphone game developers have partnered with advertisers that gather personal information without permission. This has become a serious problem on devices running Google's Android operating system, because anyone can sell apps for the platform. All apps for Apple devices are sold and vetted by the company.
"Smartphones are in my opinion the greatest threat to loss of intellectual property and concern about privacy," said Darren Hayes, an assistant professor and expert in computer forensics at Pace University. "There are mobile apps that are masked as legitimate games which compromise other data on your phone. More aggressive privacy laws may mitigate some of the risk."
App developers caught in California's privacy net may have difficulty meeting the state's 30-day window for fixing the problem, Jiang said. "Lots of apps would have to be updated to include the privacy notice, so this is a seriously short time for the app developer."
Nevertheless, Lee Cocking, vice president of corporate strategy at Fixmo, said he would like to see California go even further. "What's really needed is clear and concise information for an end user and business that clearly states something like, 'This application has access to the following: camera, contact list, SMS messages.'"
This year, Harris created a Privacy Enforcement and Protection Unit dedicated to enforcing the state's privacy laws. A number of tech companies have formally agreed to improve privacy protections, including Amazon, Apple, Google, Hewlett-Packard, Microsoft, Facebook and Research In Motion (RIM).
Despite California's efforts, privacy remains a serious problem on mobile apps. In a recent analysis of 1.7 million apps on the Google Play market, Juniper Networks found that free apps were four times more likely than paid apps to track the user's location, three times more likely to access address books and two-and-a-half times more likely to access the device camera.