Mobile Apps provide a significant privacy risk in Australia and overseas. Snapchat breaches provide another example

January 6, 2014

Mobile apps are privacy-invasive time bombs that unfortunately go off way too often. This issue is now on the radar of information commissioners around the world, and not before time.

The Privacy Commissioner has issued a guide on mobile apps (found here) and a checklist (found here). The Warsaw declaration at the 35th International Conference of Data Protection and Privacy Commissioners on the appification of society stated:

Nowadays, mobile applications (apps) are ubiquitous. On our smart phones and tablets, in cars, in and around the house: a growing number of items have user interfaces connected to the internet. Currently, over 6 million apps are available in both the public and private sector. This number is growing by over 30.000 a day. Apps are making many parts of our day-to-day lives more easy and more fun. At the same time, apps also collect large amounts of personal data. This allows for continuous digital monitoring, often without the users being aware that this happens and what their data are used for.

 App developers are often unaware of the privacy implications of their work and unfamiliar with concepts like privacy by design and default. The main operating systems and app platforms do offer some privacy settings, but do not allow for full control by the users to protect their personal data and verify what information is collected for which purpose.

During their 35th International Conference held on 23 and 24 September 2013 in Warsaw, the data protection and privacy commissioners discussed the “appification” of society, the challenges posed by the increased use of mobile apps, as well as possible ways to address these.

 Various reports published by the data protection community on mobile apps in the past years, including but not limited to the European Union’s Article 29 Data Protection Working Party’s Opinion on apps on smart devices, the Privacy Commissioner of Canada’s Guidance for mobile app developers, the United States Federal Trade Commission’s staff report Mobile privacy disclosures: building trust through transparency as well as the International Working Group on Data Protection in Telecommunication’s 2012 Sopot Memorandum, give valuable guidance on how to deal with the relation between apps and privacy.

 The commissioners expressed their clear commitment to ensure users are offered a better privacy experience and plan to address various actors in both the public and the private sector with regard to their roles and responsibilities.

It is essential that users are and will remain in charge of their own data. They should be able to decide what information to share with whom and for what purposes. To this end, clear and intelligible information should be available – including within an app – about data collections taking place before the actual collection starts. Users should be given the option to allow access to specific information like location data or address book entries on a case-by-case basis. Most importantly, apps should be developed on the basis of surprise minimisation: no hidden features, nor unverifiable background data collection.

App developers are drivers of the growth in the digital economy and bring ease to our day-to-day lives. At the same time, they need to ensure compliance with existing privacy and data protection rules around the globe. In order to achieve this goal and at the same time maintain a positive user experience, privacy should be taken into account at the very start of the development of an app. In this way, privacy can also provide a competitive advantage by increasing user trust. Developers need to make a clear decision on what information is necessary for the performance of the app and ensure no additional personal data is collected without informed user consent. This also applies when third party code or plug ins are used by app developers, for example from ad networks. Developers at all times need to be aware what they offer to and request from their users.

The responsibility for privacy does not rest with app developers alone. Providers of operating systems should bear responsibility for their platforms. Admittedly, these actors are increasingly taking up their responsibility by offering general privacy settings on mobile devices. However, these are insufficiently granular to offer full user control for all meaningful aspects of individual data collection. As platform providers create and maintain the framework in which apps are used, they are best positioned to guarantee data protection and bear special responsibility towards the users. In this respect, commitment of the industry to privacy seals or other enforceable certification schemes is to be encouraged.

Although the primary responsibility for user privacy lies with the app industry, privacy and data protection commissioners can and should raise awareness of these issues amongst the actors of the app industry as well as with app users, the general public. In particular, engagement with providers of operating systems should be sought in an endeavour to ensure the essentials of data protection are put in place in their platforms. It is not our task to spoil the fun apps can offer to their users, but misuse of personal data has to be prevented. If encouraging a better privacy practice does not resort to sufficient effect, the commissioners will be ready to enforce the legislation in a global effort to reclaim user control.

 The privacy and data protection commissioners around the world intend to use the coming year to make serious steps in improving privacy and data protection in this area and will revisit the subject during their 36th Conference in Mauritius.

The New Zealand Privacy Commissioner stated:

Among a raft of resolutions debated and passed at the 35th International Conference of Data Protection and Privacy Commissioners in Warsaw in September, delegates discussed what the conference described as the “appification” of society.

The Warsaw conference declaration focused on the challenges posed by the increased use of mobile apps, as well as possible ways to address these, expressing a clear commitment to ensure users are offered a better privacy experience.

The commissioners agreed it was essential that users remained in charge of their own data and that they should be able to decide what information to share with whom and for what purposes. The conference said clear and intelligible information should be available – including within an app – about data collections taking place before the actual collection started.

Users should be given the option to allow access to specific information like location data or address book entries on a case-by-case basis. Apps should be developed on the basis of ‘no surprises’ with no hidden features or unverifiable background data collection.

The conference declaration recognised that app developers were growth drivers in the digital economy, but said they needed to comply with existing privacy and data protection rules. Privacy should be taken into account at the very start of the development of an app and, when incorporated in this way, privacy could provide a competitive advantage by increasing user trust.

Developers needed to make a clear decision on what information is necessary for the performance of the app and ensure no additional personal data was collected without informed user consent.

The conference said providers of operating systems should bear responsibility for their platforms. While many providers were increasingly offering general privacy settings on mobile devices, these were insufficiently granular to offer full user control.

As platform providers created and maintained the framework in which apps are used, they were best positioned to guarantee data protection. Commitment of the industry to privacy seals or other enforceable certification schemes was to be encouraged, the declaration said.

Privacy and data protection commissioners could and should raise awareness of these issues amongst the app industry as well as with the general public.

“It is not our task to spoil the fun apps can offer to their users, but misuse of personal data has to be prevented. If encouraging a better privacy practice does not resort to sufficient effect, the commissioners will be ready to enforce the legislation in a global effort to reclaim user control,” the declaration said.

Asia Pacific Privacy Authorities (APPA) will highlight privacy and mobile apps in Privacy Awareness Week next year. APPA members have agreed to develop an online guide for the safe use of mobile apps, informing people of some of the privacy pitfalls that can be found.

There is good reason to be concerned about privacy breaches by mobile app developers if the US experience is anything to go by. Snapchat suffered a major data security breach on New Year’s Eve. The data of over 4.6 million users was hacked. ZDNet reports, in “Snapchat introduces Find Friends opt-out, bolsters security efforts after data breach”, the history of the breach and what Snapchat has done to fix the problem, too late of course.

It provides:

Snapchat will offer a way for users to prevent themselves from being exposed to a repeat of the privacy leak that affected 4.6m of its users on New Year’s Eve.

Nearly four months after first being warned its Find Friends feature was open to abuse, the ephemeral messaging service has announced plans to update its Android and iOS apps to allow users to opt-out of appearing in its Find Friends database. While Snapchat users previously didn’t need to provide their phone number to use the service, the company encouraged the practice so users could find other people they knew that were already using the app. 

The planned update, announced by Snapchat yesterday, comes in response to the leak earlier this week of 4.6 million Snapchat usernames and phone numbers, which hackers had gained by exploiting the Find Friends privacy flaw that Snapchat had previously dismissed as “theoretical”.

Gibson Security published details of two flaws in Snapchat on Christmas Day, along with Snapchat’s previously private API. One of the flaws revealed by the security company could allow an attacker to use the API to uncover Snapchat usernames, display names and whether accounts were private or not, if a phone number inputted into the Find Friends feature matched one listed by Snapchat’s users.

Gibson Security reported the potential flaws to Snapchat in August. Snapchat yesterday suggested it didn’t ignore the initial report, stating it implemented rate limiting — capping the amount of phone numbers that can be entered into Find Friends in a given period — in August to prevent automated attacks that throw large lists of numbers at Find Friends.

Besides adding the opt-out option, Snapchat says it will introduce several other security changes, including bolstering the rate limiting. 

Snapchat is also implementing systems to make it easier for security researchers to responsibly disclose flaws in its systems. The company isn’t offering any bug bounties, but the public can now email discovered security vulnerabilities to the dedicated address security@snapchat.com.

“We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns,” the company said.
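The two defences the ZDNet report describes, a cap on how many phone numbers can be entered into Find Friends in a given period and an opt-out from the Find Friends database, are sketched below as an added example. It is not Snapchat's code and not part of the quoted report; the class and function names, the limits and the sample directory are assumptions.

```python
import time
from collections import defaultdict, deque

class FindFriendsLimiter:
    """Caps how many phone numbers one account may look up per window."""
    def __init__(self, max_lookups=100, window_seconds=3600, clock=time.monotonic):
        self.max_lookups = max_lookups
        self.window = window_seconds
        self.clock = clock
        self.history = defaultdict(deque)  # account -> timestamps of lookups

    def allow(self, account, count):
        """Return True and record `count` lookups if the account stays under its cap."""
        now = self.clock()
        seen = self.history[account]
        while seen and now - seen[0] >= self.window:
            seen.popleft()                 # forget lookups older than the window
        if len(seen) + count > self.max_lookups:
            return False                   # reject the whole batch, record nothing
        seen.extend([now] * count)
        return True

def find_friends(limiter, directory, account, numbers):
    """Resolve numbers to usernames, honouring the rate cap and opt-outs."""
    if not limiter.allow(account, len(numbers)):
        raise PermissionError("lookup quota exceeded")
    matches = {}
    for number in numbers:
        user = directory.get(number)
        if user and not user["opted_out"]:  # opted-out users look unregistered
            matches[number] = user["username"]
    return matches

# Constructed sample directory (fictional 555-01xx numbers, hypothetical users).
DIRECTORY = {
    "+12025550101": {"username": "alice", "opted_out": False},
    "+12025550102": {"username": "bob", "opted_out": True},
}

def demo():
    fake_now = [0.0]                        # injected clock so the run is repeatable
    limiter = FindFriendsLimiter(max_lookups=3, window_seconds=60,
                                 clock=lambda: fake_now[0])
    first = find_friends(limiter, DIRECTORY, "acct-1",
                         ["+12025550101", "+12025550102"])
    blocked = not limiter.allow("acct-1", 2)  # 2 used + 2 more exceeds the cap of 3
    fake_now[0] = 61.0                        # window has passed, quota is free again
    later = find_friends(limiter, DIRECTORY, "acct-1", ["+12025550101"])
    return first, blocked, later
```

The cap here is keyed on the account only; caps keyed on device or source address are a common complement.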

ZDNet also covered the story as the privacy nightmare evolved here, here and here. CNN covered the story here. The report provides:

Snapchat will add new privacy features after a hack last week that exposed millions of phone numbers and user names from the popular photo- and video-sharing app.

The company said in a blog post it will be updating the app to allow users to opt out of a “Find Friends” feature that uses their mobile phone number. They’ll also be adding internal restrictions that will make it more difficult to employ the method hackers say they used to expose 4.6 million accounts.

“The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse,” Snapchat said in the post, which did not include an apology to its users.

On Tuesday, hackers posted user names and phone numbers, with the final two numbers redacted, to a website called SnapchatDB.info. The site had been suspended by its Web host but, by Friday, appeared to be back online with phone numbers and user names both partially disguised.

The site made the data available for download and offered, by request, to consider releasing unredacted info, which matched the user names with the phone numbers associated with them.

The hack appears to have been an effort to push Snapchat into improving its privacy protections.

“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” the hackers said in a statement released to news outlets. “It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.”

Last week, Gibson Security — a group of “white hat” hackers, meaning they don’t exploit the security gaps they find — published what they said was code that would enable such a hack. The SnapchatDB group said Snapchat implemented “very minor obstacles” after that.

In the blog post, Snapchat said it had added security measures after Gibson suggested in August that such a hack was possible, but that the group’s Christmas Eve post had more details that made Snapchat’s system easier to exploit.

Sources told Business Insider last month that Snapchat has about 30 million monthly active users and more than 16 million daily users.

App developers are often small business operators: sometimes small businesses, but commonly individuals or a couple of guys/girls developing a good idea in a spare room of a house. In Australia many of them are exempt under the Privacy Act, an exemption which requires a turnover of less than $3 million per annum. Given apps thrive on personal information, there is a need for compliance with the privacy principles. The failure to have mandatory data breach notification is another major flaw in the regulatory regime.
