Apple Suit Underscores Privacy Regulation Pressure
A lawsuit recently filed against Apple for violating the California Invasion of Privacy Act underscores not only that regulators are serious about holding companies to privacy strictures but also that companies that are in the business of protecting users’ privacy will be held to the same high standard.
“The allegations in this new lawsuit are serious and are a perfect example of the ‘glass houses’ principle–if your brand is protecting privacy, you’d better be holier than the Pope on protecting privacy, especially from your own commercial interests,” said Bryan Cunningham, attorney and advisory council member at Theon Technology.
Casey Ellis, founder and CTO at Bugcrowd, said, “It’ll be interesting to watch this case play out and where it lands, but in general, I think it sends a message to organizations who market privacy and security as a differentiating feature to anticipate and prepare for increased scrutiny and accountability around the validity of these claims in the future.”
Still, “allegations, of course, are not proof; we should not jump to conclusions based just on the filing of a lawsuit,” said Cunningham.
“That said, what this case reinforces—for both business and consumers—is that you cannot trust your security or privacy to big-data companies and/or cloud providers,” he noted. “We all must be proactive in protecting our own security, including encrypting sensitive data we store in the cloud, ideally with emerging quantum decryption-resistant technologies.”
The suit, filed in U.S. District Court for the Northern District of California on behalf of a New York resident, Elliot Libman, and others, claimed Apple violated California’s state law “in connection with its illegal recordings of customers’ confidential activity on its consumer mobile application,” which it called “a huge and growing treasure trove of data that Apple amasses and uses for its own profit,” according to the filing.
“Apple records, tracks, collects and monetizes analytics data—including browsing history and activity information—regardless of what safeguards or ‘privacy settings’ consumers undertake to protect their privacy,” the suit alleged. “Even when consumers follow Apple’s own instructions and turn off ‘Allow Apps to Request to Track’ and/or ‘Share [Device] Analytics’ on their privacy controls, Apple nevertheless continues to record consumers’ app usage, app browsing communications and personal information in its proprietary Apple apps, including the App Store, Apple Music, Apple TV, Books and Stocks.”
Because location data is so “intensely private,” it is “important for device and software makers to ensure the options provided to consumers to manage the tracking of this data are easy to understand and work as expected,” said Jason Hicks, field CISO and executive advisor at Coalfire.
“If consumers, as a group, start to doubt their ability to opt-in and opt-out of location tracking by app or service, it’s likely many will just choose to disable it completely. This would be a worst-case scenario for tech companies given the amount of revenue they earn from location-based ads,” Hicks said.
“There appear to be two separate clarifications to be made here. One relates to device analytics, and the other relates to application analytics,” said Michael Gibeau, senior cybersecurity consultant, nVisium.
“Typical device analytics would include information about the specific device you are using. Some examples may fall into the following categories: Type of phone, hardware components and, potentially, its operating system version. These are specific to the device you may be using and could be used to link that device to an individual based on the hardware they used at the time,” Gibeau said. “An example of application analytics would be more focused on the app usage itself. Some application analytics may contain information such as links clicked on, ads viewed or accessed, how often the app was accessed, errors encountered, etc.”
Gibeau said it is not feasible for a user to have full control over what application analytics information is collected because “the app must send a request to a server when a user clicks on a link for them to receive the data they requested. This can be easily considered analytics data and collected by the server itself with no ability for the user to block this logged information. The data is collected based on what requests the user has made and does not identify the user itself. It only shows statistics based on what is received by an unknown end-user.”
But device analytics “is centralized around what device model and its properties are being used or manipulated,” Gibeau said. “This information can be given to apps through permissions to access such data. Thus, it should be disabled in all cases where the user has chosen not to share their device data.”
Claude Mandy, chief evangelist, data security, at Symmetry Systems, said, “It will be interesting to watch this lawsuit unfold as the case centers around the user’s expectations from specific privacy-enabling features rather than the published privacy policy.”
The App Store’s specific privacy policy “clearly states which settings should be used to opt-out of location tracking and ad targeting,” said Mandy.
“Regardless of the outcome, it is increasingly clear that user expectations, product design and privacy UX are going to play an increasing role in determining whether organizations are compliant and acting in accordance with their privacy policies or are really focused on helping their users make the right privacy enhancing choices,” Mandy said, which will create headaches for companies. “Unfortunately for a lot of organizations, they are still struggling to ensure data is being handled securely in accordance with their privacy policy, let alone their users’ expectations.”
Ellis, however, said he welcomes the pressure. “If a feature is being marketed as behaving in a particular way, it should behave according to that claim, especially when it comes to areas like user security and privacy,” he said.