Risk
12/7/2012
10:23 AM

Calif. Sues Delta For App Privacy Violations

California attorney general opens suit after Delta ignores warnings about its nonexistent app privacy policy. This may be a small part of the airline's larger technology problems.

Has Delta's smartphone app program been left to fly on autopilot?

That's one possible explanation for why Delta failed to address a written notice from California, sent in October, which warned that unless the airline updated its mobile apps within 30 days to include a privacy policy, the state would sue it for violating privacy laws.

As promised, California's attorney general, Kamala D. Harris, Thursday filed a groundbreaking civil lawsuit against the airline in San Francisco state court. The lawsuit accuses Delta of violating both the 2004 California Online Privacy Protection Act and California's Unfair Competition Law by failing to post a conspicuous privacy policy for its mobile "Fly Delta" app, which debuted in 2010. By conspicuous, the state means that the privacy policy should be "reasonably accessible to consumers within the apps."

According to the lawsuit, "despite collecting substantial personally identifiable information (PII) such as a user's full name, telephone number, email address, frequent flyer account number and PIN code, photographs and geo-location, the Fly Delta application does not have a privacy policy." As a result, it said, "users of the Fly Delta application do not know what personally identifiable information Delta collects about them, how Delta uses that information, or to whom that information is shared, disclosed or sold."

"Losing your personal privacy should not be the cost of using mobile apps, but all too often it is," Harris said in a statement. "California law is clear that mobile apps collecting personal information need privacy policies, and that the users of those apps deserve to know what is being done with their personal information."

The state's lawsuit seeks to prohibit Delta from distributing its mobile app until it posts a privacy policy, and requests a $2,500 fine for every non-compliant app that's been downloaded by consumers. "FlyDelta has been downloaded over 1 million times on Google Play store alone. That's $2.5 billion in potential penalties," said Justin Brookman, director of consumer privacy at the Center for Democracy & Technology, via Twitter.

A Delta spokesman didn't immediately respond to an emailed request for comment about how the airline intends to respond to the lawsuit.

What's perplexing about this case is that the lawsuit could have easily been avoided. Harris first began warning about the state's mobile-app privacy policy enforcement plans in February, when she announced a legal settlement with the six largest mobile app distribution platforms. That settlement included a set of privacy principles that will allow consumers to review an app's privacy policy without having to first download or install the app.

Subsequently, the state began directly cautioning mobile-app developers who failed to post a privacy policy both online and in their app. In letters dated Oct. 29, Harris notified numerous businesses -- which collectively develop as many as 100 different mobile apps -- that they were breaking California privacy law, and had 30 days "to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected."

On Oct. 31, Delta spokeswoman Chris Kelly Singley confirmed to InformationWeek via email, "We have received the letter from the attorney general and intend to provide the requested information."

More than 30 days later, what accounts for Delta's failure to include a privacy policy in its Fly Delta app, which is available for Android, BlackBerry, iOS and Windows Phone devices? Interestingly, every platform version of the app has recently garnered withering reviews for its slow response time, as well as for requiring a PIN code, which Delta previously issued to all new website users. But while Delta has discontinued issuing new PIN codes, its mobile app still requires one. That led one reviewer at the iTunes store to note of the app: "Will only let you login with a pin, and the Delta website says they've switched from pins to passwords (login will only let you continue with a pin). I'm deleting this app immediately."

User reviews also note that the Windows Phone version of the app remains incompatible with Windows Phone 8, which was released more than a month ago. Likewise, some BlackBerry users with recently released handsets said the BlackBerry version of the app fails to work on their device.

In other words, irrespective of the California privacy-lawsuit warning, Delta hasn't been updating its mobile applications lately. Combined with the company's recent decision to drop PINs for passwords -- which appears to be a work in progress -- does the airline currently have more technology challenges on its plate than the company's developers can handle?

Comments
ANON1234301472779,
User Rank: Apprentice
12/7/2012 | 4:44:25 PM
re: Calif. Sues Delta For App Privacy Violations
Delta has more technology challenges on its plate than Management can handle. They're doing well with refusing to board passengers carrying buggy-whips, however.