Risk
12/7/2012
10:23 AM
50%
50%

Calif. Sues Delta For App Privacy Violations

California attorney general opens suit after Delta ignores warnings about its nonexistent app privacy policy. This may be a small part of the airline's larger technology problems.

Has Delta's smartphone app program been left to fly on autopilot?

That's one possible explanation for why Delta failed to address a written notice from California, sent in October, which warned that unless the airline updated its mobile apps within 30 days to include a privacy policy, the state would sue it for violating privacy laws.

As promised, California's attorney general, Kamala D. Harris, Thursday filed a groundbreaking civil lawsuit against the airline in San Francisco state court. The lawsuit accuses Delta of violating both the 2004 California Online Privacy Protection Act and California's Unfair Competition Law by failing to post a conspicuous privacy policy for its mobile "Fly Delta" app, which debuted in 2010. By conspicuous, the state means that the privacy policy should be "reasonably accessible to consumers within the apps."

According to the lawsuit, "despite collecting substantial personality identifiable information (PII) such as a user's full name, telephone number, email address, frequent flyer account number and PIN code, photographs and geo-location, the Fly Delta application does not have a privacy policy." As a result, it said, "users of the Fly Delta application do not know what personally identifiable information Delta collects about them, how Delta uses that information, or to whom that information is shared, disclosed or sold."

[ Privacy seems to be an antiquated concept. Read Social Networks Continue Push For Control. ]

"Losing your personal privacy should not be the cost of using mobile apps, but all too often it is," Harris said in a statement. "California law is clear that mobile apps collecting personal information need privacy policies, and that the users of those apps deserve to know what is being done with their personal information."

The state's lawsuit seeks to prohibit Delta from distributing its mobile app until it posts a privacy policy, and requests a $2,500 fine for every non-compliant app that's been downloaded by consumers. "FlyDelta has been downloaded over 1 million times on Google Play store alone. That's $2.5 billion in potential penalties," said Justin Brookman, director of consumer privacy at the Center for Democracy & Technology, via Twitter.

A Delta spokesman didn't immediately respond to an emailed request for comment about how the airline intends to respond to the lawsuit.

What's perplexing about this case is that the lawsuit could have easily been avoided. Harris first began warning about the state's mobile-app privacy policy enforcement plans in February, when she announced a legal settlement with the six largest mobile app distribution platforms. That settlement included a set of privacy principles that will allow consumers to review an app's privacy policy without having to first download or install the app.

Subsequently, the state began directly cautioning mobile-app developers who failed to post a privacy policy both online and in their app. In letters dated Oct. 29, Harris notified numerous businesses -- which collectively develop as many as 100 different mobile apps -- that they were breaking California privacy law, and had 30 days "to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected."

On Oct. 31, Delta spokeswoman Chris Kelly Singley confirmed to InformationWeek via email, "We have received the letter from the attorney general and intend to provide the requested information."

More than 30 days later, what accounts for Delta's failure to include a privacy policy in its Fly Delta app, which is available for Android, BlackBerry, iOS and Windows Phone devices? Interestingly, every platform version of the app has recently garnered withering reviews for its slow response time, as well as for requiring a PIN code, which Delta previously issued to all new website users. But while Delta has discontinued issuing new PIN codes, its mobile app still requires one. That led one reviewer at the iTunes store to note of the app: "Will only let you login with a pin, and the Delta website says they've switched from pins to passwords (login will only let you continue with a pin). I'm deleting this app immediately."

User reviews also note that the Windows Phone version of the app remains incompatible with Windows Phone 8, which was released more than a month ago. Likewise, some BlackBerry users with recently released handsets said the BlackBerry version of the app fails to work on their device.

In other words, irrespective of the California privacy-lawsuit warning, Delta hasn't been updating its mobile applications lately. Combined with the company's recent decision to drop PINs for passwords -- which appears to be a work in progress -- does the airline currently have more technology challenges on its plate than the company's developers can handle?

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ANON1234301472779
50%
50%
ANON1234301472779,
User Rank: Apprentice
12/7/2012 | 4:44:25 PM
re: Calif. Sues Delta For App Privacy Violations
Delta has more technology challenges on its plate than Management can handle. They're doing well with refusing to board passengers carrying buggy-whips, however.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4692
Published: 2015-07-27
The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.

CVE-2015-1840
Published: 2015-07-26
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space cha...

CVE-2015-1872
Published: 2015-07-26
The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via craft...

CVE-2015-2847
Published: 2015-07-26
Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream.

CVE-2015-2848
Published: 2015-07-26
Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before 5.2.19.0_VA allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!