Risk
7/3/2012
09:56 AM
50%
50%

Facebook Joins California Mobile App Privacy Program

Apple, Amazon, and Microsoft have already agreed to abide by the program, which requires all apps to clearly detail in their privacy policies which user data is collected, used, or shared.

Facebook has agreed to abide by California guidelines that are meant to protect the privacy of mobile application users.

In a letter to California's attorney general, the company said that its Facebook App Center, launched last month, would abide by a joint agreement that the state announced earlier this year with key mobile app distributors.

"The App Center provides a centralized place where our users can learn more about participating Facebook apps, read their privacy policies, and, where necessary, report problems," wrote Erin M. Egan, Facebook's chief privacy officer, in the letter. "We are committed to building transparency, control, and accountability into all of our products, and we believe that the App Center empowers users to learn about the policies that will apply to data collected when they use mobile apps included in the Facebook App Center and to make informed choices about which apps they wish to use."

The privacy announcement is significant, given the potential reach of Facebook's new app store. "Facebook will require all software applications ('apps') offered through the App Center to provide a clear link to its privacy policy," said Brian Karp, an attorney at Baker Hostetler, in a blog post. "Given Facebook's increasingly large user base and existing third-party app infrastructure, the App Center is likely to have an impact of significance on the global mobile application marketplace."

[ Federal Trade Commission is weighing in on the privacy debate. See FTC Sets Consumer Data Collection Limits. ]

California launched its mobile app privacy program in February 2012, just one day before the White House announced its proposed Consumer Privacy Bill of Rights. From the outset, the state announced that the six companies with the biggest mobile app market platforms--Amazon, Apple, Google, HP, Microsoft, and Research In Motion--had agreed to participate. "The joint statement resulted from the AG's [attorney general's] collaborative review of mobile application compliance with the California Online Privacy Protection Act and the AG's opinion that the act 'requires mobile applications that collect personal data from California consumers to conspicuously post a privacy policy,'" said Karp.

"The joint statement does not impose legal obligations [but] rather is an effort between the mobile app market companies and the AG to increase transparency and control over personal data in the mobile marketplace 'without unduly burdening innovative mobile platforms and application developers,'" said Karp, referencing the text of the joint statement.

The program isn't legally binding. Rather, it's more of a voluntary code of conduct--and one which only applies to California--with participants agreeing to make clear exactly how "personal data is collected, used, and shared" by any mobile app, he said. It also promises to provide consumers with a mechanism to report any apps that fail to provide a clear privacy policy or break their promises.

Karp said businesses shouldn't treat California's mobile app privacy protection program as an outlier, as the state "and its robust tech community often serve as a thought leader providing legislation other states choose to implement." In addition, he said, the fact that Facebook, Apple, Microsoft, and other technology giants have chosen to work with the state's attorney general signals that the technology industry is now taking "a proactive approach to consumer privacy legal compliance."

In part, that may be because states--and especially California--are getting much more proactive about consumers' online privacy rights, not least after revelations in recent years regarding the full extent to which online advertisers have been secretly tracking consumers.

New apps promise to inject social features across entire workflows, raising new problems for IT. In the new, all-digital Social Networking issue of InformationWeek, find out how companies are making social networking part of the way their employees work. Also in this issue: How to better manage your video data. (Free with registration.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.