Risk
7/3/2012
09:56 AM
Connect Directly
RSS
E-Mail
50%
50%

Facebook Joins California Mobile App Privacy Program

Apple, Amazon, and Microsoft have already agreed to abide by the program, which requires all apps to clearly detail in their privacy policies which user data is collected, used, or shared.

Facebook has agreed to abide by California guidelines that are meant to protect the privacy of mobile application users.

In a letter to California's attorney general, the company said that its Facebook App Center, launched last month, would abide by a joint agreement that the state announced earlier this year with key mobile app distributors.

"The App Center provides a centralized place where our users can learn more about participating Facebook apps, read their privacy policies, and, where necessary, report problems," wrote Erin M. Egan, Facebook's chief privacy officer, in the letter. "We are committed to building transparency, control, and accountability into all of our products, and we believe that the App Center empowers users to learn about the policies that will apply to data collected when they use mobile apps included in the Facebook App Center and to make informed choices about which apps they wish to use."

The privacy announcement is significant, given the potential reach of Facebook's new app store. "Facebook will require all software applications ('apps') offered through the App Center to provide a clear link to its privacy policy," said Brian Karp, an attorney at Baker Hostetler, in a blog post. "Given Facebook's increasingly large user base and existing third-party app infrastructure, the App Center is likely to have an impact of significance on the global mobile application marketplace."

[ Federal Trade Commission is weighing in on the privacy debate. See FTC Sets Consumer Data Collection Limits. ]

California launched its mobile app privacy program in February 2012, just one day before the White House announced its proposed Consumer Privacy Bill of Rights. From the outset, the state announced that the six companies with the biggest mobile app market platforms--Amazon, Apple, Google, HP, Microsoft, and Research In Motion--had agreed to participate. "The joint statement resulted from the AG's [attorney general's] collaborative review of mobile application compliance with the California Online Privacy Protection Act and the AG's opinion that the act 'requires mobile applications that collect personal data from California consumers to conspicuously post a privacy policy,'" said Karp.

"The joint statement does not impose legal obligations [but] rather is an effort between the mobile app market companies and the AG to increase transparency and control over personal data in the mobile marketplace 'without unduly burdening innovative mobile platforms and application developers,'" said Karp, referencing the text of the joint statement.

The program isn't legally binding. Rather, it's more of a voluntary code of conduct--and one which only applies to California--with participants agreeing to make clear exactly how "personal data is collected, used, and shared" by any mobile app, he said. It also promises to provide consumers with a mechanism to report any apps that fail to provide a clear privacy policy or break their promises.

Karp said businesses shouldn't treat California's mobile app privacy protection program as an outlier, as the state "and its robust tech community often serve as a thought leader providing legislation other states choose to implement." In addition, he said, the fact that Facebook, Apple, Microsoft, and other technology giants have chosen to work with the state's attorney general signals that the technology industry is now taking "a proactive approach to consumer privacy legal compliance."

In part, that may be because states--and especially California--are getting much more proactive about consumers' online privacy rights, not least after revelations in recent years regarding the full extent to which online advertisers have been secretly tracking consumers.

New apps promise to inject social features across entire workflows, raising new problems for IT. In the new, all-digital Social Networking issue of InformationWeek, find out how companies are making social networking part of the way their employees work. Also in this issue: How to better manage your video data. (Free with registration.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-5522
Published: 2014-09-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6025. Reason: This candidate is a reservation duplicate of CVE-2014-6025. Notes: All CVE users should reference CVE-2014-6025 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-5523
Published: 2014-09-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5524. Reason: This candidate is a duplicate of CVE-2014-5524. Notes: All CVE users should reference CVE-2014-5524 instead of this candidate. All references and descriptions in this candidate have been removed to prevent acciden...

CVE-2014-5575
Published: 2014-09-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

CVE-2014-5665
Published: 2014-09-22
The Mzone Login (aka com.mr384.MzoneLogin) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio