Risk
8/17/2011
02:11 PM
Connect Directly
RSS
E-Mail
50%
50%

Smartphone Data Collection From Kids Draws FTC Fine

W3 Innovations agrees to pay $50,000 for failing to provide a clear privacy policy or secure parental consent before gathering personal information on tens of thousands of children.

On Monday, the Federal Trade Commission announced that mobile application developer W3 Innovations had agreed to pay a $50,000 fine for its failure to create clear privacy policies for its smartphone applications, as well as for improperly collecting and sharing information on at least 30,000 children under the age of 13.

The FTC complaint--made against W3 Innovations, as well as company owner and president Justin Maples--alleged that they violated the Children's Online Privacy Protection Act of 1998 (COPPA). The law, which the FTC enforces, prohibits the collection of personal information on children under the age of 13 without a parent's prior consent. The law also requires websites to post complete, clear, and understandable privacy policies.

Legal experts said this is the first FTC case to involve smartphone applications. But as more people embrace smartphones, tablets, and other mobile devices to meet their computing needs, don't expect it to be the last.

According to the complaint, W3 Innovations "allowed children to publicly post information, including personal information, on message boards. These interactive apps send and receive information via the Internet, and are online services covered by the COPPA Rule." Furthermore, said the FTC, "the defendants did not provide notice of their information-collection practices and did not obtain verifiable parental consent before collecting and/or disclosing personal information from children," which violated COPPA.

W3 Innovations, which does business under the name Broken Thumbs Apps, bills itself on LinkedIn as "a small, family-owned and operated mobile device app developer based out of Silicon Valley," and according to its website, has four employees. The 40-odd mobile applications it's developed for Apple iOS feature titles such as "Emily's Dress Up and Shop," "Santa's Run," "Beer Toss," and "Zombie Duck Hunt."

Several of the company's applications, including six "Emily"-themed applications--first released in February 2010 and collectively downloaded more than 50,000 times--drew the FTC's attention since they were designed for children. According to the FTC, "the Emily apps encouraged children to email 'Emily' their comments and submit blogs to 'Emily's Blog' via email, such as 'shout-outs' to friends and requests for advice." But, according to the FTC complaint, W3 Innovations "collected and maintained thousands of email addresses from users of the Emily apps," without first obtaining parental consent.

As part of its settlement, W3 Innovations agreed to not violate COPPA, as well as to delete all information it collected in violation of COPPA rules.

This isn't the first time that the FTC has fined a company for COPPA violations. Notably, in 2006, blogging community Xanga paid a $1 million fine for improperly collecting, using, and disclosing information relating to children under the age of 13.

According to Christopher Wolf, director of the privacy and information management practice at law firm Hogan Lovells and co-chair of the Future of Privacy Forum, the FTC has lately been taking a tougher stance on privacy, including website privacy policy clarity. "I think it's clearly more aggressive in the area of privacy," he said in a recent telephone interview. "I think the FTC has a sensitivity to the value of data in our information society, they're not allergic to the use of data." Furthermore, he said, "I think they've been relatively cautious in their enforcement actions." But expect that to change.

Where smartphone applications are concerned, there's room for improvement. "In the app world, which often implicates cloud computing, there is a serious question of how app developers will handle privacy," according to a recent post to the Hogan Lovells Chronicle of Data Protection blog.

Notably, a study conducted earlier this year by the Future of Privacy Forum tested 30 leading smartphone applications for Android, BlackBerry, and iOS, and found that 24 of them "lacked even a basic privacy policy." On a related note, Sen. Al Franken, D-Minn., in May wrote to Apple and Google, requesting that they require developers of smartphone applications that collect location data to specify how that data will be used, in their privacy policies.

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.