Dark Reading is part of the Informa Tech Division of Informa PLC

Calif. Sues Delta For App Privacy Violations

California attorney general opens suit after Delta ignores warnings about its nonexistent app privacy policy. This may be a small part of the airline's larger technology problems.

Has Delta's smartphone app program been left to fly on autopilot?

That's one possible explanation for why Delta failed to address a written notice from California, sent in October, which warned that unless the airline updated its mobile apps within 30 days to include a privacy policy, the state would sue it for violating privacy laws.

As promised, California's attorney general, Kamala D. Harris, Thursday filed a groundbreaking civil lawsuit against the airline in San Francisco state court. The lawsuit accuses Delta of violating both the 2004 California Online Privacy Protection Act and California's Unfair Competition Law by failing to post a conspicuous privacy policy for its mobile "Fly Delta" app, which debuted in 2010. By conspicuous, the state means that the privacy policy should be "reasonably accessible to consumers within the apps."

According to the lawsuit, "despite collecting substantial personally identifiable information (PII) such as a user's full name, telephone number, email address, frequent flyer account number and PIN code, photographs and geo-location, the Fly Delta application does not have a privacy policy." As a result, it said, "users of the Fly Delta application do not know what personally identifiable information Delta collects about them, how Delta uses that information, or to whom that information is shared, disclosed or sold."

"Losing your personal privacy should not be the cost of using mobile apps, but all too often it is," Harris said in a statement. "California law is clear that mobile apps collecting personal information need privacy policies, and that the users of those apps deserve to know what is being done with their personal information."

The state's lawsuit seeks to prohibit Delta from distributing its mobile app until it posts a privacy policy, and requests a $2,500 fine for every non-compliant app that's been downloaded by consumers. "FlyDelta has been downloaded over 1 million times on Google Play store alone. That's $2.5 billion in potential penalties," said Justin Brookman, director of consumer privacy at the Center for Democracy & Technology, via Twitter.

A Delta spokesman didn't immediately respond to an emailed request for comment about how the airline intends to respond to the lawsuit.

What's perplexing about this case is that the lawsuit could have easily been avoided. Harris first began warning about the state's mobile-app privacy policy enforcement plans in February, when she announced a legal settlement with the six largest mobile app distribution platforms. That settlement included a set of privacy principles that will allow consumers to review an app's privacy policy without having to first download or install the app.

Subsequently, the state began directly cautioning mobile-app developers who failed to post a privacy policy both online and in their app. In letters dated Oct. 29, Harris notified numerous businesses -- which collectively develop as many as 100 different mobile apps -- that they were breaking California privacy law, and had 30 days "to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected."

On Oct. 31, Delta spokeswoman Chris Kelly Singley confirmed to InformationWeek via email, "We have received the letter from the attorney general and intend to provide the requested information."

More than 30 days later, what accounts for Delta's failure to include a privacy policy in its Fly Delta app, which is available for Android, BlackBerry, iOS and Windows Phone devices? Interestingly, every platform version of the app has recently garnered withering reviews for its slow response time, as well as for requiring a PIN code, which Delta previously issued to all new website users. But while Delta has discontinued issuing new PIN codes, its mobile app still requires one. That led one reviewer at the iTunes store to note of the app: "Will only let you login with a pin, and the Delta website says they've switched from pins to passwords (login will only let you continue with a pin). I'm deleting this app immediately."

User reviews also note that the Windows Phone version of the app remains incompatible with Windows Phone 8, which was released more than a month ago. Likewise, some BlackBerry users with recently released handsets said the BlackBerry version of the app fails to work on their device.

In other words, irrespective of the California privacy-lawsuit warning, Delta hasn't been updating its mobile applications lately. Combined with the company's recent decision to drop PINs for passwords -- which appears to be a work in progress -- does the airline currently have more technology challenges on its plate than the company's developers can handle?

Comments
ANON1234301472779,
User Rank: Apprentice
12/7/2012 | 4:44:25 PM
re: Calif. Sues Delta For App Privacy Violations
Delta has more technology challenges on its plate than Management can handle. They're doing well with refusing to board passengers carrying buggy-whips, however.