In a case against Compete, a web analysis company that uses web tracking software (Compete Toolbar) to collect personal data without disclosing the extent of what it collects the FTC has ordered that in future the company must obtain consumers express consent. The company captured: usernames and passwords; searches conducted; credit card and financial account information, security codes and expiry dates; social security number and more.
In another recent case the FTC found seven “rent to own” firms using DesignerWare software spied on their renters by using so called “location tracking software” that captured screen shots, key stroke logging and activated and took web can pictures of users all without notice or consent. The software also contained a “kill switch” that could be used to disable the computer if payments were late.
Even Google got caught in September 2012 and had to pay a record setting penalty of $22.5M to the FTC over circumventing Apple’s Safari browser (iPad, iPhone and Mac) by placing cookies which delivered targeted advertisements to users. “No matter how big or small all companies must abide by FTC orders… and keep their privacy promises…” See iTwire story
So serious is the FTC that they have just fined developers of Path, a social networking app US$800,000 for collecting personal information from children without parental consent by interrogating users mobile address books. FTC has a special US Children’s Online Privacy Protection Act (COPA) that helps to protect children under 13 years.
The FTC is now looking at privacy issues for mobile apps (smartphones and tablets). The issue has only started since smart mobile computing devices have virtually dominated phone sales. See iTWire story
Staff have prepared a string of recommendations titled “Building Trust Through Transparency” which if implemented would ensure that smart phones include a “do not track” feature. The majority of recommendations are about informing the consumer what information is collected to allow them to make an informed decision – do you care if location data is collected to give you a list of local restaurants?
Implementing the FTC policy won’t be easy. At the top end it will require mobile phone OS makers (Apple, Google, Microsoft and Blackberry) to secure the system API’s against data leaks from geolocation, contact lists, calendar information and photos etc. API’s will need to inform the user if an App is trying to access such data. A great suggestion was that the OS makers develop a dashboard system that analyses what Apps access and to provide a “one button” do not track facility.
At the next tier the App developers, advertising networks and analytics companies will most likely lose access to the data that has made them a lot of money. Recommendations included having a plain simple disclosure policy – what is collected and what it is used for. Apps would also be required to alert the user and obtain “just in time” consent before use.
Even ISP’s and Telco’s will be drawn into the web needing to ensure compliance.