FTC’s Brill sees consumer consent as key for health, finance apps

When normal people use a new app, they don’t wade through hidden service terms. Many just click “OK” and hope for the best. This might be fine for a game of Candy Crush, but it can be risky in the case of apps that monitor things like your bank account or heartbeat.

On March 18, you can find out why from FTC Commissioner Julie Brill, a leading authority on privacy in the age of apps, and one of our guests at Structure Data in New York City.

Brill told me in Washington last week that her agency is concerned about gaps in existing privacy law, especially in how data is stored and sold.

“When it comes to hospitals, insurers and doctors, we have a law that’s well known and well used [i.e. HIPAA],” she said. “Outside of that, when it comes to health tech and wearables, there’s a lot of deeply sensitive information that can be analyzed.”

Brill pointed to an FTC study of 12 health and fitness apps released last spring. It showed how the apps can lead to personal health data, which is normally kept in closed loops of the medical community, trickling out to analytics and advertising companies. Here’s an FTC slide that illustrates the point:

[Image: FTC screenshot]

A similar information sprawl can occur with financial apps, which many consumers use to track spending or obtain rewards.

The result, Brill said, is that data gathered for one purpose, such as counting steps or tracking spending, can get used for another without the consumer’s knowledge. In a worst-case scenario, the data could become a means for insurance companies or employers to discriminate against those who have experienced health or financial trouble.

One way to prevent this, she said, involves improving the consent and transparency process for apps that deal in sensitive data, such as those that collect health or financial information, or precise geo-locations. In these cases, Brill sees a potential solution in encouraging app makers to obtain affirmative consent if they want to use a consumer’s data out of context.

“So if the consumer downloads an app to monitor some of her vital statistics, and the health information is being used to provide that information to the consumer herself – to monitor her weight or blood pressure  – that is part of the context that the consumer understands when she downloads the app, and affirmative consent is not needed,” Brill stated in a follow-up email. “However, if the company is going to share this health information with third parties, like advertising networks, data brokers or data analysts, then that is a collection and use that is outside the context of the relationship that the consumer understood, and affirmative consent should be required.”

The challenge, of course, is for the Federal Trade Commission to find a way to improve privacy protection without subjecting vibrant parts of the economy to pointless or burdensome regulations. Brill said she’s aware of this and, in any event, formal rules or laws (including a Privacy Act like that proposed last week by President Obama) may be a long time coming.

“I believe industry can do lots before any legislation happens,” she said. “Legislation will take a long time, and this industry is taking off — so if industry can do best practices, it will allow appropriate business practices to flourish.”

To hear more about how (and if) the FTC can find a practical way to protect consumers, come join us on March 18-19 at Structure Data, where you’ll meet other leaders of the data economy, including executives from Google, Twitter, BuzzFeed and Amazon.

An earlier version of this story misspelled HIPAA as HIPPA. It has since been corrected.

Decentralized webmail outfit Mailpile scraps beta program for now

When I wrote about the decentralization movement a year back, one of the big pro-privacy hopes was Mailpile, which is ambitiously trying to build a user-friendly yet rock-solid encrypted webmail system with a hybrid desktop/in-browser approach. On Friday, Mailpile’s Bjarni Rúnar Einarsson announced the rejection of the Mailpile beta, saying feedback had led the team to go back to the drawing board. One key issue was unsurprisingly related to making “all that crypto stuff completely seamless.” Iceland-based Einarsson is taking a break to get married (mazel tov) and, with the back-end providing most of the problems, front-end designer Brennan Novak has “moved on to other things for now.” Here’s hoping Mailpile gets back on track when development resumes next month.

AT&T’s privacy plan may be short-lived and may not even be as bad as we think

AT&T hit a nerve with its privacy-eroding Internet Preferences Plan, which lets customers surf the web at gigabit speeds but also lets the telecom giant see what sites they visit in order to serve up relevant ads. AT&T’s plan may be short-lived, however, if the FCC takes action under its new neutrality rules and, in any case, AT&T may catch less of your web surfing than you fear.

If you’re unfamiliar, the issue arose back in December of 2013 when AT&T launched its GigaPower service in Austin with a footnote in its press release noting that in exchange for giving up their privacy, AT&T gives subscribers a $29 discount. That’s now how AT&T sells its GigaPower plan, which is currently offered in Austin, Texas; Dallas and Fort Worth, Texas; and Raleigh-Durham and Winston-Salem markets; as well as parts of Kansas City, Kansas and Missouri.

But AT&T’s sales pitch deserves a bit more scrutiny. First, the idea that gigabit service should come with a privacy clause that you must opt-into by paying an extra fee each month rubs many people the wrong way. (AT&T charges people $70 a month for its privacy-eroding Internet Preferences plan, but $99 a month plus extra fees that eventually totaled $44 a month for a standard plan that lets you surf unseen by Ma Bell.)

The good news is that under Section 222 of Title II of the Communications Act that the FCC recently decided to implement as part of its net neutrality order, the agency can do something about Ma Bell’s plan. Section 222 protects the private information of a customer that carriers are privy to given their position as the providers of telecommunications services, and lays out how that information can be used or shared. It’s not clear if the FCC will choose to implement Section 222, although in the original proposal it has planned on keeping it.

The next question is whether or not the FCC would use it in the case of AT&T’s plan. When I asked the agency, it confirmed that the terms and conditions of any ISP plan would have to be fully disclosed under the FCC’s transparency rules, and Section 222 will require broadband Internet access providers to protect the privacy of their customers. Cynics suggest that the net neutrality ruling took all of the political capital that the agency had, and now it will settle back into complacency, but I suspect that Wheeler has actually shifted his mindset entirely.

And if he has gone to seeing the Internet as a consumer sees it, then my gut says his agency couldn’t ignore a plan like this, especially if a consumer or consumer group filed complaints over AT&T’s plans. Wheeler would very likely take issue with the likely use of deep packet inspection by AT&T to watch where its customers are surfing, and use of economic incentives to essentially coerce customers into accepting this plan.

But, in the meantime, let’s take a look at what AT&T says about its plan to see how bad it really is. I asked AT&T if it was using deep packet inspection, which is the same tool that NebuAd and Phorm tried to use in 2008 here in the U.S. and led to a Congressional hearing. AT&T’s response was evasive.

“As we said last time, we may use various methods to collect web browsing information, with clear customer consent for Internet Preferences.”

Note that, under AT&T’s own terms and conditions of the plan, it’s unclear how much of your web surfing Ma Bell can actually track in the first place since more sites have begun using the secure https protocol.

No matter what AT&T is using, it is clear that it will not collect information from secure web sites that use https. When I asked, the spokesman replied: “We are not collecting information from secure or otherwise encrypted web sites.” This is actually helpful, because today, more sites outside of the traditional banks and e-commerce shopping carts are using https, including Twitter, Google, Yahoo, Bing and Facebook. One reason might be that Google last year let the world know it would use https as a factor when determining how highly a page ranks in its search algorithms.

Still, large portions of the web, from Amazon’s general shopping pages to Wikipedia, as well as many major media sites, are not using https, which can cost a lot of time and effort to implement. So while you perform a search from many of the major search engines (including Duck Duck Go for the truly privacy conscious) you might avoid AT&T’s prying eyes under the plan, but once you land on a non-https page you’ll be back under its scrutiny.

To truly solve the issue, you can pay more and hope that your packets somehow avoid AT&T’s packet sniffing (or are you just avoiding the advertising emails?) or you can write the FCC a letter complaining that AT&T’s Internet Preference Plan invades your privacy in a way you think violates Section 222 of Title II. Or maybe you can hope John Oliver picks up on this story and calls Tom Wheeler a dingo again.

Updated: This post was updated on March 4 to add more cities with GigaPower availability.

Alarms sound over changes to EU roaming, net neutrality and privacy rules

The European Parliament’s liberal-centrist bloc has warned over changes being made by EU countries to incoming telecoms legislation, saying they will severely weaken efforts to introduce unified net neutrality rules and eliminate mobile roaming surcharges for people moving between member states.

The Council of the European Union, which represents member states, is expected to present its position on Wednesday regarding the Telecoms Single Market proposal – this follows the European Commission’s original proposal and changes made by the Parliament, and will trigger negotiations over the final text. The Alliance of Liberals and Democrats for Europe Group (ALDE) said Tuesday that the Council’s position is so watered down that it would undermine campaign pledges made by Commission president Jean-Claude Juncker and the Parliament that came in last year.

Meanwhile, digital rights groups have released leaked documents relating to the Council’s under-development position on a separate legislative package, the new General Data Protection Regulation. The version that left Parliament would introduce very tough new rules for companies and governments handling EU citizens’ personal data, but it appears member states have been agitating for these rules to be weakened.

Roaming rumble

The member states’ keenness to water down the net neutrality proposals is already well documented, with the countries apparently aiming for aspirational principles rather than tough new rules. However, the roaming aspect of the telecoms package is also contentious.

The Commission’s original proposal would have eliminated intra-EU roaming fees, allowing people to move around EU countries without having to pay more for mobile access than they would pay at home. This is integral to the European single market project – cross-border services won’t get anywhere if you can’t freely use them across borders.

However, the Council appears set to allow carriers to charge roaming surcharges for anything above a measly 5MB of data per day. The surcharges would be capped at the maximum wholesale rates charged between carriers, but they would still stymie the original intention of the legislation.

According to ALDE president Guy Verhofstadt:

This is a scandal. An end to roaming charges and the delivery of a genuine single market for telecoms was a campaign priority for all parties, many of whom are today responsible for blocking this measure…

To say this text lacks ambition is an understatement. Certainly our group will not accept this text, as the only winner from it is national telecoms operators themselves. Member States should hang their heads in shame.

Privacy shambles

As for the new data protection package, which is also intended to unify the disparate rules of the 28 EU member states, the rights groups EDRi, Access, Privacy International and the Panoptykon Foundation have warned that the package is “becoming an empty shell”.

On Tuesday the groups issued an analysis (PDF) of leaked documents about the Council’s position on the regulation. Here are the main points to worry about, according to EDRi et al:

  • Consent: The proposals would allow the failure of browser users to opt out of being tracked to be read as a form of consent for tracking and profiling. They would also weaken the limitations on what that consent can allow. “Germany undermines transparency still further by proposing that consent should cover unknown future uses of the data for ‘scientific’ purposes,” the analysis read.
  • Data subject rights: Gone is the article that would mandate “concise, transparent, clear and easily accessible policies” about data use. Governments would also be allowed to cite “national security, defence, public security and ‘other important objectives of general public interest'” as legitimate reasons for profiling people.
  • Fines and remedies: The new rules were supposed to introduce fines of up to five percent of annual turnover for serious data protection infringements, as a deterrent to the likes of Google, who shrug off today’s fines. The new proposals would lower that amount. The possibility of class action lawsuits would also be nixed, and individuals suing over data protection will only be able to take it to local regulators, not courts.
  • Data breach notifications: Companies would only have to tell people that their data has been stolen if the theft is “high risk”.
  • Cross-border complaints: There’s supposed to be an EU “one stop shop” for data protection complaints, which makes sense as the whole point of this regulation is to create a unified EU framework. But no, the Council would want multiple national data protection regulators to be brought in first to try to reach consensus, because member states don’t want to cede control.

The deadline on this one is a bit further out, with the Council expected to produce its position on the data protection regulation in the summer, before commencing negotiations with the other legislative branches of the EU.

According to EDRi: “Unless something is done urgently, the Council will simply complete its agreement, at which stage only an absolute majority of the European Parliament would be the only way of saving Europe’s data protection reform.”

I have asked the Latvian presidency of the Council (it’s a rotating presidency) for comment on the leaks, but haven’t received a reply at the time of writing.

Signal secure comms app for iPhone gains TextSecure compatibility

Open Whisper Systems has released version 2 of its Signal secure calling app for iPhone. This is an important iteration, as it introduces secure text messaging that’s compatible with the outfit’s TextSecure app for Android — for now, Open Whisper Systems’ secure voice app for Android, RedPhone, remains separate from that, though everything will come together later this year in a Signal app that works across iOS, Android and the desktop. As secure communications operations go, Open Whisper Systems has good credibility, offering end-to-end crypto, auditable open-source code and decent identity verification. The TextSecure protocol has also found its way into WhatsApp, which is why Android-toting users of that Facebook-owned messaging app enjoy extra security these days.

BlackBerry shows off affordable, touchscreen-only Leap handset

BlackBerry has launched a touchscreen-only smartphone — its first since the Z3 a year ago — called the Leap. It will be reasonably affordable at $275 off-contract when it goes on sale this April.

The handset has a five-inch display and will reportedly go on sale in Europe and Asia first. BlackBerry is pushing the security angle pretty hard on this one, no doubt as a partial reaction to efforts by the likes of Blackphone and Jolla to appeal to privacy-conscious businesses and consumers.

“Companies and everyday consumers are finding out the hard way that mobile security is paramount. BlackBerry Leap was built specifically for mobile professionals who see their smartphone device as a powerful and durable productivity tool that also safeguards sensitive communications at all times,” BlackBerry devices chief Ron Louks said in a statement.

Indeed, the company also used Mobile World Congress in Barcelona to announce the BlackBerry Experience Suite, which is actually three suites of services that will work across rival platforms including iOS, Android and Windows. Two of the bundles will cover productivity and communications and collaboration, while the third will provide encryption and privacy controls for emails and documents.

Security aside, BlackBerry is promising that the Leap can take up to 25 hours of “heavy use” before its 2,800mAh battery gives up. It has an eight-megapixel rear camera and 16GB of internal storage with extra microSD support. As with other recent BlackBerry phones, the Leap also comes with the Assistant voice-and-text command feature and two app stores, BlackBerry World and the Amazon Appstore.

According to reports of the MWC unveiling of the device, Louks also briefly held up an unnamed handset with a slide-out keyboard that will properly appear later this year.


The internet of things will rock your business and here’s how


The internet of things will disrupt the hell out of your business and you best start preparing your business to meet that change by preparing to deal in information as opposed to physical goods, according to Charlie Peters, an executive senior vice president at Emerson. This may be surprising coming from a top executive at a company known for process manufacturing and old-line systems, but Peters laid down several hard truths in this week’s podcast about how the internet of things will change enterprises in his conversation with me.

He covered the three ways that IoT changes business and the hurdles that companies face from a technical perspective (and why that hurdle is driven in part by a business rationale on the part of companies responsible for driving the technical innovations we need). Before Peters and I chat, my colleague David Meyer joined me on the show to share his thoughts on the connected home and how he thinks manufacturers might gain consumer trust when it comes to privacy and security. Tune in for his delightful accent and stay for some compelling content about Mobile World Congress and more.

Guests: Charlie Peters, Senior Executive Vice President and director at Emerson

  • A European perspective on the smart home and privacy
  • Does the internet of things need a Trust-E or other seal of approval for privacy to communicate to the consumer?
  • The internet of things changes your business in three ways. Here they are.
  • The result of more information will be a few large successes and several mediocre businesses
  • Why wireless connectivity is a last hurdle for IoT that still isn’t solved.



Silent Circle shows off more powerful Blackphone 2 privacy phone

The secure mobile company Silent Circle, which last week raised $50M and bought out the joint venture behind its Blackphone handset, has unveiled a new version of that device — though prospective customers have a bit of a wait on their hands.

The Blackphone 2 will appear in the second half of this year, providing much better specs than the initial handset that was made by Geeksphone, the joint venture partner that is now out of the picture. It will have an 8-core processor and 3GB of RAM (the quad-core original had 1GB) and will also be substantially larger, with a 5.5-inch screen (up from 4.7 inches).

Apart from making the privacy-first phone more desirable as a handset, Silent Circle has also previewed the Blackphone+ tablet, which will come later this year. Both devices will of course use version 1.1 of the PrivatOS Android fork, which features an OS-level virtualization feature for keeping sensitive material away from less-private apps, as well as a privacy-focused app store.


While its security track record is not entirely unblemished, U.S.-based Silent Circle is a very credible player, coming from people such as PGP encryption pioneer Phil Zimmermann. It offers its privacy-focused communications apps separately from the Blackphone as well as bundled with it, and it’s part of the Dark Mail Alliance that’s trying to build the successor to email.

However, it may face a challenge from a newly announced partnership between Finnish handset-maker Jolla and security outfit SSH Communications Security, which are working on a secure version of Jolla’s Android-compatible Sailfish OS, with great emphasis on the fact that theirs is a homegrown European alternative to Android-based mobile operating systems (surely a dig at Silent Circle, among others).

Jolla and SSH push Sailfish Secure as “European alternative” mobile OS

I’ve got to hand it to Jolla – despite significant teething problems, the upstart Finnish mobile-maker has clung on, using crowdfunding campaigns and general community-mindedness to maintain interest around its alternative OS, Sailfish.

And now Jolla has done something really clever: at Mobile World Congress in Barcelona, it’s revealed a partnership with SSH Communications Security – the Finnish firm behind the widely used Secure Shell crypto protocol — to develop a “security-hardened” version of Sailfish OS for governments, businesses and privacy-conscious consumers.

Sailfish OS may be Android-compatible, but it isn’t an Android fork. This means the secure version, if it works out, will provide a real alternative to Silent Circle’s Android-based Blackphone, which targets a similar set of customers.

The positioning is none too subtle: Jolla’s Monday statement points out that Sailfish Secure would provide a “European alternative” to “Android or other U.S.-based operating systems.” Silent Circle is of course based in the U.S., as are Apple et al. Here’s what Jolla chairman Antti Saarnio said in that statement:

It is evident that the world needs a secure, transparent and open mobile solution alternative, which is not controlled by any country or major industry player. Together with leading security expert SSH Communications Security we are aiming to create an open European mobile solution running on Sailfish OS. We are also inviting other industry players to join the initiative.

Interestingly, Jolla and SSH say governments and large corporations will be able to “adapt” Sailfish Secure to different hardware configurations. Together with the Android compatibility of today’s Sailfish OS, that suggests it will be able to run on Android hardware, though I’ve asked Jolla for confirmation of that.

Jolla may be small fry, but it doesn’t have a lot of competition in the European mobile OS stakes. It’s smart for the company to capitalize on that, particularly given the mistrust many in the region have about U.S.-based technology, and given how EU politicians are desperate to find local players they can champion. Nasdaq-listed SSH is a serious player, too, so there’s credibility to this push.


Here’s a draft of the consumer privacy “Bill of Rights” act Obama wants to pass

The White House has released a draft of the Consumer Privacy Bill of Rights Act of 2015. It outlines the steps companies need to take to tell people what data they’re collecting and what they’re doing with that information. It also suggests data opt-out options for identifying details like email addresses and passport numbers. The bill also mandates that companies give people information about how they store the data they collect, for how long, and how consumers can view those details.

Here are some of the key points:

  1. Employee data is excluded from these disclosure requirements, as is information collected to fend off a cybersecurity threat.
  2. Companies must give people information on whom they can contact at the organization regarding any privacy questions.
  3. If a person withdraws his or her consent for data collection, the company has 45 days to delete the specific information on the user.
  4. Companies need to thoughtfully design their privacy notifications for users, considering everything from the size of the device displaying the notification to the timing when these notices appear.
  5. Companies must delete user data after it has fulfilled its purpose.
  6. Smaller businesses which have five or fewer employees are exempt from these requirements.

There’s plenty more to parse in the 24-page document, which is chock-full of words like “clear,” “transparent” and “individual control.” Some politicians have already spoken out against the draft, saying it puts consumers at risk by lessening, not increasing, their protections. The Hill reported that one Democratic official argued that the White House’s bill takes away some of the Federal Trade Commission’s power to prosecute companies that abuse consumer data.

This is an early draft that will go through several revisions before being voted on by the House and Senate. If passed, it will hold tech companies accountable for the way they treat consumer privacy. The FTC, state attorneys general, and people who use the technology will have the power to bring civil suit against those organizations that violate the bill.