Privacy and Security TidBits

Smart Phones, Trojan Horses and Data Protection.

During the Senate Judiciary Committee hearing on mobile privacy, held on May 10, Senator Whitehouse asked Rich (FTC) and Weinstein (DOJ) if mobile apps were like “Trojan Horses” of consumer info.

What is a Trojan Horse?

According to Wikipedia,The Trojan Horse is a tale from antiquity.

“In one version, after a fruitless 10-year siege of Troy, the Greeks constructed a huge wooden horse, and hid a select force of 30 men inside. The Greeks pretended to sail away, and the Trojans pulled the horse into their city as a victory trophy. That night the Greek force crept out of the horse and opened the gates for the rest of the Greek army, which had sailed back under cover of night. The Greek army entered and destroyed the city of Troy, decisively ending the war.”

The contemporary meaning of Trojan Horse, according to GSMA, is

“a specific form of malware [link to malware entry in ]. Like the Trojan Horse of Greek mythology, Trojan Horse programs trick a user into installing them on their phone or computer by masquerading as genuinely useful applications. Once installed however, the Trojan Horse will perform some unauthorised and malicious activity on the computer or phone. Trojan Horses are one reason why you should only install software on your phone or PC if you are confident that you can trust the source of this software. Trojan Horse programs differ from Viruses and Worms [link to appropriate entries in ] because Trojan Horse programs are unable to replicate themselves. Installing anti-virus software on your mobile phone can help to protect against this threat.”

From the context of the hearing, it would seem that Senator Whitehouse was referring to the original, albeit metaphorical meaning of “Trojan Horse”: the mostly free mobile apps are waiting in the app store to be downloaded by smartphone owners on their mobile phone; once the app is “inside” the phone, it “opens all the information gates” for the app developers, Apple, Google, advertisers, ad networks, the entire marketing ecosystem and a garden variety of hackers and stalkers.

Is this legal?

The consensus during the hearing seemed to be that it is. At least within the US.

Justin Brookman, director Consumer Privacy for the Center of Democracy and Technology, gave a comprehensive summary of relevant laws and an analysis of their application to today’s location- enabled mobile devices.

He concluded that “current law allows companies to share data however they wish so long as they don’t do something they previously promised not to, which would be a violation of the Federal Trade Commission Act.”

In other words: Except in certain sectors, like healthcare and finance, and except in a couple of states like Massachusetts and California, the personal data of smartphone (and general internet) users can legally be shared with anyone, without the data subject’s consent.

But the mobile world is global and flat, and does not distinguish between smartphone (or internet) users, depending on their geographical location: it tracks them all the same. Except that outside the U.S., many countries have strict data protection rules that make mobile (and general internet) tracking illegal, unless a list of conditions are met.

The European Data Protection Laws, and the national data protection laws of the EU member states, for example, require, among many others, notice and informed consent for tracking of all personal data, and explicit consent for tracking of sensitive data, relating to health, religious beliefs, political opinions, sexual orientation, race, and membership of organizations.

The current overhaul of the 16 year old EU Directive 95/46EC has exactly this global world in mind.

Viviane Reding, European Commissioner for Justice, Fundamental Rights and Citizenship, recently declared in the context of the EU Data Protection Law overhaul that “To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU consumers,”… “Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.”

Apple is already under investigation by data protection officials in Germany, France, Italy and Switzerland for possible breach of their national data protection laws.

Last year, Mexico joined the ranks of more than 50 countries that have enacted global data privacy laws by enacting a “Federal Law on the Protection of Personal Data Held by Private Parties” that for a large part copies the EU model.

More recently, India issued final regulations implementing parts of the Information Technology (Amendment) Act, 2008. These strict privacy rules also take after the EU data protection model and the penalties for non-compliance include imprisonment and fines.

Global companies like Apple and Google should take into account that an increasing number of their worldwide business partners’ and customers’ personal data are covered by national data protection laws, even though the personal data of their own poor fellow countrymen are not.