Export Compliance Daily is a service of Warren Communications News.
‘No Room for Complacency’

FTC Touts Mobile Security Concerns, Hears Platform Perspectives at Workshop

The FTC is placing a high priority on security in the mobile computing space, FTC Chairwoman Edith Ramirez said during an agency workshop on mobile security Tuesday. Ramirez said the agency will coordinate with law enforcement agencies, engage in consumer and business education and work on policy approaches -- including Tuesday’s workshop -- to combat mobile security issues. “This series of policy dialogues reflects the high priority we place on ensuring that the FTC itself, industry, consumer groups and other stakeholders are all fully attuned to the” issues in the mobile security sphere, she said.



Ramirez outlined the steps the agency has taken in the mobile security sphere as an “outgrowth of the FTC’s broad mandate to protect consumers.” In addition to bringing a case against HTC America over failure to protect its mobile consumers’ data (CD Feb 25 p3) and the maintenance of online education portal OnGuardOnline.gov, the FTC is working to ensure that it has the technological capabilities to detect and respond to mobile security concerns. The agency has “brought in distinguished technologists” and “created a mobile unit to ensure that we are alert to mobile issues,” she said. “There’s no room for complacency from any of us” in this area.

Mobile security is more complex than other realms because “mobile devices can have security flaws at any layer,” said Steve Bellovin, FTC chief technologist. “We as the defenders have to protect them all.” Security flaws can happen at the operating system level, the device manufacturer level, the carrier level and the app level, as well as at the level of the third parties with which the app is interacting, he said. “It’s a much more complicated picture in the mobile device world,” he said. “The attacker can attack anywhere, the victim has to defend everywhere.”

Representatives from platform operators discussed the ways in which they communicate with users about what information apps are collecting and when. Apple Director of Global Privacy Jane Horvath said Apple’s iOS 6 tells users when information is being collected “at just the time of access” and provides app developers with a “purpose string,” or an “option of saying why they want to access” the information, “which makes it much more clear for the users.” BlackBerry has “tried to establish more context, in terms of what the applications are doing,” said Adrian Stone, director of the company’s security response program. The company tries to make it “seamless” for the users, he said. “As we look at the threat curve over time, we’ll go back and we’ll reevaluate.”

Mozilla also values considering “how does the user make the decision of when to share data with applications, and what do they understand when they’re making that decision,” said Michael Coates, director of security assurance. “For [application programming interfaces] that access sensitive information,” the company wants to “present it to the user in a way they understand so they can make an informed decision and let the market evolve from there,” he said. Coates questioned the ability of users to process and meaningfully consent to collection when information about that collection is presented all at once, including at the time of download. “Unfortunately, I think a lot of users just click ‘OK,’” he said. Geir Olsen, principal program manager for Microsoft’s Windows Phone engineering, compared users who have to process multiple dialog boxes to mother bears looking to get to their cubs. “Most users just basically tap through those dialogues. They want what’s on the other side,” he said.

Allowing developers to provide language about the data their apps will collect may be problematic, said Adrian Ludwig, manager for Android security at Google. Information provided by the platform may be more beneficial to users who perceive it as “something that’s trusted because it’s provided by the platform,” he said. Additionally, due to the widespread, global nature of the Android operating system, all the language associated with an app has to be able to be translated into any language that’s used where the app is available. It may be unreasonable “to expect that a developer could do that and then reach a global audience,” he said. Ludwig said he’s interested to see data about whether developer-provided information will produce more transparency.

Facebook will engage with any app platform whose users are also Facebook users, said Head of Product Security Alex Rice during a later panel. “We go wherever our customers are … at varying levels.” Rice said the potential security vulnerabilities in the mobile space are different from those on computers, which have more “well understood and tackled problems.” The “sandboxing” that occurs on mobile devices -- the separation of each running application from the others -- can have privacy vulnerabilities “when those sandboxes have holes in them for whatever reason,” he said. Facebook is especially aware of the cross-sandbox interaction between apps because users can elect to have many apps interact with the Facebook app, he said.