Lawsuit reveals airline apps are spying on customers.

California's attorney general has sued Delta Air Lines for failing to include a privacy policy within the company's mobile application, an alleged violation of the state's Online Privacy Protection Act.
The lawsuit, filed in Superior Court of San Francisco on Thursday, marks the first time the state has taken legal action to enforce the privacy law, which was enacted in 2004, according to a news release from Attorney General Kamala D. Harris. Delta also violates California's Unfair Competition Law, the lawsuit alleged.
Since 2010, Delta has distributed a mobile application called "Fly Delta" that allows people to manage their bookings, according to the suit. The application collects information such as a person's name, phone number, birth date, email address, frequent flyer account number and PIN code, photo and geo-location data. It is alleged in the lawsuit that Delta customers do not know how their data is collected or used by the airline.
Delta could face a penalty of US$2,500 for each time a non-compliant mobile application is downloaded, the attorney general's office said. The application has been downloaded millions of times from Google's Play and Apple's iTunes application markets, according to the lawsuit.
Harris had been aggressive in pushing companies to comply with the law. Earlier this year, she created the Department of Justice's Privacy Enforcement and Protection Unit, which is charged with enforcing the Online Privacy Protection Act, federal privacy laws and those relating to personal data and data breaches.
In October, Harris warned companies and developers of the 100 most popular applications that did not have a privacy policy, including Delta.
https://www.networkworld.com/news/2012/120712-california-sues-delta-airlines-for-264887.html

Epic Marketplace used a browser flaw to see if visitors were pregnant.

An advertising network that served banners on cnn.com, orbitz.com, and 45,000 other sites has settled federal charges that it illegally exploited a decade-old browser flaw that leaks the history of websites users visit.
Epic Marketplace used data mined from the history sniffing exploit to assign interests to visitors so the ad network could deliver targeted ads, according to a complaint filed by the Federal Trade Commission. Interest categories included "pregnancy-fertility getting pregnant," "incontinence," "memory improvement," and "arthritis." The FTC brought the case against New York City-based Epic Marketplace after the practice was revealed by Stanford University researcher Jonathan Mayer in July 2011.
Epic Marketplace settled the charges by agreeing to destroy the data it gathered and to curb the practice in the future, according to a release issued on Wednesday. The settlement also bars the company from making misrepresentations about the data it collects about people browsing the Web.
Until about two years ago, a weakness built into every major browser made it trivial for websites to compile detailed lists of other webpages viewed by their visitors. The sniffing technique worked by analyzing the color of links browsers use to show which URLs a user already clicked on. Mozilla Firefox was the first major browser to plug the leak. All other major browser makers have since followed suit.
Epic Marketplace isn't the only Web company accused of exploiting the vulnerability. In 2010, researchers at the University of California at San Diego said they caught YouPorn.com and 45 other sites pilfering users' browser history to determine if they visited other pornographic sites. Browser history attacks typically deploy JavaScript to analyze CSS settings in a browser.
The FTC announced a settlement with Epic Marketplace, an online advertising company that had abused a security flaw in popular web browsers in order to covertly “sniff” other websites visited by consumers.
The specific security vulnerability exploited by Epic, dubbed “CSS browser fingerprinting” by security experts, relies on the fact that web browsers use different colors to represent links to sites that have been previously visited. By writing special code that detects or “sniffs” the color of a link to a particular 3rd party site, a malicious website can determine whether or not someone visiting that site has visited other 3rd party sites.
Stanford researcher Jonathan Mayer revealed that online advertising company Epic Marketplace was abusing the same browser history sniffing technique. A subsequent investigation by the FTC led to Epic Marketplace abandoning the practice. The company has also agreed to a 20-year consent order with the FTC prohibiting it from lying to consumers about its online tracking activities or engaging in further browser fingerprinting. The company apparently laid off all of its staff this summer and has shut down, so the FTC’s settlement may be the final nail in the coffin.
http://arstechnica.com/security/2012/12/online-marketer-tapped-browser-flaw-to-see-if-visitors-were-pregnant/
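
The link-colour leak described above, and the browser fix that closed it, as a simplified model. This is an added example, not code from the articles or from any browser; the URLs, style values and function names are constructed for illustration.

```javascript
// Simplified model (constructed for illustration) of how a browser answers a
// script's computed-style query for a link, before and after the :visited
// privacy fix. This is not browser source code.

// Properties a :visited rule may still change after the fix (colours only).
const VISITED_SAFE_PROPS = new Set([
  "color", "background-color", "border-color", "outline-color",
]);

// Constructed stylesheet: a:link and a:visited rules declared by a page.
const STYLES = {
  link:    { color: "rgb(0, 0, 238)",   width: "100px" },
  visited: { color: "rgb(85, 26, 139)", width: "200px" },
};

// Constructed browsing history for the simulated user.
const HISTORY = new Set(["https://example.test/health/pregnancy"]);

// Pre-fix behaviour: script is told exactly what is painted.
function legacyComputedStyle(href) {
  return HISTORY.has(href) ? { ...STYLES.link, ...STYLES.visited } : { ...STYLES.link };
}

// Post-fix, part 1: what the user sees. Non-colour properties in the
// :visited rule are ignored, so layout can no longer depend on history.
function hardenedPaintedStyle(href) {
  const painted = { ...STYLES.link };
  if (HISTORY.has(href)) {
    for (const [prop, value] of Object.entries(STYLES.visited)) {
      if (VISITED_SAFE_PROPS.has(prop)) painted[prop] = value;
    }
  }
  return painted;
}

// Post-fix, part 2: what script is told. Always the unvisited style.
function hardenedComputedStyle(_href) {
  return { ...STYLES.link };
}

// True if a page script gets a different answer for `href` than for a URL
// that is certainly unvisited, i.e. the style query leaks history.
function scriptCanTellVisited(computeStyle, href) {
  const baseline = JSON.stringify(computeStyle("https://example.test/never-visited"));
  return JSON.stringify(computeStyle(href)) !== baseline;
}
```

The user still sees the visited colour on screen; only the value reported to page scripts is decoupled from history.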