When I first read about this issue where California is suing Delta Airlines over privacy concerns with their mobile app, I thought to myself, “Oh man, this is going to be good! What are they leaking? What application security lesson can we drive home with this pertinent and fresh example??” (I’ll be honest… I was a bit excited.)

Instead, it seems like a fairly “mundane” issue. California requires a privacy policy for applications that collect personally identifiable information (PII) so that users know what's done with that data. This is, in reality, A Good Thing™. Apps that take in, and corporations that receive, store, and use such data SHOULD tell users where it goes, how they use it, and how they store it! I’m tired of breach disclosures telling us that a company stored too much data, in a poorly chosen place, with insufficient protection measures. So, I have to say that I think California’s legislation on this topic is a pretty good step in the right direction.

Back to the issue at hand: the Delta App collects some PII, yet has no privacy policy posted. It could be as simple as Delta needing to post one. Let’s be honest, who reads those things besides security geeks and lawyers? However, the paranoid part of me asks, if it was so simple to resolve, why doesn’t Delta just include it? Could it be that they are misusing the data and not performing due diligence on their end to protect it? I hope not… but if that’s the case, expect a follow-up blog along the lines of what I was thinking in the first paragraph…

Maybe they are scrambling to resolve the issue at this moment. Or maybe they are wondering why a Georgia-based company needs to bow down to the “rantings” of the State of California. Either way, it would be good to know what is done with that data and how it is used and stored.

Is it worth a lawsuit paid for by taxpayers, in a state with a pretty hefty deficit, with a "$2500 fine per download"? Might be a bit overboard, but might get the message out as well. I think sorting out how many people from California downloaded the app in order to calculate the fine might be an interesting task too…

References:
http://www.pcworld.com/article/2018966/california-sues-delta-airlines-over-app-privacy-policy.html
http://www.newsfactor.com/news/Calif--Sues-Delta-Over-App-Privacy/story.xhtml?story_id=0220026ZFX7G