IBM settles lawsuit over data privacy of Weather Channel app

August 21, 2020

IBM, the owner of the Weather Channel mobile app, has reached a settlement with the Los Angeles city attorney’s office after a 2019 lawsuit alleged that the app was deceiving its users in how it was using their geolocation data.

According to AP News, City Attorney Mike Feuer alleged that app users were misled when they agreed to share their location information in exchange for personalized forecasts and alerts. Instead, the lawsuit claimed users were unaware they had surrendered personal privacy when the company sold their data to third parties.

“Users will now clearly know that they have the choice to provide access to their locations,” Feuer said at a news conference, adding he hopes other companies will follow the app’s model for transparency. “It shows that we don’t have to sacrifice our privacy for things of value.”

Generally, end users "trust" their phones as well as the apps on their phones, says Setu Kulkarni, Vice President, Strategy & Business Development at WhiteHat Security, a San Jose, Calif.-based provider of application security. He adds, “ However, these apps have unprecedented access to explicit, and more importantly, implicit user info such as location. I mean who thinks about their own location when using the app? But that implicit and implied insight is gold for apps who serve up paid content and paid features based on your location whether you want it or not, and whether you like it or not. The average end user of mobile apps need not, and should not, know how a particular mobile app works under the hood. It’s time that end users are simply informed in a easy to understand way what the app does and does not do. Not through 10s of pages of EULAs and T&Cs. Moving forward, we must make confirmation of apps less technical and more user friendly - today the average use just accepts the default settings, without knowing any better.”

Stephen Banda, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions, notes there is always a balance to strike between respecting user privacy and providing valuable functionality to end users. He adds, "Location is a delicate matter and consumers need to understand how their location is being used and to what extent their data is being shared. A quick look at an app’s permissions on the Google Play store will show if exact or precise location is used. Regrettably, beyond this information, the responsibility is on the end-user to further validate the privacy policy details and how their data is being used before accepting the usage terms

"Fortunately, in recent years, regulations such as CCPA and GDPR have raised the bar for organizations to safeguard the personal data of their employees and customers," notes Banda. "These privacy regulations are definitely raising public awareness and will continue to drive progress in how businesses safeguard user privacy and communicate their privacy practices. In fact, a recent update to CCPA now requires companies that sell personal information to include a ‘Do not sell my personal information’ link on their website home page and related mobile apps. So it's encouraging to see that progress is steadily being made in the area of respecting user privacy."

Ali Golshan, CTO and co-founder at StackRox, a Mountain View, Calif.-based leader in security for containers and Kubernetes, says, “Considering the volume and range of data being collected from services and users, targeting and reaching the user has become a very personal experience. Due to development timelines, developers often have to delay building granular privacy permissions into their applications. Such permissions enable individual customers to define how their data can be used, or the right to be forgotten. One key feature for data privacy is ensuring up-to-date controls and configurations around access. To ensure data is protected from unauthorized access, systems need controls such as identity and authentication of users. Limits to access must also extend to developers of platforms as well.”

According to Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management, the requirement for maintaining data privacy has increased as privacy regulations have been adopted by many more jurisdictions since they were first announced. "Fines for breaching data privacy regulations have multiplied, and penalties can be more severe than fines. Increased public awareness and media interest have led to commercial and reputational consequences for non-compliance. The risk of private data being compromised has amplified as systems are ever more accessible via connected devices and vulnerable to cyber-attacks," says Durbin. "With a focus on breaches and the loss of personal data, it is reasonable that the main attention for businesses today has shifted to data privacy. We are seeing progress in legislative requirements to protect personal information along with the related fines and sanctions for non-compliance.”

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.