GDPR, User Data, Privacy, and Your Apps
1 like219 views
The document discusses the General Data Protection Regulation (GDPR) which takes effect in May 2018 and imposes strict rules and heavy fines on companies regarding the collection and processing of users' personal data. It outlines several principles of GDPR including rights to access, correct and delete personal data. The document also provides strategies for app developers to comply with GDPR such as determining if all collected personal data is necessary, encrypting data, and informing users about data collection and sharing.
GDPR, User Data, Privacy, and Your Apps
- 1. User Data, App Development, GDPR, Ethics and you CocoaCoders April 26th, 2018
- 2. Disclaimer • I am not a lawyer • Viewer discretion advised
- 3. Interactivity This is not supposed to be me lecturing Stop me and ask questions or interject
- 4. Disclaimer
- 5. What is GDPR? • European Union regulation on Privacy (more detail later) • Takes effect May 25th 2018 • Penalties: The greater of €10 million or 2% of global annual revenue
- 6. Does this matter here? Some people think so
- 7. Will (something like) this come to U.S.? What do you think?
- 8. What Data is Affected? • Basic identity information such as name, address and ID numbers • Web data such as location, IP address, cookie data and RFID tags • Health and genetic data • Biometric data • Racial or ethnic data • Political opinions • Sexual orientation https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
- 9. GDPR Principles (1/4) • "Easier access to your own data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way."
- 10. GDPR Principles (2/4) • "A right to data portability: it will be easier to transfer your personal data between service providers."
- 11. GDPR Principles (3/4) • "A clarified 'right to be forgotten': when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be delete."
- 12. GDPR Principles (4/4) • "The right to know when your data has been hacked: For example, companies and organizations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.” • (“The 72-hour reporting window that the GDPR requires makes it especially important that vendors know how to properly report a breach.") https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
- 13. New Apple APIs • Providing User Access to CloudKit Data • https://developer.apple.com/documentation/cloudkit/ providing_user_access_to_cloudkit_data/ • Responding to Requests to Delete Data • https://developer.apple.com/documentation/cloudkit/ responding_to_requests_to_delete_data/
- 14. GreyKey Cracks a phones passkey Provides complete Keychain contents…
- 15. Blue’s Suggestions •I recommend Apple's WWDC privacy sessions for Best Practices on obvious(?) concepts such as transparency, consent, and user control. The videos also cover ways to re-think data collection, trading firehoses for eye-droppers (and/or muddy water). For instance ... •"Privacy and Your Apps" (2017) https://developer.apple.com/videos/play/wwdc2017/702/ •"Engineering Privacy for Your Users" (2016) https://developer.apple.com/videos/play/ wwdc2016/709/ •The first video includes discussion (6:15) of how to back-away from raw data in order to get just the information you need. •The second video has a nice description (14:00) of Differential Privacy: adding noise to collected data.
- 16. Strategies • 1. Determine whether the app really needs all the requested personal data • 2. Encrypt all personal data and inform users about it • 3. Think OAUTH for data portability • 4. Enforce secure communications through HTTPS • 5. Inform users about and encrypt personal data from ‘contact us' forms https://techbeacon.com/15-steps-developing-eu-privacy-policy-compliant-apps
- 17. Strategies (cont) • 6. Make sure sessions and cookies expire and are destroyed after logout • 7. Do not track user activity for business intelligence • 8. Tell users about logs that save location or IP addresses • 9. Store logs in a safe place, preferably encrypted • 10. Security questions should not turn on users' personal data https://techbeacon.com/15-steps-developing-eu-privacy-policy-compliant-apps
- 18. Strategies (cont) • 11. Create clear terms and conditions and make sure users read them • 12. Inform users about any data sharing with third parties • 13. Create clear policies for data breaches • 14. Delete data of users who cancel their service • 15. Patch web/dependency vulnerabilities https://techbeacon.com/15-steps-developing-eu-privacy-policy-compliant-apps
- 19. Get Apple’s data on you • https://www.cnbc.com/2018/04/25/how-to-download-a-copy-of-apple- data-about-me.html
- 20. Since We’re on the Subject Big Data is Everywhere…
- 21. Further Reading • https://www.prnewswire.com/news-releases/lookout-report-84-of-it- executives-expect-data-accessed-on-mobile-to-cause-gdpr- violations-300555381.html • https://techbeacon.com/15-steps-developing-eu-privacy-policy-compliant- apps • http://europa.eu/rapid/press-release_IP-15-6321_en.htm • https://www.schneier.com/blog/archives/2018/03/greykey_iphone_.html • https://www.wsj.com/articles/how-europes-new-privacy-rules-favor-google- and-facebook-1524536324