IBM will pony up $1 million worth of technology to the city of Los Angeles for COVID-19 contact tracing, and The Weather Channel app will change its privacy practices regarding use of user location data.
The changes come with the settlement of a lawsuit that accused the app of misleading users as to how their information was being used.
“The requirement for maintaining data privacy has increased as privacy regulations have been adopted by many more jurisdictions since they were first announced” and that fines for violations “have multiplied” and are often accompanied by other “severe” penalties, said Steve Durbin, managing director at Information Security Forum (ISF).
The app, owned by IBM and operated by TWC Product and Technology LLC, asked users to share geolocation data to receive personalized weather forecasts and other alerts. But Los Angeles City Attorney Mike Feuer argued in the 2019 suit that users had been deceived about how their data would be used – ultimately it was sold to third-party companies.
“End users generally ‘trust’ their phones as well as the apps on their phones. I mean who thinks about their own location when using the app?” said Setu Kukarni, vice president of strategy and business development at WhiteHat Security. “But that implicit and implied insight is gold for apps who serve up paid content and paid features based on your location whether you want it or not, and whether you like it or not.”
The Weather Channel said it "has always been transparent about its use of location data," according to a spokesperson's statement. "We fundamentally disagreed with this lawsuit from the start, and during the case we showed that the claims were baseless."
But IBM agreed to donate technology to support COVID-19 tracing and relief "in recognition of [its] long-standing relationship with Los Angeles."
Calling location “a delicate matter,” Stephen Banda, senior manager, security solutions, at Lookout, said that the responsibility for understanding how location data is being used and shared, as well as validating privacy policy details, typically have fallen to the end user.
The rush to bring apps to market to meet business objectives and gain competitive advantage often finds privacy getting short shrift. “Due to development timelines, developers often have to delay building granular privacy permissions into their applications,” said StackRox CTO and co-founder Ali Golshan. “Such permissions enable individual customers to define how their data can be used, or the right to be forgotten.”
But regulations such as the California Consumer Privacy Act and General Data Protection Regulation – and the fines and penalties they bring – “have raised the bar for organizations to safeguard the personal data of their employees and customers,” said Banda.
Companies, too, are heeding the increased public awareness and media interest that “have led to commercial and reputational consequences for non-compliance,” Durbin added.
