UK data protection regulator reviews popular apps for privacy compliance
The ICO identifies areas of concern in the compliance of mobile apps with data protection and privacy laws.
The Information Commissioner’s Office (ICO) has recently published the results of its detailed review into 21 popular mobile apps, in which it assessed compliance with UK data protection and privacy laws. The ICO is keen to make sure that compliance is not overlooked by app developers, given the huge popularity of apps in our day-to-day lives and the amount of personal information that apps collect.
In 2013, the ICO published its guidance for app developers on privacy in mobile apps, covering the areas of the Data Protection Act 1998 and other privacy laws that need to be considered at the development stage and through the life of the app. This guidance is of great importance to developers, given the risk of a data breach damaging an app business’s reputation and attracting a fine of up to £500,000.
In its review of the 21 apps, the ICO identified the following issues:
- Three of the apps used unencrypted connections to transmit personal data, which means that it would not be difficult for a hacker to spy on communications transmitted through the app and access usernames and passwords.
- Of the apps that were using encrypted connections, a handful did not adequately check digital certificates. A digital certificate is an electronic ‘passport’ used in encrypted connections that verifies the identity of a message sender. The ICO discovered this oversight by undertaking an ethical hack, successfully using a fake digital certificate to perform a ‘man-in-the-middle’ attack and intercept what should have been secure connections.
- Other areas of concern identified include the use of default passwords and weak password requirements, transmission of passwords in the URL, and the setting of cookies without obtaining user consent.
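The three transport-level findings above (unencrypted connections, skipped certificate checks, and passwords carried in the URL) are the kind of thing a developer can test for before release rather than wait for a regulator to find. The following Python script is an added example written for this article, not code from the ICO or from White & Black: it audits a constructed list of endpoint URLs for plain-HTTP transport and credentials in the URL, and it contrasts a TLS client context that verifies the server certificate with the disabled-verification pattern that the ICO's forged-certificate test would have defeated. The endpoint list and the parameter-name list are assumptions for illustration.

```python
"""Pre-release audit for an app's network endpoints.

Added example (not from the ICO review or the firm's own material).  The
sample endpoints below are constructed for illustration.
"""
import ssl
from urllib.parse import urlsplit, parse_qs

# Query-string names that indicate a credential is being sent in the URL.
# Assumed list; extend it to match the app's own parameter names.
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret"}


def audit_endpoint(url: str) -> list:
    """Return the findings for one endpoint URL (an empty list means clean)."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        # Personal data, including logins, would cross the network in clear.
        findings.append("unencrypted transport: scheme is not https")
    if parts.username or parts.password:
        # user:pass@host in the URL ends up in proxy logs and history.
        findings.append("credentials embedded in URL authority")
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in sorted(k for k in query if k.lower() in CREDENTIAL_PARAMS):
        # Query-string passwords are logged by servers and intermediaries.
        findings.append(f"credential parameter in query string: {name}")
    return findings


def secure_tls_context() -> ssl.SSLContext:
    """Client TLS context that actually checks the server certificate.

    create_default_context() already loads the system trust store and turns
    verification on; the settings are restated here so the intent is visible.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True                 # certificate must name the host
    ctx.verify_mode = ssl.CERT_REQUIRED       # chain must validate to a trusted CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def disabled_verification_context() -> ssl.SSLContext:
    """The weak setting the review found: a context that accepts any certificate.

    Shown only for contrast; check_hostname must be cleared before verify_mode
    can be set to CERT_NONE, which is why the assignments are in this order.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True if the context would reject a forged certificate in a MITM test."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


# Constructed sample: endpoints a hypothetical app might call.
SAMPLE_ENDPOINTS = [
    "https://api.example.test/v1/login",
    "http://api.example.test/v1/profile",
    "https://api.example.test/v1/auth?user=alice&password=hunter2",
    "https://alice:hunter2@api.example.test/v1/sync",
]


def audit_all(urls=SAMPLE_ENDPOINTS) -> dict:
    """Map each endpoint with at least one finding to its list of findings."""
    report = {}
    for url in urls:
        findings = audit_endpoint(url)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(url)
        for finding in findings:
            print("   -", finding)
    print("verifying context safe:", context_is_safe(secure_tls_context()))
    print("disabled context safe: ", context_is_safe(disabled_verification_context()))
```

Run it against the app's real endpoint list (the URLs a traffic capture or the networking layer's configuration shows) and wire `secure_tls_context()` or its platform equivalent into every HTTPS client; a context built like `disabled_verification_context()` is exactly what lets a fake certificate through.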
The ICO has written to the relevant app developers about these issues, and has worked with the developers to ensure that the necessary changes have been made. It also intends to undertake further reviews, and has already started to look at some FinTech and HealthTech apps.
App developers would be wise to consider the ICO guidance to ensure that their app complies with the relevant requirements and would stand up to scrutiny by the ICO in future reviews.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.