[Owasp-leaders] APPS Act of 2013

Jason Johnson jason.johnson at owasp.org
Sun Feb 24 21:40:43 UTC 2013


Some more are coming... :)
On Feb 24, 2013 3:37 PM, "Mr UV" <tonyuv at owasp.org> wrote:

>  Yes, heard this was coming and will keep everyone abreast on its
> developments.  Thanks for bringing this to light.  Will see what
> involvement the local chapter can have here in support of Johnson's efforts.
>  ------------------------------
> From: Jim Manico <jim.manico at owasp.org>
> Sent: 2/25/2013 4:35 AM
> To: owasp-leaders at lists.owasp.org; Tony UcedaVelez <tonyuv at owasp.org>
> Subject: APPS Act of 2013
>
> Discussion draft of a bill in the US congress about app security. Ping to
> OWASP Atlanta - this is coming from your state.
>
> This Act may be cited as the “Application Privacy, Protection, and
> Security Act of 2013” or the “APPS Act of 2013”
>
> Aloha,
> Jim
>
> ***
>
> [DISCUSSION DRAFT]
>
> 113th CONGRESS
> 1st Session
>
> H. R. __
>
> To provide for greater transparency in and user control over the treatment
> of data collected by mobile applications and to enhance the security of
> such data.
>
> IN THE HOUSE OF REPRESENTATIVES
>
> Mr. Johnson of Georgia introduced the following bill; which was referred
> to the Committee on ______________
>
> A BILL
>
> To provide for greater transparency in and user control over the treatment
> of data collected by mobile applications and to enhance the security of
> such data.
>
> Be it enacted by the Senate and House of Representatives of the United
> States of America in Congress assembled,
>
> SECTION 1. Short title.
>
> This Act may be cited as the “Application Privacy, Protection, and
> Security Act of 2013” or the “APPS Act of 2013”.
>
> SEC. 2. Transparency, user control, and security.
>
> (a) Consent to terms and conditions.—
>
> (1) IN GENERAL.—Before a mobile application collects personal data about a
> user of the application, the developer of the application shall—
>
> (A) provide the user with notice of the terms and conditions governing the
> collection, use, storage, and sharing of the personal data; and
>
> (B) obtain the consent of the user to such terms and conditions.
>
> (2) REQUIRED CONTENT.—The notice required by paragraph (1)(A) shall
> include the following:
>
> (A) The categories of personal data that will be collected.
>
> (B) The categories of purposes for which the personal data will be used.
>
> (C) The categories of third parties with which the personal data will be
> shared.
>
> (D) A data retention policy that governs the length for which the personal
> data will be stored and the terms and conditions applicable to storage,
> including a description of the rights of the user under subsection (b) and
> the process by which the user may exercise such rights.
>
> (3) ADDITIONAL SPECIFICATIONS AND FLEXIBILITY.—The Commission shall by
> regulation specify the format, manner, and timing of the notice required by
> paragraph (1)(A). In promulgating the regulations, the Commission shall
> consider how to ensure the most effective and efficient communication to
> the user regarding the treatment of personal data.
>
> (4) DIRECT ACCESS TO DATA BY THIRD PARTIES.—For purposes of this Act, if
> the developer of a mobile application allows a third party to access
> personal data collected by the application, such personal data shall be
> considered to be shared with the third party, whether or not such personal
> data are first transmitted to the developer.
>
> (b) Withdrawal of consent.—The developer of a mobile application shall—
>
> (1) provide a user of the application with a means of—
>
> (A) notifying the developer that the user intends to stop using the
> application; and
>
> (B) requesting the developer—
>
> (i) to refrain from any further collection of personal data through the
> application; and
>
> (ii) at the option of the user, either—
>
> (I) to the extent practicable, to delete any personal data collected by
> the application that is stored by the developer; or
>
> (II) to refrain from any further use or sharing of such data; and
>
> (2) within a reasonable and appropriate time after receiving a request
> under paragraph (1)(B), comply with such request.
>
> (c) Security of personal data and de-identified data.—The developer of a
> mobile application shall take reasonable and appropriate measures to
> prevent unauthorized access to personal data and de-identified data
> collected by the application.
>
> (d) Exception.—Nothing in this Act prohibits the developer of a mobile
> application from disclosing or preserving personal data or de-identified
> data as required by—
>
> (1) other Federal law (including a court order); or
>
> (2) except as provided in section 6, the law of a State or a political
> subdivision of a State (including a court order).
>
> SEC. 3. Application and enforcement.
>
> (a) General application.—The requirements of this Act and the regulations
> promulgated under this Act apply, according to their terms, to those
> persons, partnerships, and corporations over which the Commission has
> authority pursuant to section 5(a)(2) of the Federal Trade Commission Act
> (15 U.S.C. 45(a)(2)).
>
> (b) Enforcement by Federal Trade Commission.—
>
> (1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of this Act or a
> regulation promulgated under this Act shall be treated as a violation of a
> regulation under section 18(a)(1)(B) of the Federal Trade Commission Act
> (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
>
> (2) POWERS OF COMMISSION.—The Commission shall enforce this Act and the
> regulations promulgated under this Act in the same manner, by the same
> means, and with the same jurisdiction, powers, and duties as though all
> applicable terms and provisions of the Federal Trade Commission Act (15
> U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any
> person who violates this Act or a regulation promulgated under this Act
> shall be subject to the penalties and entitled to the privileges and
> immunities provided in the Federal Trade Commission Act.
>
> (c) Actions by States.—
>
> (1) IN GENERAL.—In any case in which the attorney general of a State, or
> an official or agency of a State, has reason to believe that an interest of
> the residents of such State has been or is threatened or adversely affected
> by an act or practice in violation of this Act or a regulation promulgated
> under this Act, the State, as parens patriae, may bring a civil action on
> behalf of the residents of the State in an appropriate district court of
> the United States to—
>
> (A) enjoin such act or practice;
>
> (B) enforce compliance with this Act or such regulation;
>
> (C) obtain damages, restitution, or other compensation on behalf of
> residents of the State; or
>
> (D) obtain such other legal and equitable relief as the court may consider
> to be appropriate.
>
> (2) NOTICE.—Before filing an action under this subsection, the attorney
> general, official, or agency of the State involved shall provide to the
> Commission a written notice of such action and a copy of the complaint for
> such action. If the attorney general, official, or agency determines that
> it is not feasible to provide the notice described in this paragraph before
> the filing of the action, the attorney general, official, or agency shall
> provide written notice of the action and a copy of the complaint to the
> Commission immediately upon the filing of the action.
>
> (3) AUTHORITY OF COMMISSION.—
>
> (A) IN GENERAL.—On receiving notice under paragraph (2) of an action under
> this subsection, the Commission shall have the right—
>
> (i) to intervene in the action;
>
> (ii) upon so intervening, to be heard on all matters arising therein; and
>
> (iii) to file petitions for appeal.
>
> (B) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING.—If the
> Commission or the Attorney General of the United States has instituted a
> civil action for violation of this Act or a regulation promulgated under
> this Act (referred to in this subparagraph as the “Federal action”), no
> State attorney general, official, or agency may bring an action under this
> subsection during the pendency of the Federal action against any defendant
> named in the complaint in the Federal action for any violation of this Act
> or such regulation alleged in such complaint.
>
> (4) RULE OF CONSTRUCTION.—For purposes of bringing a civil action under
> this subsection, nothing in this Act shall be construed to prevent an
> attorney general, official, or agency of a State from exercising the powers
> conferred on the attorney general, official, or agency by the laws of such
> State to conduct investigations, administer oaths and affirmations, or
> compel the attendance of witnesses or the production of documentary and
> other evidence.
>
> SEC. 4. Regulations.
>
> Not later than 1 year after the date of the enactment of this Act, the
> Commission shall promulgate regulations in accordance with section 553 of
> title 5, United States Code, to implement and enforce this Act.
>
> SEC. 5. Safe harbor.
>
> The developer of a mobile application may satisfy the requirements of this
> Act and the regulations promulgated under this Act by adopting and
> following a code of conduct for consumer data privacy (insofar as such code
> relates to data collected by a mobile application) developed in a
> multistakeholder process convened by the National Telecommunications and
> Information Administration, as described in the document issued by the
> President on February 23, 2012, entitled “Consumer Data Privacy in a
> Networked World: A Framework for Protecting Privacy and Promoting
> Innovation in the Global Digital Economy”.
>
> SEC. 6. Relationship to State law.
>
> This Act and the regulations promulgated under this Act supersede a
> provision of law of a State or a political subdivision of a State only to
> the extent that such provision—
>
> (1) conflicts with this Act or such regulations, as determined without
> regard to section 2(d)(2);
>
> (2) specifically relates to the treatment of personal data or
> de-identified data; and
>
> (3) provides a level of transparency, user control, or security in the
> treatment of personal data or de-identified data that is less than the
> level provided by this Act and such regulations.
>
> SEC. 7. Definitions.
>
> In this Act:
>
> (1) COMMISSION.—The term “Commission” means the Federal Trade Commission.
>
> (2) DE-IDENTIFIED DATA.—The term “de-identified data” means data from
> which particular individuals cannot be identified.
>
> (3) DEVELOPER.—The term “developer” shall have the meaning given such term
> by the Commission by regulation.
>
> (4) MOBILE APPLICATION.—The term “mobile application” means a software
> program—
>
> (A) that runs on the operating system of a mobile device; and
>
> (B) with which the user of the device directly interacts.
>
> (5) MOBILE DEVICE.—The term “mobile device” means a smartphone, tablet
> computer, or similar portable computing device that transmits data over a
> wireless connection.
>
> (6) PERSONAL DATA.—The term “personal data” shall have the meaning given
> such term by the Commission by regulation, except that such term shall not
> include de-identified data.
>
> (7) STATE.—The term “State” means each of the several States, the District
> of Columbia, each commonwealth, territory, or possession of the United
> States, and each federally recognized Indian tribe.
>
> SEC. 8. Effective date.
>
> This Act shall apply with respect to any collection, use, storage, or
> sharing of personal data or de-identified data that occurs after the date
> that is 30 days after the promulgation of final regulations under section 4.