Dick, you raise good questions, a few of which I can provide some information about. The bulk of them should be answered by HQ staff.

I did review and offer a number of edits to the Nxtbook contract a year ago that provided for web hosting of digital QST. It had at the time optional services that we could request for Apple applications. My review of that contract was not with respect to the deal points, which were negotiated by others, but with respect to protecting ARRL contractually.

There is a need for an online privacy policy to supplement ARRL's general privacy policies that we have had in place for some time. I am working on that now with Bob Inderbitzen, Maria Somma, Mike Keane, Harold Kramer and Magdalena Owczarska.

They tell me that the information collected is as follows:

o “Session cookies” are used to store information as users navigate the online store (i.e. adding items to the shopping basket), membership application, and many other forms and applications used throughout the site. Session cookies are removed at the end of the activity…such as completing an online publication order. Some of our website services will not work at all unless a user permits the use of session cookies.

o “Persistent cookies” are used to help the website ‘remember’ user information and settings when visited in the future. While users can delete these cookies from their computer or device at any time, any settings such as stored username and login information will have to be reentered when they return to the site.

· Individual IP addresses are collected and used in aggregate for website analytics. These are never associated with any personal information. This data makes it possible for ARRL to measure, understand and optimize web usage. We use Google Analytics for much of our website analytics.

With that understanding we have created an online privacy policy draft that is now being modified and reviewed for accuracy. We can send it round to the Board for review before putting it online if you wish.

73, Chris W3KD

Christopher D. Imlay
Booth, Freret, Imlay & Tepper. P.C.
14356 Cape May Road
Silver Spring, Maryland 20904-6011
(301) 384-5525 telephone
(301) 384-6384 facsimile
W3KD@ARRL.ORG

-----Original Message-----
From: dick <dick@pobox.com>
To: arrl-odv <arrl-odv@arrl.org>
Sent: Fri, Nov 2, 2012 6:47 pm
Subject: [arrl-odv:21167] Potential Security Issues With Apple iOS... Details (long)

2 NOV 2012 - 1747 CDT

To all ARRL Officers, Directors, and Vice Directors:

Even though I am a heavy user of Information Technology, I have never been
a user of Apple devices of any type. Therefore, it has taken more time than
I planned to research the potential security issues with the Apple iOS
digital QST application.

This message consists of two parts; a brief discussion of the issues,
followed with a series of questions that should be answered before any
decision is made to publicly release and support the use of our Apple
iOS digital QST application.

Potential Security Issues With Apple iOS Digital QST Application

1. According to Harold Kramer, the Apple iOS QST App does send tracking
   information to somebody. It is assumed that this information is
   de-identified, only includes the current geographic location of the
   user, and is sent to Apple.Com, or an Apple contractor. Without a
   verified, detailed description (from Apple?) of all of this data,
   there is no way of making a proper judgement of the user's data
   security when using this application.

2. I understand the default setting of this "data tracking feature" is ON.
   It can be turned OFF, but the labeling and wording used to control this
   "feature" is not clearly understood. At the least, I suggest the
   default setting for this tracking process should be OFF with a warning
   displayed when the user chooses to activate it.

3. When the user stops using this QST App, it is still active and could
   continue to send data as long as the user's device is turned on. I
   think most iOS users do not know this is going on.

4. There is at least one Apple iOS hacking program available at
    http://www.iphonetracker101.com/iphone-tracking-app that can be
   used to view and record keystrokes and phone audio. I suspect there
   are also one or more Apple iOS hacking programs that enable the
   insertion of program (trojans) that will command the targeted Apple
   iOS device send specified data to anonymous third party(s) without
   the knowledge of the device user.

Questions That Should Be Answered Before Releasing the Apple iOS Digital
QST Application

1. Harold Kramer told me that Chris Imlay has vetted this contract, but
   I still don't know who is the contractor. Who is the contractor?
   What are we paying for this application?

2. What data is being collected? I can understand pages-read data that
   would be of used by ARRL staff to improve magazine content. The same
   goes for clicks on active links to track advertising response.

   But if things like the reader's current location, the reader's use of
   other applications, any financial or personal transactions by the reader,
   the reader's keystrokes, etc. are being sent out... the ARRL should not
   be receiving this information. We already have the user's ARRL membership
   and ham radio license data. What more do we need?

3. Is this application is sending data to third parties - without the user's
   knowledge or agreement? Depending on the data being sent, the ARRL
   could be held liable for damages.

4. Is there a clearly worded, easily accessed, option allowing the user to
   permanently stop this data collecting?

I have probably missed some points and I welcome comments and suggestions
on these issues. Here is one final question for my fellow directors.

5. Do you think the ARRL Board of Directors should formally approve this
   IT project? In view of our past IT problems, I believe we should vote
   on releasing and supporting this Apple iOS digital QST application.

73 - Dick Isely, W9GIG

_______________________________________________
arrl-odv mailing list
arrl-odv@reflector.arrl.org
http://reflector.arrl.org/mailman/listinfo/arrl-odv