[arrl-odv:21173] Re: Potential Security Issues With Apple iOS... Details (long)

Dick, you raise good questions, a few of which I can provide some information about. The bulk of them should be answered by HQ staff. I did review and offer a number of edits to the Nxtbook contract a year ago that provided for web hosting of digital QST. It had at the time optional services that we could request for Apple applications. My review of that contract was not with respect to the deal points, which were negotiated by others, but with respect to protecting ARRL contractually.

There is a need for an online privacy policy to supplement ARRL's general privacy policies that we have had in place for some time. I am working on that now with Bob Inderbitzen, Maria Somma, Mike Keane, Harold Kramer and Magdalena Owczarska. They tell me that the information collected is as follows:

- Cookies
  - "Session cookies" are used to store information as users navigate the online store (i.e. adding items to the shopping basket), membership application, and many other forms and applications used throughout the site. Session cookies are removed at the end of the activity, such as completing an online publication order. Some of our website services will not work at all unless a user permits the use of session cookies.
  - "Persistent cookies" are used to help the website 'remember' user information and settings when visited in the future. While users can delete these cookies from their computer or device at any time, any settings such as stored username and login information will have to be reentered when they return to the site.
- Individual IP addresses are collected and used in aggregate for website analytics. These are never associated with any personal information. This data makes it possible for ARRL to measure, understand and optimize web usage. We use Google Analytics for much of our website analytics.

With that understanding we have created an online privacy policy draft that is now being modified and reviewed for accuracy. We can send it round to the Board for review before putting it online if you wish.

73, Chris W3KD

Christopher D. Imlay
Booth, Freret, Imlay & Tepper. P.C.
14356 Cape May Road
Silver Spring, Maryland 20904-6011
(301) 384-5525 telephone
(301) 384-6384 facsimile
W3KD@ARRL.ORG

-----Original Message-----
From: dick <dick@pobox.com>
To: arrl-odv <arrl-odv@arrl.org>
Sent: Fri, Nov 2, 2012 6:47 pm
Subject: [arrl-odv:21167] Potential Security Issues With Apple iOS... Details (long)

2 NOV 2012 - 1747 CDT

To all ARRL Officers, Directors, and Vice Directors:

Even though I am a heavy user of Information Technology, I have never been a user of Apple devices of any type. Therefore, it has taken more time than I planned to research the potential security issues with the Apple iOS digital QST application. This message consists of two parts: a brief discussion of the issues, followed with a series of questions that should be answered before any decision is made to publicly release and support the use of our Apple iOS digital QST application.

Potential Security Issues With Apple iOS Digital QST Application

1. According to Harold Kramer, the Apple iOS QST App does send tracking information to somebody. It is assumed that this information is de-identified, only includes the current geographic location of the user, and is sent to Apple.Com, or an Apple contractor. Without a verified, detailed description (from Apple?) of all of this data, there is no way of making a proper judgement of the user's data security when using this application.

2. I understand the default setting of this "data tracking feature" is ON. It can be turned OFF, but the labeling and wording used to control this "feature" is not clearly understood. At the least, I suggest the default setting for this tracking process should be OFF with a warning displayed when the user chooses to activate it.

3. When the user stops using this QST App, it is still active and could continue to send data as long as the user's device is turned on. I think most iOS users do not know this is going on.

4. There is at least one Apple iOS hacking program available at http://www.iphonetracker101.com/iphone-tracking-app that can be used to view and record keystrokes and phone audio. I suspect there are also one or more Apple iOS hacking programs that enable the insertion of programs (trojans) that will command the targeted Apple iOS device to send specified data to anonymous third party(s) without the knowledge of the device user.

Questions That Should Be Answered Before Releasing the Apple iOS Digital QST Application

1. Harold Kramer told me that Chris Imlay has vetted this contract, but I still don't know who is the contractor. Who is the contractor? What are we paying for this application?

2. What data is being collected? I can understand pages-read data that would be of use to ARRL staff to improve magazine content. The same goes for clicks on active links to track advertising response. But if things like the reader's current location, the reader's use of other applications, any financial or personal transactions by the reader, the reader's keystrokes, etc. are being sent out... the ARRL should not be receiving this information. We already have the user's ARRL membership and ham radio license data. What more do we need?

3. Is this application sending data to third parties without the user's knowledge or agreement? Depending on the data being sent, the ARRL could be held liable for damages.

4. Is there a clearly worded, easily accessed option allowing the user to permanently stop this data collecting?

I have probably missed some points and I welcome comments and suggestions on these issues. Here is one final question for my fellow directors.

5. Do you think the ARRL Board of Directors should formally approve this IT project? In view of our past IT problems, I believe we should vote on releasing and supporting this Apple iOS digital QST application.

73 - Dick Isely, W9GIG

_______________________________________________
arrl-odv mailing list
arrl-odv@reflector.arrl.org
http://reflector.arrl.org/mailman/listinfo/arrl-odv