‘Serious Doubts’ Remain After Senate Mobile Privacy Hearing, Says Franken
Senate Privacy Subcommittee Chairman Al Franken, D-Minn., said he still has “serious doubts” that Google and Apple are respecting the privacy rights of consumers, during a mobile privacy hearing held by the subcommittee Tuesday. The companies both said they would consider adjusting their privacy policies after lawmakers closely scrutinized the way each company tracks and uses consumer location data. This was the subcommittee’s first-ever hearing but Franken said it would not be the last to examine mobile privacy issues.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Americans want stronger privacy protections and current federal laws are insufficient to protect their personally identifiable data, Franken said. A balance must be established to protect the public’s right to privacy while still encouraging the development of innovative mobile products and services, he said. “The answer to this problem is not ending location-based services,” said Franken. “No one wants to stop the incredible things you do. You guys are brilliant. Today is about finding a balance between all those wonderful benefits and the public’s right to privacy.”
Lawmakers began their inquiry into mobile privacy last month after two researchers discovered that devices using Apple’s iOS 4 software update were “intentionally” recording and storing each user’s latitude and longitude coordinates along with a time stamp (CD April 22 p6). Franken called for the hearing after learning that mobile location data could facilitate tracking of the millions of children and teens that use iPhones and iPads (CD April 26 p5).
Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., will “soon” present legislation that updates the Electronic Communications Privacy Act (ECPA), he said. Though the 25-year-old law protects wire, oral and electronic communications while in transit and contains commercial disclosure provisions, it does not mandate privacy policies for mobile providers. “I think it’s a very important act, and I'm concerned that it does not apply to the mobile applications currently available,” said Leahy.
Apple reiterated that it does not track users of its iPhone, iPad or iPod touch devices. “Apple has never done so and has no plans to ever do so,” said Bud Tribble, vice president of software technology. The company does anonymously collect, use and share location data, to provide location-based services through its devices, but it gives consumers clear notice of its privacy policies and allows users to exercise control over their devices, he said. Apple requires express customer consent when any application requests location-based information for the first time, and also gives customers the ability to turn off all location-based service capabilities with a simple “On/Off” toggle switch, he said.
Lawmakers scrutinized the Apple “On/Off” toggle switch due to the revelation that iOS 4 devices continued to collect and store user location information even when its location services were disabled (CD April 28 p5). Franken asked Jessica Rich, deputy director of the FTC’s Bureau of Consumer Protection, if Apple’s tracking of location data even after consumers had turned off the service constituted a deceptive trade practice. Rich wouldn’t say whether Apple deceived customers but said if the company was indeed lying, that would constitute a deceptive practice. Apple said last month that a software bug was responsible for storing location logs even after users turned off their iPhone’s location services and the company had fixed the bug in a recent software update.
Apple sounds duplicitous when it says it doesn’t track consumers, said Rep. Ed Markey, D-Mass, co-chairman of the House Bi-Partisan Congressional Privacy Caucus, in statement released Tuesday. “I remain concerned about the apparent contradiction between Apple’s assertion that it does not track consumers and its explanation that it maintains a database of Wi-Fi hotspots and cell towers around a user’s current location,” he said. “Such a distinction does not make much difference to consumers whose location could be pinpointed with great accuracy.” Markey asked the company to submit more details on its third-party data sharing arrangements and urged greater transparency over its data policies.
While Google’s Android platform does track location information, it offers all users an affirmative opt-in option right out of the box, said Alan Davidson, the company’s director of public policy. Google learned from the ill-fated launch of its Google Buzz social network and was bound to protect consumers by FTC privacy oversight rules agreed to in March, he said. Davidson emphasized the importance of consumer trust with the Android platform and said the company would never sell its users’ personally identifiable information. Google anonymizes location information and requires third-party applications to notify users that they access location services before they download an app, Davidson said.
Lawmakers also directed their focus to app privacy. Sen. Charles Schumer, D-N.Y., pressed representatives from Google and Apple for refusing to remove “dangerous” applications from their app stores that reveal DUI checkpoints. Schumer said he was disappointed that Google and Apple had not pulled the apps from their stores and asked them how they could justify “putting the public at serious risk.” Google and Apple officials told lawmakers said they do take down applications that encourage unlawful activity while acknowledging that they hadn’t taken down many of the drunk driving applications mentioned by Schumer.
Davidson said Google’s policy of openness prevented it from immediately removing the drunk driving apps, and said he would discuss the topic with company executives after the hearing. Apple is examining such apps, and it’s often “difficult to determine” the intent of apps, Tribble said. If apps intend to help people break the law, Apple typically removes them, but some of the apps merely republish checkpoint information that is publicly available on police websites, he said.
Both Tribble and Davidson said they'd consider amending the privacy requirements of applications in their mobile app stores. All Apple apps are scrutinized for privacy compliance before they are approved, and the company conducts random audits to ensure that the apps are doing what they promised to do, said Tribble. He went a step further and said there should be icons and notifications in the user interface to “make it clear to people what is happening to their information.” Apple currently has a purple arrow icon on its mobile devices to indicate when location services are being used. Google has a different approach to applications, and does not ensure that every app does what it says it will do, Davidson said. The company tries to maximize the openness of the mobile environment and tries not to be a “gatekeeper,” he said.
Implementing privacy-by-design mechanisms is key to ensuring the privacy of mobile users, said the FTC’s Rich. Mobile providers should also streamline consumer choice about their privacy policies and increase overall transparency in the mobile environment, she said. The Google Buzz consent agreement was a positive step because it included strong oversight and injunctive relief to protect mobile users, she said.
There’s not enough public awareness of mobile tracking of consumers, said Jason Weinstein, deputy assistant attorney general of the Justice Department’s criminal division. Nor are there restrictions to prevent providers from sharing data with third parties, he said. DOJ advocated legislation to prevent criminals from targeting mobile devices for theft and other threats. Weinstein also said that mobile providers need to develop clearer privacy agreements.