Analysis of the Senate Hearings on Mobile Privacy

Sunday, May 22, 2011

David Navetta


Article by Nicole Friess

On May 10, 2011 the Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing entitled Protecting Mobile Privacy: Your Smartphone, Tablets, Cell Phones and Your Privacy.

The hearing focused on the privacy concerns raised by mobile devices, location-based mobile services, and check-in applications.

Senator Leahy opened the hearing, reflecting on the benefits of mobile devices, apps, and social networks, as well as the risks these new technologies pose to consumer privacy.

Leahy expressed that he is “deeply concerned” that smartphones may be tracking and storing data without users’ consent, that sensitive user data may be maintained by providers in unencrypted formats, and that companies are involved in the sale of location data without consumer knowledge, resulting in consumers receiving unsolicited ads from third parties.

Subcommittee Chairman Al Franken’s opening remarks focused on the increasing number of entities whose business model is to collect and maintain information on consumers under consumers’ radar.

Franken noted the many benefits of location-based services, making a point to emphasize that “the existence of this business model is not a bad thing.”

“The answer is not ending location-based services,” Franken said, “what today is about is trying to find a balance” between the benefits of these services and the public’s right to privacy.

The first panel of testifying witnesses consisted of two government representatives from their respective agencies. Here are some highlights from their testimony:

Jessica Rich, Deputy Director, Bureau of Consumer Protection, FTC

  • The rapid growth of mobile products and services raises several concerns: mobile devices are always on and always with the consumer, mobile devices contain information that is highly personal in nature, and companies have the ability to track consumers who use mobile devices, including children and teens.
  • The FTC has called on the industry to develop simplified disclosures embedded in each mobile interaction so that consumers know when and how their data is being used, rather than rely on privacy policies that are difficult to access using a mobile device.
  • Companies should implement privacy by design principles in the development of their products and services, making it easier for consumers to understand and choose how their data is used.

Jason Weinstein, Deputy Assistant Attorney General, Criminal Division, DOJ

  • Three major threats mobile devices pose to consumers include (1) cyber criminals such as identity thieves, stalkers, and hackers who access and exploit information without authorization; (2) the collection and disclosure of location data by service providers themselves - including app providers; and (3) the use of mobile devices by criminals to facilitate their own crimes.
  • While the ECPA restricts providers from sharing location data with the government, it does not restrict them from sharing such information with other private entities.
  • Companies are not currently required to retain the data they collect, which impedes the DOJ’s ability to investigate and prosecute crimes.

The second panel consisted of five non-government witnesses – from privacy advocates to representatives from major mobile market players. Here are some highlights from their testimony:

Ashkan Soltani, Independent Researcher and Consultant

  • The most serious threat mobile devices pose today is that consumers are repeatedly surprised by the information mobile device platforms and apps are accessing.
  • Mobile devices and apps don’t only collect location data - they also transmit consumers’ phone numbers and information from their address books, text messages, contact lists, etc.

Justin Brookman, Director of the Project on Consumer Privacy, Center for Democracy and Technology

  • Only a patchwork of outdated and insufficient laws applies to mobile service providers, leaving consumers inadequately protected.
  • While companies can’t affirmatively lie about how they protect consumer data, they can decline to make any representations to consumers regarding their data privacy and security practices, thereby avoiding FTC enforcement.
  • The default rule for service providers is that they can disclose location data without notifying consumers and obtaining their consent. The only things providers can’t do are things the providers have promised they won’t do.

Guy L. "Bud" Tribble, Vice President of Software Technology, Apple Inc.

  • Apple does not track users’ locations and “has never done so,” nor do Apple devices transmit data back to Apple that is unique to any particular consumer.
  • Apple controls the apps available to consumers by contract – if apps don’t meet Apple’s privacy requirements then those apps are not made available in Apple’s app store.
  • Apple conducts “random audits” and “examines network traffic produced by applications” to ensure that available apps are properly protecting the privacy of Apple consumers.

Alan Davidson, Director of Public Policy, Americas, Google Inc.

  • Google makes location-based services opt-in only. If a consumer doesn’t opt-in, his or her mobile device will not transmit any location data back to Google.
  • Every third-party app must notify users that the app will access location data and obtain the user’s consent before the app is installed on the user’s device.
  • Google believes in providing users with highly transparent information regarding its information practices, requiring opt-in consent before location data is collected, and implementing high security standards to anonymize data once it’s collected.

Jonathan Zuck, President, Association for Competitive Technology

  • Mobile apps are made predominantly by small businesses - to protect consumer privacy without unduly burdening innovation, concerns about privacy must be dealt with holistically rather than from a technology-specific perspective.

Chairman Franken closed the hearing by noting that current laws don’t provide consumers with sufficient privacy protections - legislation and agency enforcement haven’t kept up with the pace of technology.

Franken restated his belief that consumers have a “fundamental right” to know what personal information is collected about them, and when and with whom their information is shared. Franken noted that these rights are particularly important when sensitive information – data from mobile devices – is involved.

The hearing can be viewed on the U.S. Senate Committee on the Judiciary website.

Cross-posted from InfoLawGroup
