Wednesday, May 11, 2011

Sen. Franken Holds Hearings on Mobile Device Tracking, Justice Dept. Wants More of It

As you probably are aware, a few weeks ago security researchers discovered that Apple's iPhone keeps track of EVERYWHERE you go – and saves every detail of it to a secret file on the device which is then copied to the owner's computer when the two are synchronized.

As I have written here before, the fact that Americans are losing their privacy as they travel through public space due to location-based technologies isn't debatable. The question, as is so often the case when it comes to issues at the intersection of privacy and technology, is what kind of say do we have in the matter and what kind of rules are in place protecting our privacy rights?

To help answer questions like these, Senator Al Franken decided to hold hearings on the topic yesterday - inviting Google, Apple, and the Justice Department to participate. The Senator also sent a letter to Apple a few weeks back questioning why it included the feature in its software in the first place. The letter reads, “The existence of this information — stored in an unencrypted format — raises serious privacy concerns.” He later emphasized the information — which could be “accurate to 50 meters or less” — also applies to iPhones and iPads owned by children, and could easily be exploited by “criminals and bad actors.”

Franken also asked Steve Jobs to explain whether the location data has been disclosed, and whether the same technology is also included as part of the operating system software that runs on the company’s popular MacBook laptops.

Yesterday's hearing is particularly significant in that it demonstrates a heightened interest in Congress in reforming federal laws on privacy, tracking and surveillance. But what stood out to me in Tuesday's hearings wasn't the ardent claims of "innocence" by Google and Apple, but rather, the asserted desire from the Justice Department that such companies should be mandated to store MORE consumer data, not less.

So, before I get to the specific arguments over the devices themselves, and Franken's comments, let me direct you to the article in CNet that details the bold, and disconcerting position of the Justice Department itself - a position completely, at least seemingly, at odds with the theme and purpose of the hearings themselves.

Declan McCullagh reports:

The U.S. Department of Justice today called for new laws requiring mobile providers to collect and store information about their customers, a proposal that pits it against privacy advocates and even other federal agencies.

Jason Weinstein, the deputy assistant attorney general for the criminal division, picked an odd place to describe the department's proposal: a U.S. Senate hearing that arose out of revelations about iPhones recording information about owners' locations, and, in some cases, transmitting those data to Apple without consent.


The Justice Department's suggestion conflicts with what the Federal Trade Commission--which also sent a representative to today's hearing--has recommended. A company should adopt a policy of "not collecting or retaining more data than they need to provide a requested service or transaction," said Jessica Rich, deputy director of the FTC's bureau of consumer protection.

"I believe that consumers have a fundamental right to know what data is being collected about them," Franken said. That can be, he said, "really sensitive information that I don't think we're doing enough to protect."

It should be noted that Weinstein didn't elaborate on whether the government wanted to require wireless providers to record location information as well - but it certainly seems likely they would view that as valuable too.

In related news, Sen. Ron Wyden is currently working on legislation that could become part of the chamber’s larger effort to set new rules for how and when federal law enforcement can access consumers’ location data. Something I believe - clearly after yesterday's hearing and the comments by Weinstein - is needed.

In the past, we had services such as EZ Pass (allows you to bypass stopping to pay the bridge toll), Google Latitude, the GPS tracking of cellphones, the right of police and government to track our whereabouts (both by phone and car), transit cards, social networking sites, WiFi networks, and more, all opening up a brave new world of real time, locational tracking of Americans.

We shouldn't view any of this as that big of a surprise then. A recent study by the Worcester Polytechnic Institute (WPI) in Massachusetts found that mobile social networks are giving data about users' physical locations to tracking sites and other social networking services. Researchers reported that all 20 sites that were studied leaked some kind of private information to third-party tracking sites.

As the report notes, "The combination of location information, unique identifiers of devices, and traditional leakage of other personally identifiable information all conspire against protection of users' privacy."

In addition, we also know that the FBI uses 'dragnet'-style warrantless cell phone tracking. In other words, there are more and more ways, through more and more devices, that can track and store our location, and that data is worth more and more money.

As for Apple, as a result of these recent revelations, the company is facing at least two lawsuits by consumers who allege the company violated federal computer fraud laws by capturing data about their locations. In addition, Apple and Google face separate lawsuits by mobile users who allege that the companies transmitted their devices' unique identifiers to outside companies.

With that, let me get to some of what was discussed in the hearings. ZDNet reports:

....Davidson affirmed that Google never sells “users’ personally identifiable information

Even though users have the choice to opt-in to location sharing, there are plenty of unanswered questions left. Google execs haven’t provided information as to how long the data is stored, nor how this data might be used either by Google or third parties in the future.

The USA Today has more: 

"People have the right to know who is getting their information and how (it) is shared and used. I still have serious doubts those rights are being respected in law or in practice," said Sen. Al Franken, D-Minn., who chaired the hearing. "This is an urgent issue."

Franken scheduled the hearing of the Judiciary panel's subcommittee on privacy, technology and the law after recent incidents showed risks for consumers' data. In addition to researcher reports that mobile apps on Apple and Google devices shared location-based data with third parties, network breaches at Sony and Epsilon put customers' personal and financial information at risk.

"Federal laws do far too little to protect this information. … No one wants to stop Apple or Google from producing their products," Franken said, but Congress must "find a balance between all of those wonderful benefits (from devices) and the public's right to privacy."

Guy Tribble, Apple vice president of software technology, told Franken that Apple's devices gather and store location data only about nearby cell towers and Wi-Fi hot spots. Apple, he said, "does not share personally identifiable information with third parties for their marketing purposes without our customers' explicit consent … (and) Apple does not track users' locations. Apple has never done so and has no plans to ever do so."

Tribble added that a coming software upgrade will encrypt the location data on devices.

In all, I give kudos to Senator Franken for bringing this issue out into the open. He appeared to get both companies to admit that a "clearer and more understandable" privacy policy is necessary. But then, who reads privacy policies?

As I wrote in a prior post, "A constantly monitored citizenry used to conjure up images of totalitarian states - not Google and iPhones. And granted, now technology does the surveillance — generally in the name of being helpful and entertaining, not to stifle dissent or oppress the public.

This fact does not mean that these technologies can't still be used in ways that don't reduce freedoms, play into the hands of overly aggressive and/or oppressive governments, or invade privacy by using our personal information to maximize corporate profit. Perhaps it's time for a serious conversation about how much of our privacy of movement we want to give up - and how much control do we get over that decision?"
