The Mobile Privacy Hearings: Senators Prod, Apple And Google Defend

When researchers Alasdair Allan and Pete Warden announced at the Where 2.0 Conference in Santa Clara a few weeks ago that iPhones and 3G iPads are storing records of where their users are and where they’ve been, the news created quite a stir. Google also stores a similar list on Android devices, so naturally questions have swirled in the last few weeks around how both Apple and Google are collecting and using this location data and to what extent it encroaches on user privacy.

Yesterday, representatives from both companies were called before a senatorial subcommittee to answer questions from the likes of Senators Al Franken (Minn.) and Patrick Leahy (Vt.) on whether or not our mobile devices are becoming Big Brother 2.0.

During the testimony, the senators were careful to say that the government is well aware of the many benefits of the technology created by both companies and is in no way eager to stifle innovation or create knee-jerk legislation. That being said, in the words of Senator Leahy, while the “digital age can do some wonderful, wonderful things for all of us … American consumers and businesses face threats to privacy like no time before.”

Naturally, even without the information that has recently come to light, there has been a growing concern among lawmakers and consumers alike that both Google and Apple are not doing enough to become guardians of the user’s personal data rather than wholesalers. Leahy told the representatives that he was “deeply concerned” about the reports that iPhones and Android devices were “collecting, storing, and tracking user location data without the user’s consent”.

“I am also concerned about reports that this sensitive location information may be maintained in an unencrypted format, making the information vulnerable to cyber thieves and other criminals”, the Senator said.

As to the basic allegations that lie before the two giants of the mobile space, Apple has previously stated that, though it is partly at fault for not educating its users to fully understand the technical issues with providing fast and accurate location information, the company does not track (nor has it ever tracked) the location of a user’s iPhone.

At the time, Apple explained that, while it did find a few bugs in the architecture, it was adamant that it is using the location data stored on its devices to maintain and improve upon a crowdsourced database of WiFi hotspots and cell towers — not to keep a log of a user’s prior location. The geo-tagged data from iPhones, for example, is used to help build data about WiFi networks and cell tower locations, which let location-based services work even when GPS/satellite positioning isn’t available or functioning seamlessly.

Be that as it may, Senator Franken noted that consumers remain confused, so he posed the question directly to Apple’s VP of Software Technology Bud Tribble: “does this data indicate anything about the user’s location, or doesn’t it?”

Tribble’s response was to reiterate the main message to the average consumer: that the data is a record of the location of cell towers and WiFi hotspots, and it does not contain any customer information. It is anonymous. However, that comes with a nuance. When a portion of that database is downloaded onto your phone, your phone knows which hotspots and towers it can transmit through, so the combination of the location of those towers and your phone knowing which towers it can transmit through allows the phone to give you a basic location without GPS.

So, he is essentially saying, yes of course Apple tracks your location. That’s what GPS and WiFi and cell tower positioning are designed to do, and yes it does store location-based information on its devices in order to do that, but no it isn’t keeping a full history of your locations, and while it does know where you are, it doesn’t necessarily know who you are.

Though Apple doesn’t seem to be doing anything intentionally nefarious with this information, the point remains that the laws of this country have not yet come anywhere near to adequately addressing the capabilities of modern technologies. In an earlier panel, Jason Weinstein, deputy assistant attorney general of the Criminal Division of the U.S. Justice Dept, told the subcommittee that once companies have access to consumer info (if you give Apple or Google permission to use your location or something similar), they can legally share that data with third-party businesses.

Only when companies have previously promised not to share something, like your location, can they be held accountable in court. As Justin Brookman, the Director for the Center of Democracy & Technology’s Project on Consumer Privacy, said, “the default law in this country for the sharing of data is that you can do anything you want”, with the exception being any prior promise the company has made not to share specific data.

Franken also asked the representatives from the two companies about the fact that they run the biggest app stores in the world, yet require no privacy policy for their apps, and so asked them if they would consider adding a privacy policy.

Alan Davidson, Google’s director of public policy, said that Google has relied on a permission-based model which requires users to give permission before any sharing takes place, but that the next step is important for Google to consider and is “a very good suggestion”. He said that he would “take that issue back to leadership”. And for Apple, Tribble said that Apple contractually requires third-party developers to disclose if they’re going to do anything with user information, but does not integrate an over-arching privacy policy. He then continued on to say that a general privacy policy would not be enough, that true transparency goes beyond what’s in the privacy policy and needs to be integrated into the user interface of an app, designing feedback to the user about what’s happening to the information into the actual app.

Franken then asked Tribble about why Apple only asks users if they want to share location with an app, while Google asks the user if they want to share location, address book information, contacts, and so on. Tribble responded by saying that a long checkmark box of opt-in sharing options would only confuse the user and be unwieldy both to present and read on a mobile device.

There’s no doubt that Tribble makes two valid points here, but Ashkan Soltani, an independent researcher who has worked with the Wall Street Journal on mobile-privacy investigations, shortly thereafter cut to the heart of the matter. He told the senators that the biggest privacy threat to mobile users today is the simple fact that “consumers are repeatedly surprised by the information that apps and app platforms are accessing”. Users are entrusting their phones and computers with a great deal of personal information, he said, and these platforms are not taking adequate steps to make clear to the consumer that third parties have access to this information.

Not only that, but the other issue is that platform providers, too, are often caught off-guard as to the types (or amount) of information they’re gathering. Soltani cited the examples of Google Street View collecting WiFi information during Street View surveys and this recent example of Apple’s location storage cache.

So, it seems that not only are lawmakers and legislation slow to catch up to the uses and capabilities of modern technology, so too are the providers themselves. Going forward, Soltani suggested, we will need to begin to formulate solid definitions to questions as fundamental as “What does ‘opt-in’ mean?” and further define oft-used concepts like location. Is a user’s location defined within 4 feet or 100 miles? What is “anonymous” going to mean in a location-crazy world, and how are we going to define “third-party” and what those “third-parties” rightly have access to?

The legislative process is just beginning here, and may well be glacial in its progress. Though there is certainly some questionable thinking about privacy to be found at these two companies, it’s great to see evidence of their willingness to work with the government to find the best solution for enterprise — and more importantly, the consumer — going forward.

Kudos to the senators and the subcommittee for asking the right questions.

Top Photo: Reuters