During the maiden hearing of the Senate Judiciary Committee’s new Subcommittee on Privacy, Technology, and the Law chaired by Senator Franken, committee members pressed Google and Apple on how the companies use, collect, and share their customers’ location data, the notices they provide consumers, and the privacy standards they apply to third party applications. Online and mobile privacy issues have become Hill mainstays, but Franken scheduled his first hearing –Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy – in the wake of revelations that Apple’s iOS4 operating system for its iPhones and iPads collected and stored users’ location information even when they tried to turn off location services.
Among other things, the hearing helped underscore the extent to which the Hill has been long awaiting a specific proposal on reforms of the Electronic Communications Privacy Act (“ECPA”), which would be expected to address concerns such as those underlying these involving location data. In fact, Senator Leahy, Chairman of the Judiciary committee, indicated at the hearing that he would “soon” introduce an ECPA update to address some of these issues.
Ms. Rich, while recognizing the key challenge for mobile of small screens, insisted that consumers should be told about data sharing that may occur “before it happens.” In addition, she suggested that too often, companies share more data than is needed to support their business needs. Rich, and David Weinstein, Deputy General Counsel of the DOJ’s criminal division, agreed that privacy agreements need to be more clear and that consumers are woefully unaware of the “layers of sharing going on behind the scene.”
For their part, Guy L. “Bud” Tribble, Apple’s Vice President of Software Technology, repeated CEO Steve Jobs’ recent explanation that location data is only used to provide info for crowd sourced databases and that the purpose of cached information is only to identify a phone’s location. Tribble acknowledged the data stored on devices was not encrypted but said it was not accessible to other apps, though Apple plans to add encryption in the next software update. However, other witnesses called Apple’s claims into question. For example, Ashkan Soltani, an independent researcher and consultant, said that although Apple’s location tracking might not pinpoint an individual user’s location in rural areas with few towers, it was accurate enough to track him to within 20 feet when he tested it in the Senate building’s lobby.
Similarly, Alan Davidson, Director of Public Policy for Google, asserted anyone can opt out of sharing location information by simply turning off their device’s location services, that any data sent to Google is anonymized, and that third party applications must notify users of location data collection before an app is installed. But Senator Blumenthal criticized Google’s recent backpedaling when it initially claimed it was not collecting user’s information but then changed its stance, saying it only collected the location information unintentionally.
Ultimately, if there was one thing on which there seemed to be some unanimity, it was a view that current laws do not adequately address these mobile privacy concerns. Some urged that a comprehensive law is needed to give consumers choice and to require companies to delete data when appropriate. In that connection, Senator Leahy voiced concern that ECPA’s definitions and provisions may not clearly apply to protect mobile users. “I think it’s a very important act, and I’m concerned that it does not apply to the mobile applications currently available.” Leahy added that he would “soon” introduce an update to ECPA that will rectify that problem.