Home

April 16-22: Privacy

April 16-22: Privacy

Although the biggest news of the week may be AT&T's filing at the Federal Communications Commission on the acquisition of T-Mobile, we have to admit that, like many other people in DC, we're still reading through it to see how, as AT&T claims, 1) the transaction will benefit consumers and the economy and 2) the transaction will preserve and promote competition. So, instead, some brief notes on the issue of privacy. In the digital age, are consumers empowered to reveal and conceal information about themselves selectively?

Of course, much like chocolate and peanut butter, it is hard to keep two great issues separate in Washington (DC), so it may not be a surprise that privacy is an issue in the AT&T|T-Mobile merger. The Center for Digital Democracy believes the government should consider protecting consumers from location-based mobile ads as part of its review of the deal. CDD argues that the merger would give the combined entity access to a wealth of information about users' locations and mobile browsing habits that the firm could then use to target advertisements without consumers' consent.

On April 15, the Administration released the National Strategy for Trusted Identities in Cyberspace seeking to improve security in cyberspace and e-commerce. The Strategy’s vision is: Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation. The Federal Government is initiating two short-term actions to implement the Strategy These are to:

  • Develop an Implementation Roadmap that identifies and assigns responsibility for actions that the Federal Government can perform itself or by which the Federal Government can facilitate private-sector efforts
  • Establish a National Program Office (NPO) for coordinating the activities of the Federal Government and its private-sector partners The NPO will be hosted at the Department of Commerce and accountable to the President, through the Secretary of Commerce

At the release of the Strategy, Leslie Harris, President and CEO of the Center for Democracy & Technology, wrote: "We’re pleased to see the National Strategy for Trusted Identities in Cyberspace has made individuals its first priority. The Administration must remain firmly dedicated to an identity ecosystem that is voluntary, protective of privacy, affords users a wide variety of choices for whether and how they will convey their identity online, and compliant with a full set of Fair Information Practice Principles. This effort must also be built on the foundation of comprehensive privacy legislation. We encourage the Administration to incorporate its existing support for baseline privacy legislation with the Strategy’s implementation. Finally, the Strategy recognizes that anonymity and pseudonymity -- crucial elements of our privacy and First Amendment rights -- are and must remain vital characteristics of the Internet alongside any new identity ecosystem.

Past the Administration's efforts, privacy is seen as a bipartisan issue in Washington and an area this Congress may take action. A number of bills are vying for consideration. But a lot of politics stands between the talk and actual movement on legislation. Having bipartisan bills in the House and Senate is a key step forward, said Justin Brookman, a privacy expert from the Center for Democracy and Technology. That at least gives this week’s bills a chance to move along, he said. Even that, though, might not be enough. “[B]ills have an overwhelming amount of momentum, but my enthusiasm is tempered by the calendar, given the looming election season,” said Amy Mushahwar, a lawyer and privacy expert at Reed Smith law firm.

But every week, it seems, a new privacy violation is revealed and this week was no different. Two security researchers have discovered a simple way to map out where iPhone and iPad users have been almost anywhere in the world -- without any hacking involved. The information comes from a location cache file found within the iPhone's backups on a Mac or PC. Then another researcher disclosed that the existence of the location database -- which tracks the cellphone towers your phone has connected to -- has been public in security circles for some time. While it's not widely known, that's not the same as not being known at all.

Two Members of Congress were quick to react to this news. Sen Al Franken (D-MN) and Rep Ed Markey (D-MA) have both issued sets of questions for Apple CEO Steve Jobs. Rep Markey asks if Apple complies with Section 222 of the Communications Act, which "requires express prior customer authorization for the use, disclosure of, or access to the customer's location information for commercial purposes." Apple responded to this issue last year, saying that Apple is not subject to Section 222 but that "the privacy protections described in detail in this letter are consistent with the intent of Section 222." Rep Markey also wants to know if iPhone users can really disable the cell tower and WiFi logging, and he follows Franken's lead in asking about widespread use of iPhone and iPads by minors. "Is Apple concerned that the wide array of precise location data logged by these devices can be used to track minors, exposing them to potential harm?" he asks.

Sen Franken's letter includes this list of questions:

  • Why does Apple collect and compile this location data? Why did Apple choose to initiate tracking this data in its iOS 4 operating system?
  • Does Apple collect and compile this location data for laptops?
  • How is this data generated? (GPS, cell tower triangulation, Wi-Fi triangulation, etc.)
  • How frequently is a user's location recorded? What triggers the creation of a record of someone's location?
  • How precise is this location data? Can it track the users location to 50 m, 100 m, etc.?
  • Why is this data not encrypted? What steps will Apple take to encrypt the data?
  • Why were Apple consumers never affirmatively informed of the collection and retention of their location data in this manner? Why did Apple not seek affirmative consent before doing so?
  • Does Apple believe that this conduct is permissible under the terms of its privacy policy?
  • To whom, if anyone, including Apple, has this data been disclosed? When and why were these disclosures made?

While Franken's letter requests a "prompt" response, Rep Markey wants answers "within fifteen business days."