Key Updates Live From Senate Mobile Privacy Hearing [Final Update 12:39 PM]

This morning, Senate Judiciary Subcommittee SD-226 convened to hold a hearing entitled, “Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones, and Your Privacy.” Hearing Chairman Al Franken (D-Minn.) says this subcommittee is “about addressing a fundamental shift over the past 40 or 50 years about who has our information and what they’re doing with it.”

Senator FrankenSenator Franken speaking at the Senate privacy hearing

Citing the recent Epsilon email database hack issue from a few weeks ago, Senator Franken’s introduction went through what he feels are and aren’t the issues. “I love that I can use Google Maps for free.” He cited how great he felt it was that emergency responders can use this technology to locate us when we’re in trouble. “Today in this hearing we’re looking at a specific kind of sensitive information that I don’t think we’re doing enough to protect,” Senator Franken stated.

“The answer to this problem is not ending location-based services,” according to Senator Franken. “Today is about trying to find a balance between all those wonderful benefits and the public’s right to privacy.”

The second panel today includes testimony from Google and Apple, specifically Apple’s own Bud Tribble, who has been with the company — and with Steve Jobs at NeXT — for decades. We’ll be here watching the hearing (and possibly some paint dry, to keep things interesting) throughout the day and will provide you with relevant updates as they happen.

[Update 10:34 AM] Deputy Assistant Attorney General Jason Weinstein makes a good point: “The Electronic Communications Privacy Act (ECPA) puts restrictions on how privacy data can be shared with the government, but in a general sense companies are free to share that data with other non, governmental entities.”

[Update 10:51 AM] In a conversation between Weinstein and Senator Patrick Leahy (D-Vermont), Leahy (the lead Senate author of ECPA) indicated that the current privacy requirements of ECPA only apply to electronic communication service (“ECS”) and remote computing service (“RCS”) providers. Depending on how you look at it, Google or Apple or other mobile application providers might not fall into either of those definitions. That could mean the government could get data from Apple or Google simply by subpoena and without having to obtain a search warrant. Leahy says he’ll be introducing a bill to update ECPA shortly. 

[Update 11:08 AM] Franken noted that Apple’s iPhone user agreement states that disabling Location Services on the iPhone will stop Apple from being able to track you. He also noted that, up until a week ago (and the release of iOS 4.3.3), this was not true. He asked Deputy Directory of the FTC’s Bureau of Consumer Protecion Jessica Rich if this constituted a deceptive trade practice. Rich replied, “If a statement is made by a company that is false, it’s a deceptive practice.” She added, “we agree there is no perfect security and we do apply a reasonableness standard.”


[Update 11:15 AM] Panel 2 has begun. Senator Franken has introduced Bud Tribble from Apple, Ashkan Soltani, listed as “Independent Researcher and Consultant,” Jonathan Zuck, President of Association for Competitive Technology, Alan Davidson, Director of Public Policy for Google, and Justin Brookman from the Center for Democracy and Technology.

[Update 11:25 AM] Ashkan Soltani spoke to his research that found Android devices and Apple’s iPhones were sending location data back to Google and Apple (respectively). He also explained that this data could also be passed directly to downstream advertising partners in some cases. Justin Brookman took his introductory opportunity to explain that there are no strong laws or other regulatory controls that cover mobile privacy. Bud Tribble began his introductory comments making the cast that Apple is committed to privacy. He also said that Apple has strong privacy controls in place over its developers. “Apple does not track customer location data and has never done so.” This is all similar to what Apple has already publicly said on this issue.

[Update 11:30 AM] Bud Tribble made the case that Apple has never tied a unique identifier to any location data the company collected, and that Apple has had privacy controls in place that allowed parents to opt-out of location services for their kids’ iPhones. He said that the location data caching “bug” that was uncovered late in April has been fixed (which was also known). Alan Davidson from Google said that his company has made location data collection opt-in only. He called it “privacy by design,” and said that Google products were always designed from the ground up with this in mind.

[Update 11:32 AM] In the TMO Towers here we couldn’t help but notice that Bud Tribble’s opening remarks came across as very defensive. Dr. Tribble was fairly well-spoken, but it had that, “hey, we’re NOT the bad guys here” feel to it. Certainly the remarks were written and vetted by many people at Apple, but Tribble’s delivery of them was that of a programmer defending his work, wondering why everyone was picking on him.

[Update 11:38 AM] Mr. Davidson described a very nice chain of events required for Android users to opt-in to location data collection. “We strongly support your involvement here,” and Google hopes that privacy will be strengthened by efforts such as Senator Franken’s hearing. Jonathan Zuck discussed the app market, and talked about all the nifty things one can do with mobile apps. “to focus on a particular new form of data collection is cutting off our nose to spite our face.” In other words, new technologies come and go, and there’s not much point trying to reign in any particular new one at any time. He instead asked the Senate subcommittee to focus on the data itself, and not the collection methods. What should companies be able to do with that data?

[Update 11:45 AM] Senator Franken offered a couple of quotes from CEO Steve Jobs and Apple itself and called them contradictory. Mr. Jobs said that cell towers don’t tell you anything specific about where you are, but Apple claimed its data collection as key to providing accurate location information. Which is it, he wanted to know. Dr. Tribble explained that it’s a combination of cell tower and WiFi hotspots that is used to determine location, and that Apple never applied that unique identifier to the data collected in the first place. Mr. Brookman was asked if it was true that companies could share location data with anyone they want. He said that this, in essence, true. Once the data is collected, there is no law saying that they cannot share it. “The default law with data in this country,” he said, “is you can do with it whatever you want. The only thing you can’t do is what you promise NOT to do.”

[Update 11:52 AM] Senator Franken asked Bud Tribble, “Would you be willing to require that all apps in your stores have a clear, understandable privacy policy?” Mr Tribble replied, “We require app developers to sign an agreement to notify the user if you’re going to do anything with their data.” He also explained that Apple has in place a notification tool whenever location services is in use, and that its privacy agreement explains this.

[Update 12:59 AM] Senator Richard Blumenthal (D-CT), another member of the subcommittee, asked Google’s Mr. Davidson why Google had filed for a patent on a patent on a method for collecting location data that included payload data that could possibly identify a user’s specific router, a concept directly at odds with what he had said Google was committed to not doing. Mr. Davidson was clearly taken off guard by this question in that he wasn’t familiar with the patent application, and that his company files for hundreds of patents that don’t necessarily get used in Google products and services. Bud Tribble, Mr. Davidson, and researcher Ashkan Soltani then all agreed that the concept covered in the patent app wasn’t all that valuable anyway.

[Update 12:02 PM] Dr. Tribble was asked how Apple knows that its developers weren’t misusing location data. He said that Apple curates its apps, and that’s how consumers knew iOS apps weren’t misbehaving, too. He added, “Once apps are in the app store we do random audits on applications. We don’t audit every single one just like the federal government doesn’t audit every tax return.” He also said that, “One of the things we look at is the network traffic to ensure it’s not violating our privacy terms or our specific location-handling terms.” Dr. Tribble also indicated Apple monitors blogs and developer communities for commentary on apps that may violate this.

[Update 12:09 PM] Mr. Davidson of Google said that his company doesn’t curate apps, but does react to reports of violations of its policies on privacy. Senator Sheldon Whitehouse of Rhode Island described all the ways that companies have to disclose side effects and repercussions from using a product. His point was that consumers should always know when their data is being used. He asked Mr. Davidson if Google users can change their mind on participating in location data collection once they’ve opted-in. Mr. Davidson said yes, they can.

[Update 12:20 PM] Senator Charles E. Schumer (D-NY) took the floor, discussing his recent request that Apple and others remove apps that allow drunk drivers to avoid police checkpoints. RIMM pulled the apps down and Schumer expressed disappointment that Apple and Google didn’t do the same. Google’s Alan Davidson responded by saying that this is something they’re actively discussing internally, but also cited Google’s open platform.

But Tribble replied, “as a physician who’s worked in an emergency room I’ve seen the tragedy that can come about from drunk driving, so we’re in agreement.” He indicated that Apple is investigating this, but, “what we’ve found is that some of these Apps are publishing data that is published by police departments themselves. Not all of them do that, and there’s variances on that. He cited seeing such things happen in downtown San Francisco.

Schumer replied that this was a “weak read. I don’t know of a police department that, in real time, would publish where ALL of the checkpoints would be.” Tribble argued that these checkpoints provide a deterrant effect.

In the end, Schumer told Google and Apple that he wants an answer within one month on their decision about these apps. Neither company replied in any way to this request.

[Update 12:30 PM] Franken to Tribble, “When you download an app on Android you get a notification about location, contact list, and calendar. iOS only tells the user about apps that will access location data. Will Apple change that policy?”

Tribble said their policy requires the application asks for that data, but from a technical standpoint doesn’t do that for anything other than location. According to Tribble, “Our priority has been to provide technical measures for privacy of location. In the case of other (also personal) information, we require the app to give notice, but we do not have a technical means to require that. We think that’s especially difficult because when you start to do that for every little piece of information the screen that the user is confronted with would be more complex than we would prefer.”

Franken followed up, asking how many apps Apple has removed from the App Store because those apps shared information from third parties without user’s consent.

From Tribble, “Our first defense is to not put them there in the first place. If we find an app, we investigate, we work with the developer to provide proper notice and if they don’t comply, they’re off the store within 24 hours.” To Tribble’s knowledge, all developers have complied and they have not had to remove any.

[Final Update 12:39 PM] Franken closed by thanking everyone and adjourned the hearing. Discussion and reactions follow in the comments to this article below. Thanks for following along!

 

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

Comments

Lee Dronick

Mr. Davidson just blurted “App Store” then corrected himself.

prl53

This whole thing is such a joke, just like signing up for anything at a store or getting a credit card. Once you’re done that, they sell your name and you can never get rid of them. The whole do-not-call list is so full of exceptions it’s useless. Jumping down Apple and Google’s throats over location data isn’t any worse than all the garbage they allow current advertisers and companies to do. Why pick on these guys?

If any of these politicians knew anything, they would be able to look at the data Apple is collecting and see that it is not “specific” enough to determine exactly where you were standing but good enough to get within the ballpark. Of course, Google maps plots you on the road you’re driving on. I don’t believe Apple saves that information in the location.db but I wonder how much of it is sent back to Google for their use.

Bosco (Brad Hutchings)

Schumer seems to be completely ignorant of court decisions and varying state laws that often require public notification of DUI checkpoints. What a giant asshat.

gnasher729

Schumer seems to be completely ignorant of court decisions and varying state laws that often require public notification of DUI checkpoints. What a giant asshat.

Worse than that. In many US states DUI checkpoints are just plain illegal. And no matter how you look at it, this doesn’t have anything to do with privacy, so it shouldn’t have been even mentioned on a hearing about privacy.

Lee Dronick

Once upon a time in California law enforcement was required to publish locations of DUI checkpoints. That law was rescinded, but at least here in San Diego the cops usually announce when and where they are going to have the checkpoints. Note, that does not stop a number of DUI drivers from getting caught. Then there was this recent DUI incident where two guys challenged the checkpoint.

webjprgm

Then there was this recent DUI incident where two guys challenged the checkpoint.

I hope those drivers get busted.  I’m pretty sure there was a statement in the drivers license (or was it car registration?) form that said by signing you agree to provide identification to officers and comply with DUI checkpoints.  Unless that isn’t true anymore, I don’t see how those guys have any case.

webjprgm

?The default law with data in this country,? he said, ?is you can do with it whatever you want. The only thing you can?t do is what you promise NOT to do.?

I suppose you could make a law that flips it around.  In that case, companies would not be allowed to do anything with the data (share, collect, process, etc.) except what they specifically said in user agreements that they would do.

I like the idea of government requiring a search warrant to get the data too.

Mike Sax

Why is everyone talking about App developers not with them? Most of these companies are small businesses and imposing insurance requirements or complicated regulatory requirements on them will make it very hard for them to keep focused on building great software. It’s good they invited Jonathan Zuck of ACT  to speak on behalf of App developers but I would like to see more interest from the Senators on the app developer perspective. Most of these people have the very best intentions and build great software that users love.

Bosco (Brad Hutchings)

Schumer replied that this was a ?weak read. I don?t know of a police department that, in real time, would publish where ALL of the checkpoints would be.?

Schumer obviously didn’t watch this video:

http://www.youtube.com/watch?v=kuDz-Dm09pE&feature=player_embedded

There actually are police departments collaborating with the makers of one of these apps precisely because they understand that the information can be a deterrence to impaired people getting behind the wheel.

Oh, and I love how Canada, errrrrr RIM, went French Surrender Monkey on this. Basically the equivalent of the NHL playoffs not having any Canadian teams. America’s Hat indeed!

Log-in to comment