This morning, Senate Judiciary Subcommittee SD-226 convened to hold a hearing entitled, “Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones, and Your Privacy.” Hearing Chairman Al Franken (D-Minn.) says this subcommittee is “about addressing a fundamental shift over the past 40 or 50 years about who has our information and what they’re doing with it.”
Senator Franken speaking at the Senate privacy hearing
Citing the recent Epsilon email database hack issue from a few weeks ago, Senator Franken’s introduction went through what he feels are and aren’t the issues. “I love that I can use Google Maps for free.” He cited how great he felt it was that emergency responders can use this technology to locate us when we’re in trouble. “Today in this hearing we’re looking at a specific kind of sensitive information that I don’t think we’re doing enough to protect,” Senator Franken stated.
“The answer to this problem is not ending location-based services,” according to Senator Franken. “Today is about trying to find a balance between all those wonderful benefits and the public’s right to privacy.”
The second panel today includes testimony from Google and Apple, specifically Apple’s own Bud Tribble, who has been with the company — and with Steve Jobs at NeXT — for decades. We’ll be here watching the hearing (and possibly some paint dry, to keep things interesting) throughout the day and will provide you with relevant updates as they happen.
[Update 10:34 AM] Deputy Assistant Attorney General Jason Weinstein makes a good point: “The Electronic Communications Privacy Act (ECPA) puts restrictions on how privacy data can be shared with the government, but in a general sense companies are free to share that data with other non, governmental entities.”
[Update 10:51 AM] In a conversation between Weinstein and Senator Patrick Leahy (D-Vermont), Leahy (the lead Senate author of ECPA) indicated that the current privacy requirements of ECPA only apply to electronic communication service (“ECS”) and remote computing service (“RCS”) providers. Depending on how you look at it, Google or Apple or other mobile application providers might not fall into either of those definitions. That could mean the government could get data from Apple or Google simply by subpoena and without having to obtain a search warrant. Leahy says he’ll be introducing a bill to update ECPA shortly.
[Update 11:08 AM] Franken noted that Apple’s iPhone user agreement states that disabling Location Services on the iPhone will stop Apple from being able to track you. He also noted that, up until a week ago (and the release of iOS 4.3.3), this was not true. He asked Deputy Directory of the FTC’s Bureau of Consumer Protecion Jessica Rich if this constituted a deceptive trade practice. Rich replied, “If a statement is made by a company that is false, it’s a deceptive practice.” She added, “we agree there is no perfect security and we do apply a reasonableness standard.”
[Update 11:15 AM] Panel 2 has begun. Senator Franken has introduced Bud Tribble from Apple, Ashkan Soltani, listed as “Independent Researcher and Consultant,” Jonathan Zuck, President of Association for Competitive Technology, Alan Davidson, Director of Public Policy for Google, and Justin Brookman from the Center for Democracy and Technology.
[Update 11:25 AM] Ashkan Soltani spoke to his research that found Android devices and Apple’s iPhones were sending location data back to Google and Apple (respectively). He also explained that this data could also be passed directly to downstream advertising partners in some cases. Justin Brookman took his introductory opportunity to explain that there are no strong laws or other regulatory controls that cover mobile privacy. Bud Tribble began his introductory comments making the cast that Apple is committed to privacy. He also said that Apple has strong privacy controls in place over its developers. “Apple does not track customer location data and has never done so.” This is all similar to what Apple has already publicly said on this issue.
[Update 11:30 AM] Bud Tribble made the case that Apple has never tied a unique identifier to any location data the company collected, and that Apple has had privacy controls in place that allowed parents to opt-out of location services for their kids’ iPhones. He said that the location data caching “bug” that was uncovered late in April has been fixed (which was also known). Alan Davidson from Google said that his company has made location data collection opt-in only. He called it “privacy by design,” and said that Google products were always designed from the ground up with this in mind.
[Update 11:32 AM] In the TMO Towers here we couldn’t help but notice that Bud Tribble’s opening remarks came across as very defensive. Dr. Tribble was fairly well-spoken, but it had that, “hey, we’re NOT the bad guys here” feel to it. Certainly the remarks were written and vetted by many people at Apple, but Tribble’s delivery of them was that of a programmer defending his work, wondering why everyone was picking on him.
[Update 11:38 AM] Mr. Davidson described a very nice chain of events required for Android users to opt-in to location data collection. “We strongly support your involvement here,” and Google hopes that privacy will be strengthened by efforts such as Senator Franken’s hearing. Jonathan Zuck discussed the app market, and talked about all the nifty things one can do with mobile apps. “to focus on a particular new form of data collection is cutting off our nose to spite our face.” In other words, new technologies come and go, and there’s not much point trying to reign in any particular new one at any time. He instead asked the Senate subcommittee to focus on the data itself, and not the collection methods. What should companies be able to do with that data?
[Update 11:45 AM] Senator Franken offered a couple of quotes from CEO Steve Jobs and Apple itself and called them contradictory. Mr. Jobs said that cell towers don’t tell you anything specific about where you are, but Apple claimed its data collection as key to providing accurate location information. Which is it, he wanted to know. Dr. Tribble explained that it’s a combination of cell tower and WiFi hotspots that is used to determine location, and that Apple never applied that unique identifier to the data collected in the first place. Mr. Brookman was asked if it was true that companies could share location data with anyone they want. He said that this, in essence, true. Once the data is collected, there is no law saying that they cannot share it. “The default law with data in this country,” he said, “is you can do with it whatever you want. The only thing you can’t do is what you promise NOT to do.”
[Update 12:59 AM] Senator Richard Blumenthal (D-CT), another member of the subcommittee, asked Google’s Mr. Davidson why Google had filed for a patent on a patent on a method for collecting location data that included payload data that could possibly identify a user’s specific router, a concept directly at odds with what he had said Google was committed to not doing. Mr. Davidson was clearly taken off guard by this question in that he wasn’t familiar with the patent application, and that his company files for hundreds of patents that don’t necessarily get used in Google products and services. Bud Tribble, Mr. Davidson, and researcher Ashkan Soltani then all agreed that the concept covered in the patent app wasn’t all that valuable anyway.
[Update 12:02 PM] Dr. Tribble was asked how Apple knows that its developers weren’t misusing location data. He said that Apple curates its apps, and that’s how consumers knew iOS apps weren’t misbehaving, too. He added, “Once apps are in the app store we do random audits on applications. We don’t audit every single one just like the federal government doesn’t audit every tax return.” He also said that, “One of the things we look at is the network traffic to ensure it’s not violating our privacy terms or our specific location-handling terms.” Dr. Tribble also indicated Apple monitors blogs and developer communities for commentary on apps that may violate this.
[Update 12:09 PM] Mr. Davidson of Google said that his company doesn’t curate apps, but does react to reports of violations of its policies on privacy. Senator Sheldon Whitehouse of Rhode Island described all the ways that companies have to disclose side effects and repercussions from using a product. His point was that consumers should always know when their data is being used. He asked Mr. Davidson if Google users can change their mind on participating in location data collection once they’ve opted-in. Mr. Davidson said yes, they can.
[Update 12:20 PM] Senator Charles E. Schumer (D-NY) took the floor, discussing his recent request that Apple and others remove apps that allow drunk drivers to avoid police checkpoints. RIMM pulled the apps down and Schumer expressed disappointment that Apple and Google didn’t do the same. Google’s Alan Davidson responded by saying that this is something they’re actively discussing internally, but also cited Google’s open platform.
But Tribble replied, “as a physician who’s worked in an emergency room I’ve seen the tragedy that can come about from drunk driving, so we’re in agreement.” He indicated that Apple is investigating this, but, “what we’ve found is that some of these Apps are publishing data that is published by police departments themselves. Not all of them do that, and there’s variances on that. He cited seeing such things happen in downtown San Francisco.
Schumer replied that this was a “weak read. I don’t know of a police department that, in real time, would publish where ALL of the checkpoints would be.” Tribble argued that these checkpoints provide a deterrant effect.
In the end, Schumer told Google and Apple that he wants an answer within one month on their decision about these apps. Neither company replied in any way to this request.
[Update 12:30 PM] Franken to Tribble, “When you download an app on Android you get a notification about location, contact list, and calendar. iOS only tells the user about apps that will access location data. Will Apple change that policy?”
Tribble said their policy requires the application asks for that data, but from a technical standpoint doesn’t do that for anything other than location. According to Tribble, “Our priority has been to provide technical measures for privacy of location. In the case of other (also personal) information, we require the app to give notice, but we do not have a technical means to require that. We think that’s especially difficult because when you start to do that for every little piece of information the screen that the user is confronted with would be more complex than we would prefer.”
Franken followed up, asking how many apps Apple has removed from the App Store because those apps shared information from third parties without user’s consent.
From Tribble, “Our first defense is to not put them there in the first place. If we find an app, we investigate, we work with the developer to provide proper notice and if they don’t comply, they’re off the store within 24 hours.” To Tribble’s knowledge, all developers have complied and they have not had to remove any.
[Final Update 12:39 PM] Franken closed by thanking everyone and adjourned the hearing. Discussion and reactions follow in the comments to this article below. Thanks for following along!