Senate Judiciary Chair Plans Privacy Bill Amid Growing Concern Over Smartphones

Senate Judiciary Chairman Patrick Leahy (D-Vt.) May 10 said that he hopes to introduce legislation soon to update the Electronic Communications Privacy Act, a 1986 privacy law that limits data-sharing by communications service providers.

The announcement came in remarks prepared for a subcommittee hearing examining reports that popular smartphones--Apple Inc.'s iPhone and Google Inc.'s Android--have been tracking and sharing the location of users.

“The collection, use and storage of location and other sensitive personal information has serious implications regarding the privacy rights and personal safety of American consumers,” Leahy said. “As this committee considers important updates to the ECPA and other federal privacy laws, it is essential that we have full and accurate information about the privacy impact of these new technologies on American consumers and businesses.”

The hearing was the first held by the new Senate Judiciary Subcommittee on Privacy, Technology, and the Law, chaired by Sen. Al Franken (D-Minn.).

At the hearing, Franken said that his goal for the subcommittee is to help members understand the benefits and privacy implications of new technology; to educate the public; and, if necessary, to take legislative action in order to ensure that privacy protections for consumers are keeping pace with technology.

“[W]e have some protections here and there, but we're not even close to protecting all of the information that we need to,” he said. “I believe that consumers have a fundamental right to know what data is being collected about them. I also believe that they have a right to decide whether they want to share that information, and with whom they want to share it and when. And I think we have those rights for all of our personal information.”

Holes Seen in Current Law.

Franken noted that both Apple and Google have come under fire in recent weeks because of reports that iPhones and Androids have secretly been keeping track of users' location data. Under current law, the companies are free to disclose location data and other sensitive information to “almost anyone they please,” without the consumer's consent, he said.

Deputy Assistant Attorney General Jason Weinstein told the panel that ECPA places a “great deal” of restriction on a communications service provider's ability to furnish location information to the government, but the law imposes virtually no limitations on data-sharing with other parties.

Jessica Rich, deputy director of the Federal Trade Commission's Bureau of Consumer Protection, said the rapid growth of mobile devices presents opportunities for consumers, but also raises “real privacy concerns.”

Currently, the FTC relies on its authority under the FTC Act, which prohibits unfair or deceptive trade practices, to address mobile privacy issues, Rich said.

“This law applies regardless of whether a company is marketing offline, through your desktop or telephone, or using a mobile device,” she explained.

While the commission's public law enforcement efforts in the mobile arena are still in the early stages, the agency is moving forward quickly and has already brought cases against major industry players, including Twitter, Rich noted. A number of mobile investigations are still in the pipeline, and many of them are expected to be completed in coming months, she added.

Privacy Recommendations Under Way.

Meanwhile, the FTC is also examining mobile issues as part of a larger effort to develop recommendations for strengthening U.S. consumer privacy protections. A preliminary staff report, published in December, called for firms across the business community to build privacy protections into their everyday practices--a so-called privacy-by-design approach.

The report also proposed that firms provide consumers with simpler privacy choices. In addition, it recommended that companies obtain affirmative express consent before collecting or sharing sensitive consumer information, such as “precise geolocation data.”

“Misuse of that kind of data can have real consequences for consumers,” Rich said. “If it falls into the wrong hands, [location data] can be used for stalking ... You can also know what church somebody has gone to, what political meeting they've gone to ... So, that is sensitive data that requires special protection.”

Apple, Google Defend Privacy Policies.

Representatives of Apple and Google assured the subcommittee that the companies are committed to protecting the privacy of consumers.

Guy Tribble, vice president for software technology at Apple, said in his written testimony, for example, that the firm does not share personally identifiable information with third parties for marketing purposes without consent, and third-party application developers are required to agree to specific restrictions. He added that Apple does not track users' locations and has no plans to ever do so, echoing a recent public statement from the company.

Similarly, Alan Davidson, director of Public Policy at Google, said the company does not collect any location information through Android devices unless the user specifically chooses to share such data. However, the company does not control the behavior of third-party applications, including how they handle location information and other user data obtained from the device, even though they are “strongly encouraged” to abide by best practices.

Ashkan Soltani, a privacy researcher and consultant, told the subcommittee that mobile applications currently do not provide consumers with sufficiently detailed notices about how their location and other sensitive information will be collected and used.

“While user consent is typically required before applications are allowed access location information, the purpose may not always be apparent to the user, and the user may have no indication that this information will subsequently be disclosed to third parties,” he said in prepared remarks.

Soltani added that data sharing is not limited to location information. “Applications can access and transmit data which includes text messages, emails, phone numbers, contacts stored, and even browser history stored on the device, as well as any information users knowingly enter in the process of using the app,” he said.

By Alexei Alexis


Witness testimony is available at http://judiciary.senate.gov/hearings/hearing.cfm?id=5157.