A Lively Senate Hearing on Mobile Privacy
Following up on the concerns he raised about Apple's gathering of location data from iPhone users, Senator Al Franken (D-Minn.) on Tuesday chaired the Senate Judiciary Subcommittee meeting called "Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones, and Your Privacy." Bud Tribble, Apple vice-president of software technology, and Alan Davidson, Google's director of government relations and public policy, provided testimony, along with a number of industry and government witnesses.
Franken kicked off the hearing by assuring those in attendance that the aim of the proceedings was not to bring an end to location services. Instead, Franken suggested that the purpose of the discussions was to ensure that customers are protected as the U.S. moves forward with mobile technology.
The first panel—which included Jessica Rich, deputy director of the Federal Trade Commission's Bureau of Consumer Protection, and Jason Weinstein, deputy assistant attorney general of the Criminal Division of the U.S. Justice Dept.—addressed existing legal and legislative consumer protections and what gaps need to be filled to ensure better consumer protection.
Weinstein noted that once companies have access to consumer info (once permission is granted to Apple to use your location info, for instance), there are currently no legal restrictions in place to prevent that data from being shared with other third-party businesses. (There are, however, restrictions preventing unjustified sharing with government agencies.) He also noted that federal law does not currently require a company to disclose a data breach, such as that recently experienced by Sony, and said that we need regulations that govern both situations.
Gathering and Disclosing Information
Rich emphasized that consumer privacy concerns should be tackled early on in product design. She stressed that companies should gather only the minimal amount of information needed and should keep it only when absolutely necessary. She expressed a need for clearer privacy agreements that users could more easily understand. Rich also suggested that visual cues such as icons could be used to make clear what's being shared—and when.
Tribble echoed that statement during the second panel. He suggested that, rather than requiring individual apps to provide privacy policies that users must read and agree to before they install an app, Apple preferred that apps display icons to indicate what information is being shared, and when. As an example, he cited the arrow that appears in an iPhone's menu bar when location services are being actively used.
The problem with this system is that it has to make compromises so that it doesn't confuse the user or clutter the interface. Franken asked Tribble why Apple didn't make users aware of all info being shared with apps, such as calendar and address book data, instead of just location data. Tribble said Apple felt that location data was particularly sensitive and that creating notices and visual cues for each type of data would quickly overwhelm the device UI.
Franken suggested that Apple implement a system by which users are presented with a screen that shows the user all the info an app will be sharing, which is what Google Android does. When asked, Davidson admitted that it did indeed work for Google. Tribble didn't respond.
Despite lots of back-and-forth among the tech-giant representatives and senators, the star of the show was arguably Ashkan Soltani, an independent researcher who has worked with the Wall Street Journal on mobile-privacy investigations. Soltani cut through the political posturing and corporate deflections to articulate clearly what's needed for mobile privacy regulation: more transparency and better definition of the concepts involved.
Soltani pointed out that not only are consumers repeatedly surprised by the information that apps and platforms are accessing, but platform providers themselves are also occasionally caught off-guard by info that they're gathering. (He cited Google's problems with collecting Wi-Fi info during Street View surveys, and Apple's location storage cache.) Platforms need to take adequate steps to make absolutely clear to themselves and to users what information is being gathered at any given time—and for what purpose. The concern, according to Soltani, is that there is no mechanism for Apple devices to disclose to users that it can share customer info with anyone once it has permission to gather it.
According to Soltani, we should focus on making clear what mobile privacy involves, even on the level of the wording used to describe it. How exactly do you define "opt-in?" Is it enough to provide users with a prechecked checkbox? Isn't that better described as "opt-out," as Franken suggested at the hearing? Also, how to define "location" and "anonymized?" Soltani noted that even though Apple says it only gathers anonymized data, it's technically not anonymous because police agencies have been able to use that info to identify suspects by associating it with their devices.
This is likely the opening salvo of a long, drawn-out process that will ultimately affect how users, platform providers, and app developers treat mobile data, including (but not limited to) location data. Political will is there. Judging from the responses made by Apple and Google representatives today, private enterprise is eager to be at the table, too, since allaying customer concerns is in its best interest. Here's hoping something productive comes of the apparent shared interest in the subject.
Also from GigaOM:
Privacy Legislation's Potential Impact on Online Media (subscription required)