Don’t get Al Franken wrong.
The Senate Democrat from Minnesota loves Google Maps and all the cool apps that help customers find restaurants, clueless drivers get around, and first responders arrive at the scenes of emergencies.
“You guys are brilliant,” Franken told executives from Google and Apple Tuesday morning, at the debut hearing by the new Senate Judiciary Subcommittee on Privacy, Technology and the Law.
But Franken and fellow lawmakers from both parties raised alarm over the frequency with which the makers and retailers of these apps are now harvesting, sharing, and selling data about the physical location of a given Blackberry, iPhone, Droid or iPad user – often without the user's knowledge or consent – along with sensitive medical and financial data, and information detailing the habits and physical routines of teenagers.
“Once the maker of a mobile app -- a company like Apple or Google, or even your wireless company -- gets your location information, in many cases under current federal law these companies are free to disclose your location information, and other sensitive information, to almost anyone they please, without letting you know,” Franken said. “And then the companies they share your information with can share and sell it to yet others -- again without letting you know.”
The number of smartphones in use in America has tripled over the last five years. While the technology is new, though, the phenomenon on display in Room 226 of the Dirksen Senate Office Building was not. As with guns, railroads, and broadcasting – to cite but a few examples – America can be slow to develop the proper legal and moral architecture around a surging, and widely beloved, new technology.
Judiciary Committee Chairman Sen. Patrick Leahy, D-Vt., who was a chief author of the Electronic Communications Privacy Act of 1986, announced at Tuesday's hearing that he plans to introduce an updated version of the law to account for new concerns about privacy in the age of smartphones, handheld devices, and tablet computers.
Already, however, at least one federal regulatory agency has moved against companies accused of improperly managing data collected through their online platforms. The Federal Trade Commission (FTC) has brought cases against “two of the largest players in the mobile ecosystem,” testified Jessica Rich, deputy director of the Federal Trade Commission’s Bureau of Consumer Protection.
The FTC’s case against Google alleged that the company deceived consumers by taking information from Gmail users and utilizing it to start and popularize a new social network: Google Buzz. In a separate case against one of the world’s most popular social networks – Twitter – the FTC charged that lax security measures made it possible for hackers to gain access to users’ private tweets and unlisted phone numbers.
In the Google case, the agency has proposed a settlement order that is not yet final.
In the Twitter case, the commission's order protects data that Twitter collects through mobile devices and requires independent audits of Twitter's practices for two decades. Violations by Twitter could expose the company to civil penalties of $16,000 per violation per day.
“These concerns stem from the always-on, always-with-you nature of mobile devices; the invisible collecting and sharing of data with multiple parties; the ability to track consumers, including children and teens, to their precise location; and the difficulty of providing meaningful disclosures and choices about data collection on the small screen,” Rich told the subcommittee.
Responding to a question posed by Sen. Franken, a top Justice Department official said federal law does not require companies to store data and conversely does not obligate them to protect it.
“I’m not aware, Mr. Chairman, of any legal requirement that a company that is in possession of your personal data – whether we're talking about location data, or financial data, or other data about…what you do online – secure that data in any particular way,” testified Jason Weinstein, a deputy assistant attorney general in the DOJ’s Criminal Division. “My understanding is that that’s essentially a decision made by the company, based on its own business practices and its assessment of risk.”
Still, Alan Davidson, a director of public policy for Google Inc., and Guy "Bud" Tribble, vice president of software technology for Apple Inc., defended their companies’ respective records on privacy and security. One lawmaker asked what steps Apple takes against vendors that improperly retail an iPhone or iPad user’s personal data.
“Our first defense is to not put them there in the first place,” Tribble replied. “We work with the [app] developer to get them to give proper notice and we tell them that at some point, if we find them violating, you're going to be off in twenty-four hours.” Tribble added that every vendor found to be in violation of Apple’s data policies has opted to reform rather than be yanked off the iPad platform.
The growth in derivative industries tied to mobile devices – app developers, advertisers, marketing firms, content and data aggregators – may require lawmakers to draw lines of personal responsibility for the users themselves. For every predatory data merchant, there is also a lazy or overly busy consumer who scrolls past all the legal mumbo-jumbo in the terms and conditions of a given platform or app, and clicks “I accept” or “I agree” – and thereby, in some cases, provides consent to personal data being stored, shared, or even sold.
Technology experts also cautioned Congress, as it considers new legislation in this field, to make a determined effort to distinguish between good corporate actors and bad ones.
“If I'm collecting data and anonymizing it and using best practices to give you relevant advertising so I can either give you hyper-personal or a hyper-local experience...or if I'm scraping your Facebook page when you happen to write a little post that says, ‘I just went to the doctor; I may have to have a heart valve replacement,’ and I sell that to an insurance company who might deny you coverage, all of that looks the same, because it's all computers, and it's all ones and zeroes,” said Shelly Palmer, host of “Living Digital.”
“We as a society are not mature enough with this technology to understand what it means to walk around with a computer in our hand,” Palmer said. “We’re literally walking around with Mr. Spock’s Tricorder. Everybody’s got an 8-megapixel or 5-megapixel camera that they can use to put a picture up instantly that’s visible worldwide – and we’ll know exactly where you were when that picture was taken, and what time it was posted. Wow! We’ve never had that capability, so we’ve never had to have this discussion.”
“Now it’s time for the discussion. Let’s just make sure we don’t do a knee-jerk reaction and shut down this really wonderful set of technologies before it gets a chance to show how good it can be for all of us.”