Following up on the concerns he raised about Apple gathering location data for iPhone users, Senator Al Franken (D-Minn.) chaired the Senate Judiciary Subcommittee meeting today called “Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy.” Apple VP of Software Technology Bud Tribble and Google Director of Government Relations and Public Policy Alan Davidson provided testimony, along with a number of other industry and government witnesses.
Sen. Franken kicked off the hearing by assuring those in attendance that the aim of the proceedings was not to bring an end to location services. Instead, Franken suggested that the purpose of the discussions was to ensure customers are protected as we move forward with mobile technology.
Limited Responsibility Surrounding Data Sharing
The first panel — which included Jessica Rich, deputy director of the FTC’s Bureau of Consumer Protection, and Jason Weinstein, deputy assistant attorney general of the Criminal Division of the U.S. Department of Justice — addressed existing legal and legislative consumer protections and what gaps need to be filled to ensure better consumer protection.
Weinstein noted that once companies have access to consumer info (once permission is granted to Apple to use your location info, for instance), there are currently no legal restrictions in place to prevent that data from being shared with other third-party businesses (there are, however, restrictions preventing unjustified sharing with government agencies). He also noted that federal law does not currently require a company to disclose a data breach, such as the one recently experienced by Sony, and that we need regulations governing both of these situations.
When to Gather Info, and How to Make Users Aware
Rich emphasized tackling consumer privacy concerns early on in product design. She stressed that companies should gather only the minimum necessary amount of information and keep it only when absolutely necessary. She also expressed a need for clearer privacy agreements that users could more easily understand. Rich also suggested that visual cues such as icons could be used to make clear what’s being shared when.
Tribble echoed that statement during the second panel. He suggested that, rather than requiring individual apps to provide privacy policies that users must read and agree to before they install the app, Apple preferred that apps use icons to indicate what information is being shared when. As an example, he cited the arrow that appears in an iPhone’s menu bar when location services are being actively used.
The problem with this system is that it has to make compromises so that it doesn’t confuse the user or clutter the interface. Sen. Franken asked Tribble why Apple didn’t make users aware of all info being shared with apps (like calendar and address book data), instead of just location data. Tribble said that Apple felt location data was particularly sensitive, and that creating notices and visual cues for each type of data would quickly overwhelm the device UI.
Franken suggested that Apple implement a system whereby users are presented with a screen that shows all the info an app will be sharing, which is what Google Android does. When asked, Davidson admitted that it did indeed work for Google. Tribble didn’t respond.
A Starting Point for Transparency
Despite lots of back-and-forth between the tech giant representatives and senators, the star of the show was arguably Ashkan Soltani, an independent researcher who has worked with The Wall Street Journal on mobile privacy investigations. Soltani cut through the political posturing and corporate deflections to clearly articulate what’s needed for mobile privacy regulation: more transparency and better definition of the concepts involved.
Soltani pointed out that not only are consumers repeatedly surprised by the information apps and platforms have access to, but platform providers themselves are also occasionally caught off guard by info they’re gathering (he cited Google’s problems with collecting Wi-Fi info during Street View surveys, and Apple’s location storage cache). Platforms need to take adequate steps to make absolutely clear (to themselves and to users) what information is being gathered at any given time, and for what purpose. The concern, according to Soltani, is that there is no mechanism for Apple devices to disclose to users that it can share customer info with anyone once it has permission to gather it.
According to Soltani, we should focus on making clear what mobile privacy involves on the level of even the wording used to describe it. How exactly do you define “opt-in?” Is it enough to provide users with a pre-checked checkbox? Isn’t that better described as “opt-out,” as Sen. Franken suggested at the hearing? Also, how do you define “location” and “anonymized?” Soltani noted that Apple says it only gathers anonymized data, but since police departments have been able to use that info to identify suspects by associating it with their devices, isn’t it technically not anonymous?
This is likely only the opening salvo of a long and drawn-out process that will ultimately affect how users, platform providers and app developers treat mobile data, including (but not limited to) location data. Political will is there, and judging by the responses made by Apple and Google representatives today, private enterprise is eager to be at the table, too, since allaying customer concerns is in their best interest. Here’s hoping something productive comes of the apparent shared interest in the subject.