Mobile Privacy Issues Come to Capitol Hill—Apple’s iOS4 to be Examined in Senate Hearing
Nancy K. Herther
Posted On May 9, 2011
Apple’s April 2010 press releases for iOS4 focused on the operating system’s multitasking, threaded email, and “over 100 new features that make it easier to interact with apps, manage email, read books, and more.” Apple’s iAd, “a breakthrough mobile advertising platform,” was also included in the announcements without any detailed descriptions for consumers. A year later, on April 20, 2011, technologists Alasdair Allan and Pete Warden set off a firestorm with their O’Reilly Radar blog post “Got an iPhone or 3G iPad? Apple is recording your moves.” The authors noted that Apple’s iOS4 operating system for the iPhone and 3G iPad included software that is “regularly recording the position of your device into a hidden file. We’re not sure why Apple is gathering this data, but it’s clearly intentional, as the database is being restored across backups, and even device migrations.”
Allan and Warden go on to say, from their research, that “what makes this issue worse is that the file is unencrypted and unprotected, and it’s on any machine you’ve synched with your iOS device. It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file,” called consolidated.db, “knows where you’ve been over the last year, since iOS 4 was released.”
Interestingly, it took Apple a week before officially acknowledging the issue—calling it a “design bug”—and providing information on an eventual software fix that will allow users to disengage the feature. The company released a Q&A in which it tried to assure users and others that “Apple is not tracking the location of your iPhone. Apple has never done so and has no plans to ever do so.”
The Q&A referred to the data as “a subset (cache) of the crowd-sourced Wi-Fi hotspot and cell tower database which is downloaded from Apple into the iPhone to assist the iPhone in rapidly and accurately calculating location.” Jobs himself was interviewed for a follow-up article in The New York Times admitting mistakes by the company, but reassuring customers that “Apple would fix the mistakes in a free software update that it would release in the next few weeks.”
“I buy that explanation,” notes long-time Silicon Valley pundit Larry Magid, writing in the San Jose Mercury News, “but the result is that there is still an unencrypted file on the phone that discloses one’s approximate location. Calling it a ‘crowd-sourced database’ doesn’t change the fact that people can use this file to figure out approximately where you’ve been. It seems that Apple could have explained all this without resorting to what amounts to doublespeak. Personally, I’m OK with people knowing where I’ve been, but I can think of plenty of scenarios where this type of information could be misused.”
Powerful Information in Anyone’s Hands
A recent EDUCAUSE publication on potential mobile security risks notes that “knowing where individuals are—or where they are not—can be powerful information in the hands of stalkers, burglars, advertisers, and others.” The Orwellian aspects of this type of potential surveillance lit up the internet and headlined papers across the world. The very idea that any major technology company—let alone the industry’s innovative leader—would allow this type of encroachment or design error set off a firestorm that has reached the halls of Congress.
On Tues., May 10, 2011, the Senate Judiciary Subcommittee on Privacy, Technology, and the Law will meet on the theme of “Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy,” having asked officials from various companies involved to testify. Al Franken (D-Minn.), subcommittee chair, wrote Apple asking for their participation. Guy L. “Bud” Tribble, Apple’s vice president of software technology, a long-time Apple manager, will appear on behalf of the company. Tribble, well-respected in the industry, managed software development for the Mac OS and user interface and went on to co-found NeXT.
Earlier this year, the market research firm Canalys announced that Google’s Android had surpassed Apple as the world’s leading smart phone platform. Android and Google’s other projects—such as Google Books—that have brought this industry giant into the cross-hairs of the same committee, earned them an invitation to the hearing as well.
Not the First Time or, Perhaps, the Last
In March 2011, before this latest privacy issue, Franken had sent a letter, co-signed by three other senators, to Facebook CEO Mark Zuckerberg asking the company to reconsider its plan to allow application developers to request and obtain Facebook users’ mobile phone numbers and home addresses.
Security and tracking were also addressed in 2010 by Congressman Edward Markey (D – Mass.), co-Chairman of the House Bi-Partisan Privacy Caucus, and Joe Barton (R – Texas) in a letter to Jobs dated July 2010. Apple’s 13-page response by Apple’s general counsel Bruce Sewell at that time clearly did nothing to assuage Congressional concerns or to raise red flags at Apple to re-examine, on their own, privacy issues concerning this iOS4 feature and its purpose/execution. In Apple’s 2010 response, Sewell closes his letter with the assurance that “Apple is committed to giving our customers clear notice and control over their information, and we believe our products do this in a simple and elegant way.” Some would beg to differ.
Determining Intent and Protecting the Consumer
In his letter to Steve Jobs, Franken makes note of the issues sure to be covered at Tuesday’s meeting: What is the intended purpose for collecting this information? Why it wasn’t, by design, automatically encrypted? Who are the intended users of the data and how would they be able to access it? Why there was no transparency with users, notifying them of this feature in the design of their product?
On the other side of the Capitol, Markey, co-chairman of the House Bipartisan Privacy Caucus, asks again whether the iOS4 product, in reality, is “an iPhone or an iTrack?”. “Collecting, storing and disclosing a consumer’s location for commercial purposes without their express permission is unacceptable and would violate current law,” he notes in his letter. “That’s why I am requesting responses to these questions to better understand Apple’s data collection and storage policies to make certain sensitive information can’t be left behind for others to follow.”
Today we have a mixture of industry standards and federal law that guide internet privacy: The 1991 Telephone Consumer Protection Act (P.L. 102-243), 1999 Wireless Communications and Public Safety Act (P.L. 106-81) and the 2003 Controlling the Assault of Non-Solicited Pornography and Marketing Act (P.L. 108-187). Consumers are also able to list their cell phones numbers on the National Do Not Call Registry. (For more detailed information see the Congressional Research Services Wireless Privacy and Spam: Issues for Congress report.)
CTIA-The Wireless Association, the major trade association in this area was contacted for comments, but declined to be interviewed. CTIA is known to support such consumer protections in this area, such as criminalizing fraudulently obtained cell phone records, but hasn’t stated a position on this latest Congressional investigation.
Commercial Privacy Bill of Rights
Earlier this year, Senators John McCain (R-Ariz.) and John Kerry (D-Mass.) introduced a Commercial Privacy Bill of Rights. This 44-page bill is intended to “establish a baseline code of conduct for how personally identifiable information and information that can uniquely identify an individual or networked device are used, stored, and distributed.” However this legislation is widely described as insufficient to protect consumer rights in this area.
Electronic Frontier Foundation’s Rainey Reitman, notes that “the bill's most glaring defect is its emphasis on regulation of information use and sharing, rather than on the collection of data in the first place.” The bill fails to offer customers any opt-out or Do Not Track features and takes away the right of consumers to sue for damages if their rights are violated. The bill doesn’t address the key issue of third-parties, who might be able to use or link to users as a way to gather information and also pre-empts most state online privacy laws, which would prevent litigation in state courts. The bill would require that consumers proactively contact offending companies individually in order to opt-out of receiving their unwanted postings, etc.
Even Senator McCain admits this bill is a compromise, “Our bill seeks to respect the ability of businesses to advertise, market, and recruit new customers while also respecting consumers’ personal information.” The bill is widely expected to fail this year’s Congress, which would be good news to the myriad of organizations that believe that “no bill is better than a bad bill”—including the Electronic Frontier Foundation, Consumer Watchdog, Centre for Digital Democracy, Consumer Action, Privacy Rights Clearinghouse, Privacy Times, and the ACLU.
Robert Minch, business professor at Boise State University and wireless security expert notes that, “the U.S. has fewer location privacy laws than many other countries.” Minch believes that eventually we will see a mixture of remedies to these privacy issues: “It’s likely that there will be a mix of industry self-regulation and additional legislation in the future. One general approach that many consumers may find acceptable is the knowledge and consent model—a service provider collecting location information would assure that users are aware of what information is being collected, and consent to that collection. More complex issues will also arise concerning storage, future use, and sharing of that information with other parties.”
Freiwald sees the issue in a larger Constitutional framework: “As a consumer I am concerned about excessive data collection that yields an intimate picture of my activities. We should all be concerned about identity theft and there is a more remote but nonetheless real possibility of stalking and other crimes. I also worry that collected data can fall into the hands of government agents who may use it to conduct unlawful surveillance. I do not think that data mining, either by the government or private companies, is sufficiently regulated by law, and that should change. If the law does not catch up, then we risk becoming a surveillance society where power is abused. While a small number of people want to share their locations with others, most do not, and if detailed location information is too easily available, then we will feel inhibited in our movements and in the exercise of our freedoms.”
Consumer Protection in a Mobile World
PC Magazine’s William Fenton has provided step-by-step instructions to Apple users on “How to See the Secret Tracking Data in Your iPhone,” and his investigation found that “if you’re running iOS 4, your location-based data—latitude and longitude coordinates, coupled with timestamps—is stored on your phone.” However, he notes, “there’s no confirmation that that data is leaving your custody and no evidence that Apple’s harvesting it towards nefarious ends. More likely, it’s being used for two things: Apple’s reportedly tapping location information to build a database, which may actually be for your own good; and other apps, such as Maps, require geo-locational data to play.”
As Franken notes in his letter to Jobs, “the existence of this information—stored in an unencrypted format—raises serious privacy concerns.” Bloomberg reports that some state Attorneys General and legislatures are currently investigating these practices and that “lawsuits have been filed against the companies over the practice.”
All of this is happening just as Sony’s PlayStation Network is attacked by hackers who were able to access information on the estimated 77 million PlayStation gamers—including names, birth dates, and credit card information—from across the globe in what is clearly the largest such privacy breach in history.
In the past week, analysts noted the historic eclipsing of Apple over Microsoft in quarterly profits, further demonstrating the shift from traditional, PC-based systems to newer technologies and products that merge computing, communicating, and entertainment. This sea change has yet to be clarified by adequate regulatory or industry standards. Given the gravity of these issues, we all have reason to watch upcoming events closely.