Senate Subcommittee Holds Hearing on Mobile Privacy
On May 10, 2011 the Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing entitled Protecting Mobile Privacy: Your Smartphone, Tablets, Cell Phones and Your Privacy. The hearing focused on the privacy concerns raised by mobile devices, location-based mobile services, and check-in applications.
Senator Leahy opened the hearing, reflecting on the benefits of mobile devices, apps, and social networks, as well as the risks these new technologies pose to consumer privacy. Leahy expressed that he is “deeply concerned” that smartphones may be tracking and storing data without users’ consent, that sensitive user data may be maintained by providers in unencrypted formats, and that companies are involved in the sale of location data without consumer knowledge resulting in the receipt of unsolicited ads by third parties.
Subcommittee Chairman Al Franken’s opening remarks focused on the increasing number of entities whose business model is to collect and maintain information on consumers under consumers’ radar. Franken noted the many benefits of location-based services, making a point to emphasize that “the existence of this business model is not a bad thing.” “The answer is not ending location-based services,” Franken said, “what today is about is trying to find a balance” between the benefits of these services and the public’s right to privacy.
The first panel of testifying witnesses consisted of two government representatives from their respective agencies. Here are some highlights from their testimony:
Jessica Rich, Deputy Director, Bureau of Consumer Protection, FTC
- The rapid growth of mobile products and services raises several concerns: mobile devices are always on and always with the consumer, mobile devices contain information that is highly personal in nature, and companies have the ability to track consumers who use mobile devices, including children and teens.
- The FTC has called on the industry to develop simplified disclosures embedded in each mobile interaction so that consumers know when and how their data is being used, rather than rely on privacy policies that are difficult to access using a mobile device.
- Companies should implement privacy by design principles in the development of their products and services, making it easier for consumers understand and choose how their data is used.
Jason Weinstein, Deputy Assistant Attorney General, Criminal Division, DOJ
- Three major threats mobile devices pose to consumers include (1) cyber criminals such as identity thieves, stalkers, and hackers who access and exploit information without authorization; (2) the collection and disclosure of location data by service providers themselves - including app providers; and (3) the use of mobile devices by criminals to facilitate their own crimes.
- While the ECPA restricts providers from sharing location data with the government, it does not restrict them from sharing such information with other private entities.
- Companies are not currently required to retain the data they collect, which impedes the DOJ’s ability to investigate and prosecute crimes.
The second panel consisted of five non-government witnesses – from privacy advocates to representatives from major mobile market players. Here are some highlights from their testimony:
Ashkan Soltani, Independent Researcher and Consultant
- The most serious threat mobile devices pose today is that consumers are repeatedly surprised by the information mobile device platforms and apps are accessing.
- Mobile devices and apps don’t only collect location data - they also transmit consumers’ phone numbers and information from their address books, text messages, contact lists, etc.
Justin Brookman, Director of the Project on Consumer Privacy, Center for Democracy and Technology
- Only a patchwork of outdated and insufficient laws applies to mobile service providers, leaving consumers inadequately protected.
- While companies can’t affirmatively lie about how they protect consumer data, they can decline to make any representations to consumers regarding their data privacy and security practices, thereby avoiding FTC enforcement.
- The default rule for service providers is that they can disclose location data without notifying consumers and obtaining their consent. They only things providers can’t do are things the providers have promised they won’t do.
Guy L. "Bud" Tribble, Vice President of Software Technology, Apple Inc.
- Apple does not track users’ locations and “has never done so,” nor do Apple devices transmit data back to Apple that is unique to any particular consumer.
- Apple controls the apps available to consumers by contract – if apps don’t meet Apple’s privacy requirements then those apps are not made available in Apple’s app store.
- Apple conducts “random audits” and “examines network traffic produced by applications” to ensure that available apps are properly protecting the privacy of Apple consumers.
Alan Davidson, Director of Public Policy, Americas, Google Inc.
- Google makes location-based services opt-in only. If a consumer doesn’t opt-in, his or her mobile device will not transmit any location data back to Google.
- Every third party app must notify users that the app will access location data and the user consent before the app is installed on the user’s device.
- Google believes in providing users with highly transparent information regarding its information practices, requiring opt-in consent before location data is collected, and implementing high security standards to anonymize data once it’s collected.
Jonathan Zuck, President, Association for Competitive Technology
- Mobile apps are made predominantly by small businesses - to protect consumer privacy without unduly burdening innovation, concerns about privacy must be dealt with holistically rather than from a technology-specific perspective.
Chairman Franken closed the hearing by noting that current laws don’t provide consumers with sufficient privacy protections - legislation and agency enforcement hasn’t kept up with the pace of technology. Franken restated his belief that consumers have a “fundamental right” to know what personal information is collected about them, and when and with whom their information is shared. Franken noted that these rights are particularly important when sensitive information – data from mobile devices – is involved.
To view the hearing on the U.S. Senate Committee on the Judiciary website, click HERE.
Kerry Releases Draft of "Privacy Bill of Rights"
A week after the Senate held a hearing on the state of online consumer privacy, Senator John Kerry (D-Mass) has published a draft of the "Commercial Privacy Bill of Rights Act of 2011." The Act, co-sponsored by Senator John McCain (R-Ariz.), directs the FTC to make rules requiring certain entities that handle information covered by the Act to comply with a host of new requirements protecting the security of the information as well as the privacy of the individuals to whom information pertains. The Act aims to enhance individual privacy protections “in a balanced way that establishes clear, consistent rules,” and “will stimulate commerce by instilling greater consumer confidence at home and greater confidence abroad.” In this post, we take a look at the highlights of the Act.
Entities Covered by the Act. The Act defines “covered entities” as any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period and is subject to FTC jurisdiction, as well as telecommunication common carriers and non-profit organizations.
Information Protected Under the Act. The various provisions of the Act address “covered information” which includes personally identifiable information (“PII”), unique identifier information (“UII”), and any information that is collected, used, or maintained in connection with PII or UII that may be used to identify an individual. Some provisions require businesses to comply with specific obligations when dealing with “sensitive” PII, which is defined as PII which, if lost, compromised, or disclosed without authorization could “result in harm to an individual.”
Some information is always considered PII of the individual to whom it pertains, including:
- First name (or initial) and last name;
- Residential address;
- E-mail address if it contains the individual’s name (the draft brackets indicate it is currently undecided whether that means the individual’s full name, legal name, maiden name, nickname, initials, or names embedded with other letters or characters such as Danny123@xyz.com);
- Telephone or mobile device numbers other than those considered work contact numbers;
- Social security numbers and other government-issued identification numbers
- Credit card numbers;
- Unique persistent identifiers (including cookies, user IDs, processor serial numbers, or device serial numbers) if used to identify a specific individual; and
- Biometric data, including fingerprints and retina scans.
If used, transferred, or maintained in connection with one or more pieces of PII listed above, the following information is also considered PII:
- Birth date, birth or adoption certificate number, or place of birth;
- Unique persistent identifiers (not limited to those used to identify a specific individual);
- Precise geographic location; and
- Any other information concerning an individual that may “reasonably be used to identify that individual.”
UII includes unique persistent identifiers other than those qualifying as PII, including “a customer number held in a cookie, user ID, processor serial number, or device serial number.”
Data Collection, Integrity and Retention Constraints. Covered entities may collect only as much covered information about an individual as is reasonably necessary to improve their services through research and development, provide services requested by or consented to by the individual, or to prevent fraud. Covered entities are required to establish procedures to ensure that the PII they maintain is accurate. The Act restricts the retention of covered information to a period only as long as necessary to provide a service or for a reasonable period of time if the service is ongoing.
Right to Notice. Covered entities must provide readily accessible notice regarding the collection and use of covered information as well notify individuals of any changes to the entity’s collection and use practices. The FTC will establish rules requiring a covered entity to provide individuals with a mechanism for opt-in consent for:
- The collection, use, or transfer of an individual’s sensitive PII other than to process transactions or services requested by the individual, for fraud prevention and detection, or to provide for a secure environment;
- The use or transfer of previously collected PII if there is a material change in the entity’s practices requiring notice to the individual; and
- The transfer of PII, UII, and other covered information to third parties for an unauthorized use or public display.
The FTC’s rules will also require covered entities to offer individuals a mechanism for opt-out consent for any unauthorized use of their PII.
Right to Access. Covered entities are required to provide individuals reasonable access to their PII. If an individual terminates a service or relationship with the covered entity or if the entity enters bankruptcy, individuals are given the right to demand that PII be rendered not personally identifiable or if that is not possible, to cease its collection, use, transfer or maintenance.
Constraints on Transfers to and Use by Third Parties. The Act prohibits third parties from unauthorized use of PII for which opt-in consent is required, unless the individual is notified of and consents to the use. A “third party” is a person that is not related to the covered entity by common ownership or control nor contractually required to comply with the covered entity’s privacy policies, privacy controls, and any applicable confidentiality agreement.
A covered entity is required to provide notice to individuals if the entity intends to transfer covered information to third parties. If a third party receives covered information from a covered entity, the third party is treated as a covered entity under the Act unless the FTC decides otherwise. When a transfer occurs, the covered entity and third party must enter into a contract ensuring that "the third party will not combine information that is not personally identifiable ... with other information in order to identify individuals with that information." The concept of transfer is not limited to situations where active steps are undertaken by a covered entity – it includes the collection of the information by a third party through a covered entity’s website, mobile application, or other consumer interface. Transfers to "unreliable third parties" are prohibited.
Unauthorized Use. The term ‘‘unauthorized use’’ means the use of covered information for any purpose not authorized by the individual to whom the information pertains, other than use:
- To process a transaction or service requested by that individual;
- To operate the covered entity that is providing a transaction or service requested by that individual, such as inventory management, accounting, planning, product or service improvement or forecasting;
- To prevent or detect fraud or to provide for a secure environment;
- To investigate a possible crime or that is required by law or legal process;
- To market or advertise to an individual from a covered entity if the personally identifiable information used for such marketing or advertising was collected directly by the covered entity;
- Necessary for the improvement of the transaction or service through research and development; or
- Necessary for internal operations, including collecting customer satisfaction surveys to improve customer service information as well as collection of website visit and click-through rates to improve site navigation.
Enforcement and Penalties. The FTC is granted enforcement authority and state attorneys general are given civil action authority to enforce the Act. The Act does not provide for a private right of action, which is likely to raise opposition from privacy advocates. Monetary penalties for violating the Act are stiff - a covered entity that knowingly or repeatedly violates the Act is liable for a civil penalty of $16,500 multiplied by the number of days of noncompliance. If a covered entity violates the Act and fails to obtain proper consent when required, the penalty is $16,500 multiplied by the number of days of noncompliance or the number of individuals whose consent was not obtained, whichever is greater. However, liability is capped at $2 or $3 million depending on the nature of the violation.
Effect on Other Laws. State laws are preempted by the Act, except those laws dealing with health or financial information or data breach notification.
Safe Harbor Programs. The Act requires the FTC to create requirements for “safe harbor programs.” The programs, administered by non-governmental organizations, will be designed to enable participants to implement the requirements of the Act, implement "comprehensive information privacy programs," and offer consumers a means to opt out if a participant transfers covered information to a third party for an unauthorized use. A covered entity that participates in such a program is exempt from the major provisions of the Act if, according to the FTC’s determination, the program obligates participants to comply with requirements that are substantially the same as, or more protective of privacy than, the provisions of the Act. The programs are to be supervised and enforced (with penalties) by the FTC.
With the exception of the FTC’s enforcement actions cracking down on unfair and deceptive practices, the government has favored industry self-regulation over privacy legislation. Between the new draft of the "Commercial Privacy Bill of Rights Act of 2011," three separate privacy bills pending in the House, and the Obama administration backing a “consumer privacy bill of rights,” it looks like change is in the air (and I’m not just saying that to be clever).
SearchSecurity.com Interview on the Data Accountabilituy and Trust Act
For those interested, I was recently interviewed by SearchSecurity.com concerning the Data Accountability and Trust Act ("DATA") passed in the House in December 2009. While I might not be cut out for a career in broadcasting, hopefully the information I provided is useful. If you would like more information, the Information Law Group has written several times on DATA and similar legislation pending in the Senate.
The Breach Notification Obligations in the Data Accountability and Trust Act
The Information Law Group has been following various Federal data security bills as they wind their way through the House and Senate. In December 2009, the Information Law Group commented on the passage of the Data Accountability and Trust Act ("DATA") by the House. I was recently asked by Data Protection Law and Policy (an excellent publication out of the UK focusing on data security and privacy issues) to take a closer look at the data breach obligations of the current version of DATA. The end result was my article entitled: "Potential changes to the US breach notice risk landscape".
In summary, my article discusses some of the similarities and differences between the current state-created breach notice regime and the system set forth under the proposed DATA law. DATA is interesting because it appears to create counter-opposing breach notice incentives. On the one had, there are mechanisms that could lead to less breach reporting, including:
- a "risk of harm" standard that is likely higher than many existing State laws;
- preemption of existing state law, which eliminates the "least common denominator" approach taken with respect to existing state law; and
- mandating call center and credit monitoring costs (e.g. these costs may be significant, and therefore encourage non-compliance, especially if enforcement is lax)
On the other hand, DATA allows for the imposition of civil penalties of up $11,000 per violation (capped at $5 million). Each failure to send the required notification to an affected individual is treated as a separate violation. Depending on how vigorously the law is enforced, the risk of significant civil penalties is likely to encourage compliance.
How these factors would play out is unclear and up for debate. However, what is even more unclear is whether DATA will ever be made into a law. The Senate is working on a similar bill, and assuming it passes the Senate it would still have to be reconciled with the House version. Consumer advocates will likely have concerns about the higher risk of harm threshold in the law. On the business side, I anticipate great resistance to call center and credit monitoring as mandatory costs. Moreover, the penalties for non-compliance may be problematic, especially for smaller and medium organizations. As such, should DATA become a law, it is likely to differ from this version.
