Senate Probes Privacy Practices of Google, Apple

Executives from Google and Apple defended their mobile privacy policies at a Congressional hearing Tuesday as Sen. Al Franken (D-Minnesota) called attention to recent reports that iPhones androids and other devices secretly collected user data and locations without permission.

Under current federal law, Franken said, creators of mobile phones are often “free to disclose your location information and other sensitive information to almost anyone they please without letting you know.”

Legislators on the Senate Judiciary Subcommittee on Privacy, Technology and the Law said that without sufficient privacy measures, mobile devices carry the genuine potential for security breaches, like the recent attacks on Sony and Epsilon, or criminal activity such as stalking. However, panel members also assured the testifying officials that their mission was not to end location-based services, but to create strong consumer protections as mobile technology continues to evolve.

“No one up here wants to stop Apple and Google from producing their products or doing the incredible things that you do,” Franken said as he opened the meeting, called Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy. “What today is about is trying to find a balance between all of those wonderful benefits and the public's right to privacy.”

After coming under scrutiny in recent weeks from consumers and legislators over its privacy policy, Apple denied that its handset tracks locations of iPhone and iPad users without permission and, instead, relies on “a database of WiFi hotspots and cell towers around your current location … to help your iPhone rapidly and accurately calculate its location when requested.”

Guy “Bud” Tribble, Apple's vice president of software technology, told the subcommittee that Apple does not share user information with third parties without permission and is “deeply committed to the privacy of all of our customers.” Tribble also said that Apple has never tracked location data “and has no plans to ever do so.”

“The PR hit that Apple took from that is really telling,” said Rebecca Jenschke, media relations director of the Electronic Frontier Foundation. The backlash showed that “people really do care about their privacy … you have this tracking beacon in your pocket and you don't really know what it does. These are a lot of people that you're trusting with really sensitive data.”

Similarly, Google responded to criticism over its privacy measures by pointing out that all location sharing on Android devices is “opt-in by the user … Any location data that is sent back to Google location servers is anonymized and not tied or traceable to a specific user.”

Alan Davidson, Google's director of public policy for the Americas, told the subcommittee that the opt-in selections are “in plain language” and can be turned off in the future. Davidson described Google's approach to location services as “highly transparent information for users about what is being collected, opt-in choice before the location information is collected and high security standards to anonymize and protect information.”

Sen. Richard Blumenthal (D-Connecticut) said the relationship between mobile operators and third-party app makers is a “wild West,” as the ever-changing technological landscape makes it difficult for legislators to create laws that protect consumers without stifling innovation. At least four bills attempting to navigate mobile and online privacy were introduced during this legislative session, but none have come to the forefront as being likely to pass.

Ashkan Soltani, an independent security researcher, said the best way to tackle mobile privacy was to increase transparency and create more specific guidelines for terms like “opt-in,” “third parties” and even “location.”

“If you imagine a historical trail of your whereabouts over the course of many days, it would be reasonably easier to deduce where you work, where you live and where you play,” Soltani said. “In many cases the location that this data refers to is the location of your device or somewhere near it … I would consider that my location.”

Franken ended the meeting on an open note. “As I said at the beginning of this hearing, I think that people have a right to know who is getting their information and a right to decide how that information is shared and used. After having heard today's testimony, I have serious doubts that those rights are being respected in law or in practice,” Franken said. “We need to seriously think about how to address this problem. And we need to address this problem now.”