Saturday, February 26, 2011

Case #2: Mobile Privacy



On December 17, 2010, the Wall Street Journal published an article claiming that iPhone and Android apps were breaching the privacy of their users. They found that the iPhone version of the Pandora app sent information to eight trackers. It sent location data to seven of the trackers, a unique phone ID to three, and demographic data to two.

The Pandora app is just the beginning. The Wall Street Journal investigation found that of 101 popular smartphone “apps” (games and other software), 56 transmitted the phone’s unique device ID to other companies without the users’ awareness or consent, and 47 transmitted the phone’s location. Michael Becker of the Mobile Marketing Association explained that “In the world of mobile, there is no anonymity”; a cell phone is “always with us. It’s always on.”

In the last weeks of 2010, two class action lawsuits were filed against Apple, Inc. and mobile application providers in California federal courts. The first lawsuit, Lalo v. Apple, Inc. et al., was filed against Apple, Backflip, Dictionary.com, Pandora, and The Weather Channel. The second lawsuit was filed against the same defendants plus several other game app providers. Now, in the “flood of lawsuits,” a third class action lawsuit was filed against Apple on January 27th, 2011.

Apple spokesperson Tom Neumayr said in response to the lawsuits that “We have created strong privacy protections for our customers, especially regarding location-based data. Privacy and trust are vitally important.”

One main point of iPhone and Android supporters is that the information isn’t linked to individuals. The ID numbers assigned to every phone are effectively “supercookies.” On iPhones the number is called the “UDID,” or the Unique Device Identifier. The IDs are set by phone makers, carriers, or makers of the operating system, and typically can’t be blocked or erased. This ID is how everything gets tracked, because you can’t clear a UDID like you can a cookie on a computer.

The lawsuits of the beginning of 2011 accuse companies of violating federal privacy laws, including the wiretapping act, for their financial gain through the misappropriation of users’ private data by their popular apps. They also claim that the apps were accessing and transmitting UDIDs and other information about devices and their owners to third-party ad networks.

The key issue is whether the UDID numbers are considered personal information. Before the cases can be evaluated, a few questions have to be answered about the UDIDs. "Does disclosing a unique ID actually disclose anything 'private' or otherwise legally protected?" Also, "Did the users expressly or impliedly consent to disclosures?" "Did any users suffer any legally considerable harm?"

Those who agree that the UDID numbers represent protected personal information refer to privacy under the California constitution. Andre Rado, a partner in Milberg LLP, the firm representing the plaintiff, explained that "Transmission of the UDID would allow the recipient to identify exactly what a user is browsing and, together with other information, where they are at any given time. In addition, there are disclosure-based and contract-based claims in the action."

The issue of online privacy has gotten the attention of Washington. The FTC recently released a 123-page report regarding online privacy, reprimanding online advertisers for privacy violations. The FTC recommended requiring an industry standard “Do Not Track” mechanism allowing individuals to restrict the delivery of their personal data to advertisers. The Department of Commerce also issued guidelines for balancing consumer privacy with online and mobile innovation.

The FTC's report established four principles that are currently non-binding to the industry. Those principles are:

- Transparency and Consumer Control: Every website, including app providers, that uses behavioral targeting should clearly and concisely spell out what it is doing. The FTC recommends that users have a simple method to opt out of the site's targeting tools.
- Reasonable security, and limited data retention, for consumer data: Companies should only retain data as long as is necessary to fulfill a legitimate business or law enforcement need.
- Affirmative express consent for material changes to existing privacy promises: In other words, a company must keep the promises it makes to consumers when it comes to protecting their data. If it is bought or merges with another company, those pledges still hold, unless consumers agree to the changes. If the company revises its policies on privacy, it must receive users' consent before implementing the new rules.
- Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising: If companies want to collect sensitive personal data, they must get users' permission before, not after, they start collecting.

Guess we will have to wait and see if 2011 turns out to be the year of mobile privacy lawsuits.


Resources:
- www.adage.com
- http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html?KEYWORDS=mobile+privacy+Apple
- http://www.remodista.com/is-2011-the-%E2%80%9Cyear-of-the-mobile-privacy-lawsuit%E2%80%9D-bricks-mobile-2011/

2 comments:

  1. Great post, Sabrina. The issue of mobile privacy is going to get a lot of attention with the growth of smartphones and apps. Some of this tracking is definitely creepy. I appreciate you posting the FTC guidelines on this. Good research on this issue.
    Grade - 5/5
  2. BTW, I love reading your blog!