Apple, Google execs squirm before Senate privacy panel

Senators, privacy advocates demand improved privacy protection for mobile devices

Executives of Google and Apple were taken to task at a U.S. Senate subcommittee hearing Tuesday for mistakes in how they protect the privacy of consumers using location-based applications on their smartphones and tablets. Apple had to admit to a glitch in iOS for iPhones and iPads that stored location information when location services were supposedly blocked, and Google had to admit that it doesn’t require third-party application providers to establish and disclose a privacy policy.

The two were among seven witnesses called before the Judiciary Subcommittee on Privacy, Technology, and the Law, chaired by Senator Al Franken, Democrat of Minnesota. The hearing sprang from recent disclosures that Apple had been saving information about users’ location in an unencrypted file on the Apple device and from news that Google has been saving information in a similar way. Microsoft was not called on the carpet for privacy issues with its new Windows Phone 7 mobile OS, and the company disclosed that it does not save location information on WP7 devices or Microsoft servers. Still, any federal legislation developed out of this hearing will affect Microsoft just like the others.

At one point, Franken questioned whether Apple was contradicting itself with different statements on location tracking.

After listening to the hearing, I’ve come to the conclusion that despite Apple’s assurance that it “is deeply committed to protecting the privacy of all of our customers,” and Google’s pledge that it practices “privacy-by-design,” there are still big holes in privacy protection and that government regulations to protect privacy are outdated and inadequate in this modern era of mobile communications and computing.

Bud Tribble, vice president of software technology at Apple, testified that Apple does not track users’ locations on their iPads/iPhones without their permission and does not share “personally identifiable information” with third parties about its users. Tribble explained that it only tracks location indirectly by detecting the presence of wi-fi access points and/or cell towers nearby, creating an “anonymized crowdsourced database” of those locations.

That response seemed disingenuous to Ashkan Soltani, an independent researcher and consultant who tested mobile applications for a Wall Street Journal article from December 2010 that revealed that 47 of 101 smartphone apps it tested shared user location information with third parties without the user’s permission. In most cases, the device was found to be as few as 100 feet from a transmitter. Soltani also said he tested a location app in the hallway outside the hearing room and learned he was just 20 feet from a wi-fi access point.

“I would consider that my location,” Soltani testified.

Apple’s Tribble also had to admit Apple’s crowdsourced database was not as secure as it believed.

“While we were investigating the cache, we found a bug that caused this cache to be updated from Apple’s crowdsource database even when the location services switch had been turned off. This bug was fixed,” he said, and added that in the next major release of iOS, the cache will be encrypted by default. The cache was not encrypted, putting historical location data at risk on the device or on a computer to which the device may have been synced by the user.

Alan Davidson, director of public policy in the Americas for Google, sought to reassure senators that Google takes privacy protection seriously and that all its location services are opt-in, meaning the consumer has to proactively grant permission for apps to identify his or her location. But Franken asked Davidson why, if Google was so serious about protecting privacy, it doesn’t require application developers to adopt and disclose their own privacy policies to end users. Franken asked him, as well as Apple’s representative, to commit to adopting a “clear, understandable privacy policy [for third party apps]. It wouldn’t fix everything but it would show your commitment to this issue.”

Davidson gave Franken a “let me get back to you on that” dodge.

“I will take that issue back to our leadership. I think it’s a very good suggestion for us to take up,” he said.

From what I heard at the hearing, which also included testimony from privacy advocates and people from the Federal Trade Commission and Department of Justice (DOJ), the U.S. has no coherent privacy policy. The legal basis for much of the federal regulation is the Electronic Communications Privacy Act (ECPA), which was enacted in 1986, before the Internet, smartphones or tablets were even a gleam in Steve Jobs’ eye. The FTC is going after privacy violators on the vague premise of “deceptive business practices” while a representative of DOJ testified that a federal anti-stalking law requires that the stalker and victim be in different states (probably because of the interstate commerce clause). The threat from the use of mobile location tracking by stalkers came up several times.

The ECPA is in dire need of updating and Sen. Patrick Leahy (D-Vt.), who also spoke at the hearing and authored the original legislation, promised to do that soon. The hearing convinced me that updating privacy protection to keep pace with innovation is sorely needed.


Copyright © 2011 IDG Communications, Inc.
