Smartphone tracking apps raise security, privacy and legality questions

Tracking apps can be useful in a variety of ways, such as letting consenting spouses know each other’s locations. However, location data from mobile devices can be highly personal.

GAO analysis

When it comes to smartphone tracking applications that help parents or employers to track the location of their children or perhaps monitor them by intercepting communications, few would argue the merits of such a system. But when those same kinds of apps are used to surreptitiously monitor employee activities, or the behavior of your wife or boyfriend, well, things get a little creepy and possibly illegal.

The watchdogs at the Government Accountability Office waded into the smartphone tracking app quagmire and found lots of contradictory information on the topic by looking at 40 smartphone tracking apps and analyzing their websites.

“GAO found that some federal laws apply or potentially apply to smartphone tracking apps, particularly those that surreptitiously intercept communications such as e-mails or texts, but may not apply to some instances involving surreptitiously tracking location. Statutes that may be applicable to surreptitious tracking apps, depending on the circumstances of their sale or use, are statutes related to wiretapping, unfair or deceptive trade practices, computer fraud, and stalking. [Experts the GAO interviewed] also expressed concerns over what they perceived to be limited enforcement of laws related to tracking apps and stalking,” the GAO stated.

The GAO said that some experts it interviewed for the report believed the federal wiretap statute should be amended to explicitly include the interception of location data, and the Department of Justice has proposed amending the statute to allow for the forfeiture of proceeds from the sale of smartphone tracking apps and to make the sale of such apps a predicate offense for money laundering.

However, some experts interviewed differed in their opinions on the applicability and strengths of the relevant federal laws and the need for legislative action, the GAO stated.

Some of these stakeholders believed it was important to prosecute companies that manufacture surreptitious tracking apps and market them for the purpose of spying. Domestic violence groups stated that additional education of law enforcement officials and consumers about how to protect against, detect, and remove tracking apps is needed.

“Tracking apps can be useful in a variety of ways, such as, for example, allowing consenting spouses to know each other’s locations. However, location data from mobile devices can be highly personal, including information about where a person lives, goes to school, or attends church, or whether a person has visited a bar, a psychiatrist, an attorney, or a former boyfriend’s house. Moreover, certain tracking apps allow for the surreptitious collection and transmission of a person’s smartphone location information and, in some cases, also allow for the surreptitious interception of the person’s communications—such as texts, e-mails, and phone calls. Such monitoring can present a threat to a person’s safety and privacy and can be used as a tool that facilitates stalking,” the GAO stated.

Still others in the GAO report were concerned that legislative actions could be overly broad and harm legitimate uses of tracking apps. However, stakeholders generally agreed that location data can be highly personal information and are deserving of privacy protections, the GAO stated.

The GAO noted that several federal laws may be relevant to the issue of tracking apps, including:

The federal wiretap statute: This law makes it illegal, among other things, for an individual to intercept wire, oral, or electronic communications unless an exception applies, such as one of the parties to the communication has consented to the interception. It also makes it illegal to manufacture, sell, or advertise a device knowing that it is primarily intended for surreptitious interception of communications. This is both a civil and a criminal statute, providing individuals with a private right of action and DOJ with authority to enforce criminal violations of the statute.

FTC Act Section 5: The core consumer-protection authority in section 5 of the FTC Act enables FTC to bring cases against individuals and companies that it determines have engaged in unfair or deceptive acts or practices in or affecting commerce. FTC can seek injunctive relief in an administrative proceeding or in federal court. FTC may seek monetary relief in the form of restitution and disgorgement of a defendant’s proceeds from the alleged unfair or deceptive act or practice, but may not seek civil penalties under Section 5.

Computer Fraud and Abuse Act of 1986: This law makes it illegal for an individual to access a protected computer without or exceeding authorization, among other things. Federal courts have found that smartphones are considered computers under the act.

The federal stalking statute: This is a criminal statute, enforced by DOJ, that prohibits individuals from using electronic communications systems or services for stalking purposes, among other things. The statute was most recently amended by the Violence Against Women Reauthorization Act of 2013, which includes provisions pertaining to sexual assault, domestic violence, dating violence, and stalking.

Other interesting facts gleaned from the GAO report include:

  • About one-third of the websites we reviewed (14 of 40) explicitly marketed their product as a surreptitious tracking app, specifically to track the location information and intercept the communications of children, employees, or intimate partners.
  • All current apps marketed as capable of surreptitious interception of communications and location tracking, however, can be used to secretly track an individual’s location alone.
  • The majority of the tracking apps we reviewed (31 of 40) were marketed to parents to monitor the location of their child’s smartphone or to intercept the phone’s communications. The websites discussed the safety aspects of tracking children. Of these websites, 17 apps were not marketed as surreptitious.
  • Fourteen of the 31 tracking app websites marketing to parents were marketing their app as surreptitious. These websites described their app’s ability to track a child’s smartphone’s location or the app’s ability to intercept a child’s smartphone’s communications without his or her knowledge.
  • Almost half of the tracking apps we reviewed (19 of 40) were marketed to track an employee’s location or to intercept an employee’s smartphone’s communications. These websites touted their products’ ability to track the location of an employee’s smartphone; about half of the websites specifically mentioned using the app to ensure that employees were conducting company business. Of these websites, 7 were not marketed as surreptitious.
  • Of the 19 tracking apps we reviewed that were marketed toward employers, 12 were marketed as surreptitious. These apps marketed their ability to track the location of an employee’s smartphone without his or her knowledge or the ability to intercept the communications of an employee’s smartphone without his or her knowledge.
  • In September 2014, federal prosecutors at DOJ brought charges against the chief executive officer of the company that sold StealthGenie under section 2512 of title 18. The StealthGenie mobile app surreptitiously tracked the location data of phones on which it was installed and also surreptitiously intercepted communications to and from the phone, such as text messages and e-mails. DOJ successfully demonstrated that the defendant had advertised and sold a smartphone tracking app primarily used for the surreptitious interception of wire, oral, or electronic communications. After pleading guilty, the defendant was sentenced to time served and ordered to pay a fine of $500,000. Additionally, the defendant was ordered to surrender the tracking app’s source code to the U.S. government.
  • GAO analysis identified a number of companies that continue to manufacture and market tracking apps that surreptitiously intercept smartphone communications. While DOJ staff declined to indicate whether they had current tracking app cases or investigations, they stated that they are “active in this area.” Additionally DOJ officials stated to us that DOJ has prosecuted stalking behavior under the federal stalking statute that involved GPS tracking, but not GPS tracking on a smartphone.


Copyright © 2016 IDG Communications, Inc.