Location Privacy Bill Moves to Senate Floor
Latest effort to curb use of GNSS-derived and other location data without permission
U.S. Capitol photo by DAVID ILIFF. Wikimedia Creative Commons License: CC-BY-SA 3.0
December 18, 2012
Setting the stage for action in the next Congress, a Senate committee approved privacy legislation last Thursday (December 13, 2012) that would, with some exceptions, require companies using geolocation data for apps and navigation services to get express permission from users before collecting or sharing that information.
The bill not only applies to the apps now commonly found on smart phone and tablets but also specifically to “geolocation information services” and devices that are in or “part of a vehicle.”
Provisions in the Location Privacy Act of 2012 (S. 1223) would also give the U.S. attorney general and state attorneys general the power to enforce the bill and individual citizens the right to sue firms violating their privacy.
“Location information is extremely sensitive information,” the bill’s sponsor, Senator Al Franken, D-Minn., told the meeting of the Senate Judiciary Committee. “With GPS technology a smart phone will pinpoint its user down to 10 meters of accuracy. Someone who has this information doesn’t just know where you live; they know the roads you take to work, where you drop your kids off at school, the church you attend, and the doctors that you visit.”
“But the companies that collect our location information are not protecting it the way they should,” Franken said, noting that “half of the top apps for iPhone and Android give out their users' location to third parties without their users’ knowledge.”
Franken’s bill is just one of a number of efforts launched recently to protect the privacy of geolocation information. At least two other bills have been proposed this congressional session but have not yet made it out of committee.
In June the House approved an amendment to prohibit the use of funds to create or implement any regulations mandating GPS “tracking, electronic on-board recording devices, or event data recorders in passenger or commercial motor vehicles.” That measure has yet to be approved by the Senate.
In February the White House issued a framework paper entitled “Consumer Data Privacy in a Networked World.” The 62-page report noted the importance of “preserving trust in the Internet economy” and that “new uses of personal data in location services, protected by appropriate privacy and security safeguards, could create important business opportunities.”
To provide the safeguards the White House set forth a process to have industry and other stakeholders work together to develop an enforceable code of conduct. Enforcement, the paper suggested, should be in the hands of the Federal Trade Commission (FTC).
Efforts are already underway to make the code of conduct a reality. The National Telecommunications and Information Administration (NTIA) was tasked with bringing stakeholders together, and meetings to develop the code began this summer.
For its part the FTC issued a widely publicized report last week that laid out some of the concerns about the use of data gathered from apps aimed at children. The report said that roughly 60 percent of the apps tested were transmitting information back to developers, analytics companies, and third parties. Only 20 percent of the organizations behind the apps disclosed their privacy practices.
Among the information being transmitted about kids using the apps was their location.
“The researchers at the FTC downloaded hundreds of apps onto their devices and tested them to see what they were transmitting to third parties,” said Franken. “They found that 12 highly popular apps, 12 of the most popular apps — apparently downloaded hundreds of thousands of times — were transmitting their users’ precise geolocation to their parties without their parents consent. We asked the researchers at the FTC ‘Just how precise was that location?’ They answered ‘exact location.” It showed us sitting in the FTC’s computer lab.”
“Some app companies are actually developing and marketing stalking apps specifically designed to help abusers stalk their victims,” said Franken.
A victim who testified earlier this year, he said, described how she got a text message from her abuser — within five minutes of visiting the offices of her county’s domestic violence services — asking her why she was at a county building. Frightened, she asked an advocate to get her an order of protection from the local court house.
After filing the order the woman received another text message from her abuser asking why she was in the courthouse and asking whether she was seeking a protection order against him. The advocates later realized he was tracking her via an app on her smart phone.
In 2006 more than 25,000 women were being stalked annually via GPS technology, Franken said, citing Department of Justice statistics. “Imagine what those figures are now,” he added, noting that he had uncovered similar stories across the country.
Franken’s bill would require that those being tracked be told of the surveillance and given the opportunity to opt out. It also makes providing location data in support of domestic violence or stalking punishable by up to two years in prison.
“The mobile marketplace is a unique, yet highly complex technical ecosystem with multiple entities often behind a single service,” said the Interactive Advertising Bureau (IAB) in a December 12 letter to the committee. “One application may have 10 or more different entities functioning behind the scenes to enable service, ad delivery, monetization, or analytics to help improve the user experience.”
“Furthermore,” the IAB letter continued, “these partner entities often change dynamically through automated systems each time the consumer opens the application. In a real-time automated delivery market, there is no technologically feasible or practical means for providing notice of each specific entity, as the entity changes in a moment’s notice. “
The IAB also noted that the bill did not exempt data that is “de-identified” or anonymous and suggested that implied consent be granted for those services, such as mapping, that function only by virtue of location data.
Although the bill won bipartisan approval in the Senate Judiciary Committee, it is unlikely to make it to the president’s desk this year. There is no comparable House bill in the works and no time to write or pass one.
Congress is already in a nearly impossible time crunch with a scant few weeks to deal with a host of complicated challenges including expiring tax cuts, payment rates for Medicare doctors, an extension of unemployment benefits and sequestration–mandated spending cuts that are stalking the economy like a pack of hyenas.
That does not mean the bill is dead, however.
Franken returns to the Senate in January, and he is generally expected to reintroduce the bill. Franken even won a measure of support from Republican powerhouse Chuck Grassley of Iowa, who assured Franken in committee that he had his vote to move the bill to the Senate floor. Industry too, is expecting the bill to be proposed again during the next Congress.
"CTIA appreciates that Senator Franken has been willing to entertain our input as he refined his Location Privacy Protection Act,” said CTIA-The Wireless Association in an emailed comment. “These are difficult issues and we look forward to continuing the dialogue with Senator Franken and his colleagues as they pick this issue up in the 113th Congress.”
Copyright © 2012 Gibbons Media & Research LLC, all rights reserved.