May 11, 2011
Some Thoughts on Internet Privacy Legislation
Yesterday's hearing on consumer privacy before the Senate Judiciary Subcommittee on Privacy, Technology and the Law did not merely highlight the concern of Congress on online data amassed by marketers. It exposed the conflict within government over its own needs for most of the same information for criminal investigations and prosecutions. This came in the form of testimony from Jason Weinstein, Deputy Assistant Attorney General in the DOJ's Criminal Division. While we can all argue about whether there is a need for Apple and Google (an others) to collect location data, the DOJ does like the idea. It's evidence, after all.
Weinstein's testimony notes that 64% of Americans use smart phones. I pointed out in this earlier post how Alexis Madrigal subjected his smart phone to forensic analysis and how the results yielded a lengthy virtual history of his online activities. Think of it as a cautionary tale. This is the age where some courts are ruling that smart phone and computer hard drive analysis can be conducted by government either without a warrant or expansively beyond the original warrant. (See 88 Criminal Law Reporter 644). The real point here is while location tracking is useful for marketers to provide lawful services, the government has an interest in that same information.
Apple says in its various responses to the revelation that iPhones store location information is that the information represents cell phone tower locations. This information assists the phone in determining its location without resorting to satellite calculations, which in turn extends battery power by using less of it. The fact that about a year's worth of data collection exists on the phone and computer back ups now turns this feature into a "bug." Apple claims that none of this shows a person's true location history. This, I guess, should be interpreted as saying Apple doesn't compromise personal privacy. Apple, for its part, is updating its software to shorten the data collection period and give customers some options. What's a person to do, extend battery life or be tracked? It is now a consumer choice.
But the same information collected by a software "bug" can work with other cell phone information collected by the telcos. Prosecutors can match phone data with that lawfully subpoenaed from the cell phone companies to the detriment of a defendant. Or at least a prosecutor would try that strategy. That the same information collected by marketers on our hand held computers that incidentally make phone calls is also useful to the government is not lost on the DOJ. Hence Weinstein's testimony suggesting that any legislation take into account existing business surveillance tracking of customers.
The draft bill proposed by Senators McCain and Kerry on consumer privacy does exactly that. Note that the bill doesn't completely stop data collection as much as it regulates how it is used and disclosed. Consumers would have rights to opt out of some data collection situations and opt in to others. Whether a groundswell of people would take advantage of these options is debatable. Nonetheless, section 405(c) states that the bill does not expand or limit the duty of a covered entity to provide information to a government entity. I haven't checked the competing bills, but I suspect they will have a provision similar to this if not already included in drafts. See this story in CNET for additional analysis.
My prediction on all of this is that either no privacy provision will be enacted, or if one is, it will be weak. There is too much incentive in the business and law enforcement communities to dramatically change the rules at this point. Remember the outrage to the Total Awareness Information data mining project did not end it as much as Congress quietly transferring funding and functionality to various security agencies instead. The government also fought to keep the library provisions in successive re-authorizations of the PATRIOT Act. That shows some motivations to keep the information pipeline open to government law enforcement agencies. The information businesses collect is a potential evidence goldmine to attractive to eliminate.
While we're on the subject, check out this editorial in the Los Angeles Times that highlights some of the privacy problems and rounds up some of the legislative reactions. It notes, for example, that Facebook tracks users and non-users alike through its "Like" button. It may not be able to put faces to the non-users, but tracks nonetheless. Law enforcement likes that. [MG]