The discussion over location data on mobile devices reached Capitol Hill on Tuesday, as executives from Apple and Google and experts on policy, privacy, and technology testified in front of the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law. Apple vice president of software technology Bud Tribble testified in front of the subcommittee to defend the company’s stance on privacy and its practices.
The hearing, Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy, was prompted by a report late last month that iOS devices contained a database of location information that could conceivably be used to track a device’s user. Apple later responded to the concerns on its Website, saying that the information was a database of the locations of Wi-Fi access points and cell towers that iOS devices could use to speed the process of locating themselves on a map, and could not be used to ascertain a device or person’s location.
A week after that response, the company released iOS 4.3.3, which patched a pair of bugs relating to location data: one fix reduced the amount of data being stored to just seven days’ worth, and the other deleted the cache of location data when the device’s location services were deactivated. The update also stopped the practice of backing up the location database to computers, where it could potentially reside unencrypted.
In his testimony before the subcommittee, Tribble reiterated these points, concluding by saying that “Apple is strongly committed to giving our customers clear and transparent notice, choice, and control over their information and we believe our products do so in a simple and elegant way.”
Committee chair Senator Al Franken (D-MN) quizzed Tribble on a statement from Apple CEO Steve Jobs to the press and a written statement from the company itself, which the senator said contained conflicting information on whether or not the information stored on the device contained a user’s location. “It doesn’t appear to me that both of these statements can be true at the same time,” said Franken. “Does this data indicate anything about your location or doesn’t it?”
“The data that is stored in the database is the location of as many Wi-Fi hotspots and cell phone towers as we can have,” said Tribble in response. “That data does not actually contain…any customer information at all. It’s completely anonymous; it’s only about the cell phone towers and the Wi-Fi hotspots.” Elaborating, Tribble explained that the phone can use that information in conjunction with being able to detect which towers and hotspots are near it to determine the device’s location.
Apple and Google were taken to task not only for their own activities, but also for those of their third-party partners, the developers who create applications available in the platforms’ respective app stores. Senator Franken asked whether or not Apple and Google would be willing to commit to requiring clear privacy policies from their application developers.
“We require contractually third-party app developers to provide clear and complete notice if they’re going to do anything with a user’s information or device information,” said Tribble. “It doesn’t specifically require a privacy policy, but what I’ll say is that probably a privacy policy in this general area is not enough…what we need to do, because people may not read a privacy policy, is put things in the user interface that make it clear to people what is happening with their information.” Tribble pointed out that Apple does so by putting an icon in the menu bar to let the user know an app is accessing their location data, as well as displaying information about which applications have accessed location data in the last 24 hours.
Along the same lines, Senator Tom Coburn (R-OK) asked how Apple and Google enforce the restrictions that they’ve placed on the developers who write apps for their platforms. “How do you know that they’re not using data different from how they agreed to?”
Tribble explained that Apple does random audits of the apps in its store. “We have 350,000 apps, we don’t audit every single one…but we do do random audits and do things like examine the network traffic produced by that application to see if it’s properly respecting the privacy of our customers.”
In addition, Tribble said that Apple pays attention to public sources, such as blogs for particular communities of app users. The company investigates suspect applications and, in the case that an app is found to have violated Apple’s terms, the company tries to get the developer to fix the application—if they don’t, then Apple will notify them that the app will be removed from the App Store within 24 hours.
However, Tribble added, “The overwhelming common case is that the app developers are highly incented to stay in the App Store, so during the investigation or if we warn them, typically they correct. Often that correction involves making sure they pop up a notice panel telling the customer what they’re doing.” A later line of questioning by Senator Franken revealed that Apple has in fact never pulled an application from the store for sharing information without users’ consent, as developers to date have always chosen to fix their apps rather than have them pulled.
Tribble also said that Apple “encourages and requires” app developers to notify users and get their consent before accessing other information on the device, such as calendar and contact data.
The committee touched upon a number of other issues related to digital privacy, such as the recent data breaches at Sony and Epsilon, Google’s Wi-Fi packet sniffing, and even the availability of mobile apps that allow users to circumvent police DUI checkpoints.
Despite the responses from Apple and Google, not all members of the subcommittee were assuaged.
“I still have serious doubts that these rights are being respected in law or in practice,” Senator Franken said at the hearing’s conclusion. “We need to think seriously about how to address these problems and we need to address them now. … This is an urgent issue we need to be dealing with.”
Full video of the hearing, as well as the written testimony of the participants, can be found on the Senate’s Website.