In a recent hearing before the Senate Judiciary Committee, Sen. Al Franken reminded his fellow Americans, “People have a fundamental right to control their private information.” At the hearing, Franken raised an alarm about Carrier IQ’s software, CIQ.
Few people have ever heard about CIQ. Running under the app functions, CIQ doesn’t require the user’s consent (or knowledge) to operate. On Android phones, it can track a user’s keystrokes, record telephone calls, store text messages, track location and more. Most troubling, it is difficult to impossible to disable.
Carrier IQ, located in Mountain View, CA, was founded in 2005 and is backed by a group of venture capitalists. Its software is installed on about 150 million wireless devices offered through AT&T, HTC, Nokia, RIM (BlackBerry), Samsung, Sprint and Verizon Wireless. It runs on a variety of operating systems, including the Apple OS and Google’s Android (but not on Microsoft Windows).
At the hearing, Sen. Franken questioned FBI director Robert Muller about the FBI’s use of CIQ software. Muller assured the senator that FBI agents “neither sought nor obtained any information” from Carrier IQ.
Following Muller’s Senate testimony, Andrew Coward, Carrier IQ’s VP of marketing, told the Associated Press that the FBI is the only law enforcement agency to contact them for data. The FBI has yet to issue a follow-up “clarification.”
CIQ is emblematic of a growing number of ongoing battles that delineate the boundary of what, in the digital age, is personal, private life and information. In this era of 0s and 1s, of globalization and instantaneous communications, what it means to be a person seems to be both expanding and contracting. The battle over personal privacy is as old as the nation and as contemporary as the latest tech innovation. Eight fronts in this battle delineate personal privacy in the digital age.
The Carrier IQ controversy exposed the long-festering problem of the Unique Device Identifiers (UDID), 40-digit-long strings of letters and numbers that distinguish one device from another. Most troubling, it cannot be blocked or removed by a user. (A report by the Electronic Freedom Foundation details how CIQ works.)
Sen. Franken’s hearing took place a few weeks after Trevor Eckhart, a security researcher, exposed the extent of information accessible by the CIQ software; Eckhart works for a firm that is a potential rival to Carrier IQ. Nevertheless, his findings are disturbing.
According to the company, its software is designed to improve mobile communications. CIQ is used to help businesses with GPS tracking of mobile devices and coordinate employee travel. The company initially denied there was anything suspicious about its software. Further analysis revealed a bug that allowed SMS messages to be captured.
Making matters worse, Carrier IQ attempted to silence Eckhart with a cease-and-desist letter, demanding he replace his analysis with a statement disavowing his research. Bowing to online pressure, the company withdrew the letter.
In the wake of the mounting scandal, most of the nation’s leading wireless providers are modifying how they implement CIQ. (For an excellent recap of the controversy and a status report on which carriers and phones employ CIQ, check out Brad Molen’s article in Engadget.)
Carrier IQ is not the only company being challenged over alleged tracking. Earlier this year, two suits were filed challenging Apple over how it collects and exploits data gathered from users of its mobile devices. (See #5 below.) In addition, comScore, the online analytics firm, is being sued for allegedly collecting Social Security numbers, credit card numbers, passwords, and other data from unsuspecting consumers. Its software allegedly “modifies a computer’s firewall settings, redirects Internet traffic, and can be upgraded and controlled remotely.”
2. Reading, Watching and Hearing
One of the oldest fronts in the battle over personal privacy involves the cultural and intellectual media. This includes the books, newspapers and magazines people read; the movies, TV shows and videos they watch; the radio shows and music they listen to; and the live events they attend. Traditionally, these have been battlegrounds over which the great “analog” content wars of previous centuries were fought. They continue to be fought today.
Historically, librarians, civil libertarians, commercial interests and ordinary consumes have fought these battles. They challenged obscenity laws, and with the Supreme Court’s 1933 ruling on James Joyce’s Ulysses, protected what adults could read. However, the Pacifica-Carlin decision of 1978 restricted over-the-air free speech with the imposition of family listening hours and the “seven dirty words” restriction.
Earlier this year, after seven years of litigation, the 3rd U.S. Circuit Court of Appeals in Philadelphia ended the FCC’s thankless effort to censor CBS over showing Janet Jackson’s exposed nipple during the 2004 Super Bowl. However, in 2009, the Supreme Court ruled it was permissible for the FCC to require over-the-air broadcasters to restrict “fleeting expletives” and to establish “safe haven” for family programming. The Court is expected to rule this term on FCC regulation of primetime TV indecency rules.
Against this traditional paradigm of U.S. media consumption, there has been a literal explosion in the availability of online digital content. Today, much of what is read, watched or heard comes from a zillion blogs and YouTube videos, untold online versions of newspapers, magazines, journals and e-books as well as videos in every imaginary form and flavor.
The explosion of online content has expanded the scope and scale of the battle over personal privacy. In 2009, the Supreme Court refused to hear an appeal of the federal District Court in Philadelphia rejection of the Child Online Protection Act (COPA), limiting the FCC’s efforts to impose online censorship.
3. Records of Reading and Watching
Americans have long insisted that their personal library records and video rental records should be considered private, not be made public for either political or commercial purpose.
In the wake of the 9/11 attacks, traditional safeguards regarding library records were ended with the passage of the USA Patriot Act. In 2003, Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act (i.e., CAN-SPAM Act) requiring senders of unsolicited commercial e-mail messages to label them and provide an opt-out procedure.
Amidst the contentious 1987 battle over Robert Bork’s nomination to the Supreme Court, a newspaper published his video rental records. Congress acted quickly, passing the Video Privacy Protection Act (VPPA) of 1988. Because of this act, the scandalous 1991 Senate Supreme Court confirmation hearing of Clarence Thomas was spared from considering the nominee’s video rental records.
Efforts are now underway in the House to “revise” VPPA to meet the new marketing needs of Facebook and Netflix. The new legislation would enable a “video tape service provider may obtain a consumer’s informed, written consent on an ongoing basis and that consent may be obtained through the Internet.”
4. Children’s Privacy
In the wake of challenges to COPA, Congress passed in 2000 the Children’s Online Privacy Protection Act (COPPA) to prohibit the collection of children’s online personal information without parental consent.
Over the last decade, the Federal Trade Commission has brought numerous claims against a variety of companies and Web sites for violating the Act. Four cases are illustrative:
- Playdom, including some 20 social networking and virtual worlds sites like Pony Stars, 2 Moons, 9 Dragons, Age of Lore, and My DIva Doll – for collecting children’s names, ages and e-mail addresses and for allowing children to post personal information online without getting parents’ consent; Disney acquired the company and agreed to pay a $3 million settlement.
- Skid-e-kids, a social networking site that allows children ages 7-14 to create profiles, upload pictures and videos, and become friends and to send messages to other members – for collecting personal information from approximately 5,600 children without obtaining prior parental consent.
- Sony Music, relating to 196 of its online music sites — for collecting personal information from at least 30,000 children under 13 years of age; it agreed to pay a $1 million fine.
- W3 Innovations, relating to its Broken Thumbs App mobile games for children like Emily’s Girl World, Emily’s Dress Up, and Emily’s Runway High Fashion — for collecting user information without the consent of minors; settled a $50,000 fine.
This is one of the only fronts in which the federal government is moving aggressively to protect privacy.
5. Commercializing Private App Info
Growing concern over Unique Device Identifiers (UDID) was raised earlier this year in two separate suits against Apple for enabling applications on the iPhone and iPad to transmit personal information to advertisers without the user’s consent.
One suit claims that Apple lets advertisers track what apps users download, how long the programs are used and how often used. The other suit argues that app owners sell user information to ad networks, including users’ location, age, gender, income, ethnicity, sexual orientation and political views, without their consent. Among the co-defendants with Apple are Pandora, Paper Toss, the Weather Channel and Dictionary.com.
The FTC is also reported to be investigating whether mobile marketing firms violated computer fraud laws by collecting and/or transmitting user information without properly disclosing what they were doing.
6. Monitoring E-mail and Voice Communications
The original Electronic Communications Privacy Act (ECPA), enacted in 1986 and amended by the 1994 Communications Assistance to Law Enforcement Act (CALEA) and subsequently superseded by the Patriot Act, prohibited a third party from intercepting or disclosing communications without authorization. It also limited the protection of e-mail and other messages to 180 days.
When one subscribes to Google’s Gmail services, one enables Google to undertake “content extraction” monitoring of key words and concepts on all incoming and outgoing e-mails. Google, which controls an estimated 70 percent of online advertising, monitors e-mail in order to target the advertising to the user.
However, according to the Electronic Privacy Information Center (EPIC), Gmail violates the privacy rights of nonsubscribers. Google neither warns nonsubscribers of the monitoring, nor seeks their consent. EPIC warns that Gmail may violate Fourth Amendment legitimate expectation of privacy.
Google Voice service is also subject to similar content extraction monitoring.
7. Social Connectivity
In 2009 and 2010, consumer and privacy organizations raised concerns to the FTC about Facebook’s users privacy settings. These settings made a user’s personal information, such as Friend lists and application usage data, more widely available to the public and to Facebook’s business partners. In November, Facebook agreed to FTC terms to change its privacy settings without the affirmative consent of users. However, these changes do not meet the tougher recommendation of EPIC and other groups; for example, they do not restore users’ privacy settings to pre-2009 levels.
According to the Los Angeles Times, “the ads basically turned LinkedIn users into cheerleaders for businesses. They used individuals’ names and photos to promote products or services that the individuals had recommended or companies they followed.”
Faced with significant protest, LinkedIn revised its privacy configurations to give users more control of their personal information.
In May, President Obama extended the Patriot Act for four more years, renewing the federal government’s powers to search records and conduct roving wiretaps in pursuit of terrorists. “It’s an important tool for us to continue dealing with an ongoing terrorist threat,” Obama said.
Three aspects of the widening net of state security monitoring of Americans involve the use of drones, GPS tracking, “smart” drivers licenses and the increasing use of face recognition capabilities.
In December 2011, North Dakota law enforcement officials raided a remote farm seeking six missing cows. Using a military-like assault plan, local police got help from the state highway patrol, a regional SWAT team, a bomb squad, ambulances and deputy sheriffs from three other counties. They also employed a Predator B drone. The military-like campaign resulted in the arrests of Susan and Rodney Brossart and seven of their children. This is the first known arrest of U.S. citizens with help from a Predator drone.
Congress first authorized U.S. Customs and Border Protection (CBP), an arm of the Department of Homeland Security, to buy unarmed Predators in 2005 to provide “interior law enforcement support.” Both the FBI and the U.S. Drug Enforcement Administration have used Predators for domestic investigations.
The Federal Aviation Association restricts the use of drones in domestic air space. However, it plans to revise this policy, likely leading to a significant increase in drone surveillance in 2013 or 2014.
In November, the Supreme Court heard a case involving the police warrantless placing of a GPS tracking device on a suspect’s car. Many argued this act violated Fourth Amendment protections.
The U.S. and Canadian governments are inserting passive Radio Frequency ID chips into Compliant Enhanced Driver Licenses (EDL); they are standard in New York State. These licenses emit a random identifier whenever it comes into a reader device’s range, including Canadian and American border-security databases and displaying the owner’s personal information.
Senator John D. Rockefeller, D-West Virginia, has requested that the FTC assess how extensively facial recognition technology is being used. He is concerned that it violates personal privacy. The senator was alarmed by the use of the mobile app SceneTap which “tracks the male/female ratio and age mix of the crowd [in bars]” as well as by digital ads at the Venetian Resort in Las Vegas that are tailored to the person standing in front of the display. Both are based on recognition of that person’s age and gender.
Each individual inhabits many identities, whether as a social being (e.g., a citizen), part of a commercial exchange (e.g., a worker and consumer) or as a private self (e.g., alone and/or in a relation). The lines separating these aspects of identity are eroding.
In the digital age, the lines between the social, the commercial and the private continually blur. An ever-growing universe of people, corporations and government entities know the most intimate digital detail of each person’s life. Making matters worse, we live in a society that turns the most private aspect of personal life into a commodity, a profitable commercial product.
Personal privacy is an elusive notion, made especially so in the digital age. Privacy is not an enumerated right in the Constitution or the Bill of Rights, but rather an “implied” right extending from aspects of the First (the right of speech and assembly), Third (the prohibition of quartering soldiers), Fourth (the limit to search and seizure) and the Fifth (the prohibition against self-incrimination) Amendments.
Today’s legal climate is shaped by a confusing mess of legislation and court decisions. Among these are the Freedom of Information Act (1966), the Privacy Act (1974) and the Electronic Communications Privacy Act (1986), amended by the Communications Assistance to Law Enforcement Act (1994). The Patriot Act (2001), reauthorized in 2006 and 2011, supersedes these earlier legislations.
There are two fronts in the privacy battles: One covers personal information collected by the government; the other involves personal data collected by private information brokers that might be used by corporate marketers or law enforcement agencies. The separation between these two fronts is eroding.
According to a Washington Post study, nearly 4,000 federal, state and local organizations, “each with its own counterterrorism responsibilities and jurisdictions,” monitor Americans. Nearly a quarter of these entities was created since 9/11 or took up the counterterrorism campaign since then.
Americans surrender vast amounts of their individual data through everyday online interactions. Whether making a cell call, sending an email or tweet, networking via Facebook or making a credit card purchase at a retail store, a person’s privacy is compromised at every turn. Private data brokers, such as Acxiom, ChoicePoint and Seisint (LexisNexis), aggregate online information and merge it with “public source” data from government records, including courthouse and criminal records. These companies have their roots in direct marketing and credit verification, but they are now used extensively by law enforcement and homeland security.
In the era of the Patriot Act and the inability of traditional protections to safeguard information collected by commercial data brokers, more and more people, including legislators, are worried about the future of personal privacy. The growing number of FTC cases and legal suits involving the misuse of personal data exemplify the seriousness of the situation. In response, a number of efforts are underway to check the combined corporate and government digital colonization of people’s personal lives.
The ACLU has undertaken a large-scale effort, involving 35 affiliates in 32 states across the country, to determine from local law enforcement agencies when, why and how they are using cellphone GPS location data to track Americans.
A number of efforts have been underway in Congress to address the erosion of personal privacy. In 2010, it enacted the Restore Online Shoppers Confidence Act designed to protect consumers from “data passing.” Data passing involves consumers unknowingly authorizing a merchant to transfer the consumer’s payment information to another merchant for a separate online sale without otherwise requiring the consumer to reenter payment information.
In April 2011, and in an uncommon example of bi-partisanship, Senators John McCain (R-AZ) and John Kerry (D-MA) introduced the Commercial Privacy Bill of Rights Act designed to establish a framework to protect personal online information. It is intended to provide customers with security and accountability, with the right to know how third parties are using their information. Its passage is in doubt.
In June, and in another effort at bi-partisanship, Senators Ron Wyden (D-OR) and Mark Kirk (R-IL) drafted the Geolocation Privacy and Surveillance (GPS) Act. It would require government agencies to obtain a warrant before monitoring U.S. citizens.
One of the great paradoxes of the online experience is that the more online connectivity becomes social, becomes shared between select friends and global others, sometimes involving millions of people, the more people as individuals are robbed of their personal privacy. Obviously, technology enables this process, but it is corporate practice and lax regulation (and enforcement) that facilitate the commercialization that erodes personal privacy.