US Lawmakers Eye Apple, Alphabet Data Privacy Practices
By Richard Adhikari, E-COMMERCE TIMES
July 11, 2018
The United States House of Representatives Committee on Energy and Commerce has written Alphabet CEO Larry Page and Apple CEO Tim Cook demanding information on their companies’ practices with regard to third-party access, audio and location data collection.
Members want answers to the following questions:
- Whether Android phones and iPhones without SIM cards and with WiFi and Bluetooth turned off continue collecting, and locally storing, information about nearby cellular towers, nearby WiFi hotspots, or nearby Bluetooth beacons — and if they send that data to Apple or Google once they’re on a network;
- If mobile phones re-enable all apps after users disable location services for multiple apps, but then re-enable them for just one app, and if so how users are notified of the changes;
- Whether smartphones can listen to consumers without a clear, unambiguous audio trigger such as “Hey, Siri” or “Okay, Google” and, if so, how the data collected is stored and used;
- The level of access to data Google and Apple give to third parties, including app developers;
- Whether the companies can control or limit the data collected by third-party apps, and the limits they place on third-party app developers’ ability to collect information about users or from users’ devices; and
- What punitive action they will take against rule breakers.
The committee has requested the companies brief its staff on these topics.
“This is a huge issue,” said John Simpson, privacy and technology project director at Consumer Watchdog.
“People are becoming aware of how much data about them is being sucked up by their smartphones,” he told the E-Commerce Times.
The committee wants Google to provide copies of its policies for data collection on Android devices; for third-party collection and use of data transmitted over smartphone mikes; and a list of all data elements third-party apps can collect.
Android phones gather the addresses of nearby cellular towers even when they don’t have an SIM card, when they have location services turned off, and when no apps have been used, Quartz reported last year.
That data is sent back to Google when the phones are reconnected to WiFi or to a carrier’s network, according to the report. Even devices reset to factory default settings and apps have collected and transmitted cellular tower data.
Android devices did not offer users a way to opt out of that data collection, Quartz noted.
Google pledged to end the practice.
“Theoretically, a smartphone using an intelligent assistant app is listening all the time,” said Michael Jude, program manager at Stratecast/Frost & Sullivan.
“However, capturing everything the phone hears and making sense of it is problematic for a number of reasons,” he told the E-Commerce Times.
The principal reason is that would require too much bandwidth, which would be easily noticed.
On the other hand, location, browsing, and other app-specific information “is easy to collect and could be done without the user’s knowledge,” Jude noted, because they are low bandwidth and use telemetry that’s “constantly generated by simply carrying the phone around. Many apps tell you this as a condition of use.”
Google last year pledged to stop using or scanning consumer Gmail content for ad targeting.
However, applications from “hundreds” of third-party software developers could scan consumers’ Gmail in-boxes, The Wall Street Journal reported last week.
Google responded that it vets third-party applications to ensure they only request relevant data and accurately represent themselves.
The Possibly Poisoned Apple
The committee’s letter to Cook quoted him saying earlier this year that detailed profiles of people patched together from multiple sources should not exist, and contrasted that with App Store apps “that you have highlighted as contradictory to Apple’s values, including Google and Facebook apps.”
It also pointed to Apple’s announcement of App Store rule changes a few weeks ago to limit how much data third-party app developers can collect from Apple device users.
Possible Outcomes From the Probe
Business considerations may make it difficult to further tighten up privacy practices.
Online advertising is expected to grow by 70 percent between 2017 and 2021, Forrester Research predicted last fall.
Apple’s introduction of Intelligent Tracking Prevention last year drew fire from the advertising industry, with advertising agencies contending that it cost them millions of dollars in lost revenue.
Apple updated its Intelligent Tracking Prevention last month.
The Impact on Apple and Google
“Google sells information, so that makes them money,” remarked Rob Enderle, principal analyst at the Enderle Group.
“Apple generally doesn’t, but it may depend on their relationship with carriers, who increasingly are selling this information,” he told the E-Commerce Times.
Further restrictions on data use and capture “shouldn’t hurt Apple very much, but could do massive damage to Google’s revenue stream,” Enderle said.
The Role of Congress
“Congress should enact a privacy law that provides the same protections as the European Union’s General Data Protection Regulation (GDPR) that just went into effect,” suggested Consumer Watchdog’s Simpson.
“Google and Apple seem to be able to follow the law in Europe,” he pointed out. “We should insist they offer the same protections to Americans.”
Congress “has generally been too little and too late,” Enderle said. “Initially this was because Google had excessive influence on the Obama administration; more recently, it’s because government has been impressively dysfunctional.”
Congress should follow the EU’s example, he said, but “Apple will embrace this, and Google will give it lip service and find ways to dodge compliance.”
On the other hand, the impact of the GDPR so far has been negative, according to Frost’s Jude, who maintained that “anything of a regulatory nature will hurt revenues.”
Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology. Email Richard.