By Leila A. Amineddoleh
Earlier this year, bloggers published findings that some of Apple's most popular applications could access private address book data without user consent. An Apple spokesman stated that "Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines. We're working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release." (Perlroth, Nicole and Nick Bilton, "Mobile Apps Take Data Without Permission," Feb. 15, 2012, available at http://bits.blogs.nytimes.com/2012/02/15/google-and-mobile-apps-take-data-books-without-permission/) This statement elicited concern from two House Representatives, Democrats Henry Waxman and G.K. Butterfield. The legislators asked Apple to clarify its developer guidelines and security measures to protect users' information.
On February 16th, in response to the attention from the public and U.S. legislators, Apple stated that it will begin to require iPhone and iPad apps to obtain "explicit approval" in user prompts before accessing users' address book data. (Shih, Gerry, "Apple tweaks apps policy under lawmaker pressure," Feb. 15, 20120, available at http://www.reuters.com/article/2012/02/15/us-apple-privacy-idUSTRE81E1W520120215)
However, a test run by the New York Times questions the veracity of that assertion. To test security measures taken by Apple, the New York Times enlisted a developer to create a test app that requires permission to use a device's location and thus gain access to the phone's photos. The decoy app, PhotoSpy, asked for access to location data when it was opened. Once that information was provided, the app took photos and data location and sent it to a remote server. In essence, a third-party app could copy a user's private content, without gaining additional consent and without providing the user with further notification. A similar test was done with an Android developer, and the Android test app also gained access to users' photos.
In the case of Apple, if customers allow the application to access location data used for GPS-based applications, they also allow access to the users' photo and video files that can be uploaded to outside servers. For Android-based applications, the user only needs to allow the application to use Internet services as part of the app for third parties to gain access to photo albums.
David Jacobs, a fellow at the Electronic Privacy Information Center, criticized Apple for not protecting its customers' privacy. "Apple has a tremendous responsibility as the gatekeeper to the App Store and the apps people put on their phone to police the apps," he said. "It is pretty obvious that they aren't doing a good enough job of that." (Wolfe, Bryan M., "Another iOS Privacy Issue unfolding, This Time Concerning Your Photos," Feb. 28, 2012, available at http://appadvice.com/appnn/2012/02/another-ios-privacy-issue-unfolding-this-time-concerning-your-photos)
The Internet has been abuzz with these findings since the New York Times experiment was disclosed last week. On Sunday, U.S. Senator Chuck Schumer's office released a statement that called on the Federal Trade Commission (FTC) to launch an investigation into reports that Apple applications and Android platforms access users' personal photos and address books. Schumer stated: "When someone takes a private photo, on a private cell phone, it should remain just that: private." (Carew, Sinead, "Senator Schumer asks FTC to prove Apple, Android," March 4, 2012, available at http://www.newsdaily.com/stories/tre8230wz-us-apple-google-ftc/)
The Senator argued that the distribution of information to third parties reaches beyond a "reasonable" user's understanding of the scope of dissemination of information. Schumer opined that "smartphone makers should be required to put in place safety measures to ensure third party applications are not able to violate a user's personal privacy by stealing photographs or data that the user did not consciously decide to make public." (Id.)
The White House has also taken steps to protect privacy. Examination of the Obama Administration's Consumer Privacy Bill of Rights indicates the Administration's interest in protecting user privacy, by limiting not only the use of private information, but also the collection of it. The bill provides users with the right to "exercise control over what personal data companies collect from them and how they use it." (http://epic.org/privacy/consumer/Commercial_Privacy_Bill_of_Rights_Text.pdf)
The bill gives users the right to have their personal data held securely, control data collected and the way that it is shared, and avoid the dissemination of data used for another purpose. In addition, it calls for accountability and transparency by providing users with information as to the identity of companies misusing their personal data.
The Code will be enforced by the FTC, but Congress will also be developing legislation providing the FTC and State Attorneys General authority to enforce the Act. Privacy experts have asked whether federal regulation will hinder technological and communicative developments. However, the better question is whether legislation can keep up with the fast pace of technology innovation. Is it possible for the government to effectively regulate new means of communications that are being developed at breakneck speeds? Do enforcement authorities actually have the ability to police the vast exchange of information over the virtual marketplace? The Act leaves many questions unanswered; in particular, it does not provide a clear mechanism for policing service providers.
Access to the text of the Consumer Privacy Bill of Rights is available at: http://epic.org/privacy/consumer/Commercial_Privacy_Bill_of_Rights_Text.pdf