The advent of mobile apps has led to new forms and combinations of
user- and device-related data that create systems beyond our control,
posing new risks to privacy and security through out-of-your-hands data
storage.
“The real danger is the gradual erosion of individual liberties through the
automation, integration, and interconnection of many small, separate
record-keeping systems, each of which alone may seem innocuous, even
benevolent, and wholly justifiable.”
U.S. Privacy Protection Study Commission, 1977
Can you believe the comment quoted above is almost forty years
old? Have we learned from the 1977 Commission report? Almost
all of us now carry handheld computers – our smart phones, tablets,
smart watches, fitbits – that entertain us, guide us, remind us, warn
us, and serve us. They also gather information about us from our
heart rates, purchases, and locations, to banking transactions,
information about our family and friends, text messages, email addresses
and our personal preferences. In short, these always-on,
always-ready and always-with-you devices pose privacy challenges that
were not likely even pondered in 1977.
It is safe to assume that anything you do on your mobile device, any
information you store on it, any app you utilize, is being snooped even
if you are taking precautions. Despite the amount we use and depend upon
our mobile devices, approximately 62% of smartphone users do not
password-protect their phone, and smartphone users are 33% more likely
to become victims of identity theft than non-users.
We must remember that our new “best friends” (or, as my friends refer to
the smart phones, “our precious”) are the “small, separate record-keeping
systems” contemplated in 1977, albeit multiplied by billions.
They store our electronic lives and, to varying degrees, share our lives
with the highest bidder.
What Data is Being Collected?
First, the providers of your cellular phone service (AT&T, Sprint,
Verizon, and T-Mobile) collect data. Although such providers are
not very forthcoming in explaining what data they collect, or the
reasons they collect it, at the very least these service providers
collect the following:
- Incoming and outgoing calls: the phone numbers you call, the numbers that call you, and the duration of those calls;
- Incoming and outgoing text messages: the phone numbers to which you send texts, and the numbers from which you receive them;
- How often you check your e-mail or access the Internet; and
- Your present location.
Second, in addition to the data collected by your smartphone service
provider, other electronic data “fishers” are collecting:
- Any photos or video you take on your phone;
- Details about the text messages and e-mails you send and receive, including the content;
- Who is calling you, who you are calling, and details about the phone call such as when it was placed and how long it lasted;
- The contacts you have stored in your phone;
- Passwords;
- Financial data;
- The information on your calendar; and
- Your location, age, and gender.
Who is Collecting the Data?
As mentioned above, the collectors of your data begin with the company
providing your cellular service. A second collector, of course, is your “search engine” of choice: Google, Safari, and so on.
But still other purveyors of your personal data are the folks behind
the innumerable “apps” of which we have become fond, whether we use a
navigation app to find our way to a new friend’s address or play Angry Birds™ to stave off boredom on a long trip.
Finally, the ability to collect data on where a person has gone and
what they have been doing is valuable information for law enforcement
officers. For example, if you are the subject of an investigation,
or even if you have just been pulled over, police may want to see what
you have been doing and where you are going – things your smartphone may
be able to reveal. Thus, the data provided by your smartphone may be
used against you in a court of law.
The Fourth Amendment to the Constitution protects you from unreasonable
searches and seizures by law enforcement. However, depending on
your jurisdiction, there are different requirements for when and how law
enforcement may access cell phone data without a warrant. In some
jurisdictions, police may search the contents of a cell phone if you are
pulled over in your car or arrested.
Law enforcement has also been known to tap into the locations of
smartphones, ask wireless providers to turn over days’ worth of location
data, and implant tracking devices. Also, law enforcement can request
all the data your smartphone provider has collected about you.
Advertisers Love Data – and Apps
Aside from law enforcement, the foregoing collectors are interested in
collecting your personal data so that they can package and sell it to
advertisers. Advertisers want to market to the people most likely
to buy their products. “Behavioral marketing” is the practice of
collecting and compiling a record of individuals' activities, interests,
preferences, and/or location over time. This data may be compiled,
analyzed, and combined with information from offline sources to create
even more detailed profiles.
Apps and other services provide this data to marketers who can then use
this information to transmit advertisements or other content to a phone
user based on his or her behavioral record. This behavioral
record includes not only your consumption choices, but your political
leanings, family background, friend data, aspirations, goals . . .
anything that you have texted, typed, researched, traveled to or
photographed.
The more information advertisers collect about you, the better they
know the types of products and services you purchase and those in which
you might be interested.
Advertisers pay app developers to get access to you. In fact,
advertisers even supply code to the app developers to build into the
app. The code not only makes an ad appear when you use the app, but also
collects data from your phone and transmits it back to the advertiser.
It is also possible that the app itself collects data that is shared
with ad networks. The data collected and shared builds a detailed
profile about you and is re-packaged and sold to the highest bidder.
The privacy concern here is that information could be shared with third
parties and compiled with other data to create a detailed profile about
you without your knowledge or consent. It is no small concern
given the fact that there are more than a billion apps available for
your smartphone!
Anyone can create an app. Apps collect all sorts of data and transmit
it to the app-maker and/or third-party advertisers. An app as seemingly
harmless as a flashlight, game or radio might collect such information
as your device ID, your contacts and/or your location.
For example, in December 2010, the Wall Street Journal investigated 101 apps
to see what data the apps were sharing with advertisers. It found that
56 apps shared the phone’s unique ID number, 47 transmitted the phone’s
location and 5 shared the user’s age and gender and other personal
details (like phone number or contacts list). That study was six years
ago. During the 2012 presidential campaign, apps created by both major
candidates to promote their election campaigns gathered (or sought
permission to gather) large amounts of personal information including
GPS location data.
Privacy and Other Laws
Federal privacy laws have not kept up with the pace of technology, and
courts are unclear on how easy it should be for law
enforcement to gain access to your smartphone and its data.
The Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§ 2510-3127):
Enacted in 1986, ECPA includes the Wiretap Act,
Stored Communications Act, and the Pen Register Act. It can apply to
both law enforcement agencies and companies. ECPA makes it unlawful
under certain circumstances for someone to read or disclose the contents
of an electronic communication. However, there are exceptions to ECPA,
and the definition of what constitutes an electronic communication is
unclear given the extensive advances in technology since its enactment
30 years ago.
Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. §§ 6501-08):
COPPA, enacted in 1998, protects the privacy of
children under the age of 13 by prohibiting the online collection of a
child’s personal information without providing notice and obtaining
parental consent. COPPA also prohibits requiring that a child
disclose more information than is reasonably necessary to participate in
an activity online. If your child has a smartphone or uses yours
to go online or install and use apps, you may want to learn more about COPPA.
Mobile Device Privacy Tips:
Before clicking “download” on an app, you should be asking the following
questions: Who makes it, what data does the app collect, how is your
data being stored, and to whom or what is your data being sent?
You may be able to find the answers in the app’s privacy policy. The Mobile Marketing Association
offers resources for mobile app developers interested in creating a
privacy policy. Despite their efforts, mobile app privacy is far from
standardized and is a developing area in both the policy and legal
realms. Research any app before you download it. Read what has
been said about the app and who created it. Look up the app’s privacy
ratings on Clueful.
Other privacy-related measures you can take include the following:
- Password protect your devices. For tips on creating an effective password see PRC’s “10 Rules for Creating a Hacker-Resistant Password.”
- Do not allow your smartphone to automatically remember login passwords for access to email, VPN, and other accounts.
- Use your phone’s security lockout feature. Set the phone to automatically lock after a certain amount of time not in use.
- Depending on the settings, your smartphone may be using its built-in GPS capability to embed your exact location into the file of photos you take using the smartphone’s camera. The process of embedding location information into photos is called geotagging. If you share your photos and they end up on the Internet, criminals can use the geotag to track your movements or find out where you live. Note that Facebook automatically strips out geotags, so any photos posted to Facebook do not have your location embedded in the file.
- Disable photo geotagging on your phone. See instructions at Network World.
- Also install security software that allows you to remotely lock your phone and wipe the data. Never leave your phone unattended.
This article cannot possibly identify the myriad ways your privacy is
being electronically invaded. We live in an age where your most personal
information is a keystroke away. Each of us must become more
cognizant of how our digital history is being collected, shared and
shaped. The laws above are still behind the curve for individual
privacy protection. Until we become more adept at keeping the
snoops out of our lives we each must find our own balance of privacy vs.
functionality.
-------
iii. Data retention policies vary among service providers, and certain
records are kept longer than others. For instance, as of September
2011, Verizon, T-Mobile, AT&T and Sprint all differ when it comes
to how long they store any combination of cell tower history records,
text message detail, text message content, IP session information, IP
destination information, and bill copies.
v. http://www.networkworld.com/article/2190651/wireless/obama-and-romney-election-apps-suck-up-personal-data--research-finds.html