Original URL: http://www.theregister.co.uk/2011/05/11/us_senate_hearing/

Apple and Google wriggle on US Senate hot seat

Hearing on privacy, patents, iPhones, drunks

By Rik Myslewski

Posted in Security, 11th May 2011 01:52 GMT

When questioned by US senators at a hearing on digital privacy, Apple and Google execs spent most of their time successfully bobbing and weaving, but were thrown off-balance when asked about location-grabbing patents and drunk-driving apps.

Tuesday morning's hearing – "Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy" – was called by Senator Al Franken (D-MN) to get input from industry and industry watchdogs as to the state of digital privacy, and to begin discussions about possible government regulations.

"When I was growing up," Franken said in his opening statement, "and people talked about protecting their privacy, they talked about protecting it from the government. They talked about unreasonable searches and seizures, about keeping the government out of our families, out of our bedrooms. They talked about 'Is the government trying to keep tabs on the books I read and the rallies I attend?'"

A fresh look needs to be taken at digital privacy, Franken suggested, because although there are clear laws on the books intended to keep the government from overreaching, things are far more murky in the corporate sphere, where "large corporations that are obtaining and storing increasingly large amounts of our information."

"The Fourth Amendment doesn't apply to corporations," Franken said of the differences between government and corporate powers, "and the Freedom of Information Act doesn't apply to Silicon Valley."

In a slap at Apple's recent iPhone-tracking imbroglio, Franken provided an example of what he characterized as a lack of transparency in corporate information gathering. "If it came out that the [department of motor vehicles] was creating a detailed file on every single trip you'd taken in the past year, do you think they could go one whole week with out answering a single question from a reporter?"

The problem, Franken said, is that the legal framework surrounding digital privacy is both weak and murky, without clearly defined regulations on the collecting, share, and selling of users' personal information.

Apple VP of software technology Bud Tribble, when questioned about Cupertino's attitude toward privacy, insisted that Apple was on the side of the angels. "First, Apple is deeply committed to protecting the privacy of all of our customers. We've adopted a single, comprehensive privacy policy for all of our products," he said.

"We do not share personally identifiable information with third parties for their marketing purposes without our customers' explicit consent," he continued, "and we require all third-party application developers to agree to specific restrictions protecting our customers' privacy."

Carefully choosing his words, Tribble added: "Second, Apple does not track users' locations. Apple has never done so and has no plans to ever do so."

Exactly what is meant by "track user locations," however, is the hard nut. The company's April 27 "Apple Q&A on Location Data" noted: "The iPhone is not logging your location. Rather, it's maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone..."

As pointed out by one witness at today's hearing, however, that "one hundred miles" statement might be a bit disingenuous. When asked his opinion of Apple's statement that the company doesn't track individual users, Ashkan Soltani, identified as an "Independent Researcher and Consultant" and who has researched web privacy for The Wall Streeet Journal, said: "In many cases, the location that this data refers to is actually the location of your device or somewhere near it. While it's true that in some rural areas this can be up to a hundred miles away, in practice – for the average customer, the average consumer – it's actually much closer, in the order of about a hundred feet, according to a developer of this technology, Skyhook."

Google director of public policy Alan Davidson also answered questions on location information. "We use information where we can provide value to our users and we apply the principles of transparency, control and security," he told the assembled senators. "We are particularly sensitive when it comes to location information."

According to Davidson, "We believe that this approach is essential for location services: highly transparent information for users about what is being collected, opt-in choice before location information is collected, and high security standards to anonymize and protect information. Our hope is that this becomes the standard for the broader industry."

Senator Richard Blumenthal (D-CT), however, wasn't easily mollified. In the time-honored senatorial tradition of using props during a hearing, he waved a copy of a 2008 Google patent application, "Wireless network-based location approximation", when grilling Davidson about the Street View Wi-Fi slurp uncovered last year.

'I have here in my hand...'

After Davidson told him that the cock-up was unintentional and that the company was "working with regulators around the world to figure out what to do with [the collected data] and in many cases we've destroyed it," Blumenthal asked: "Why would the company then submit a patent application for the process – that very process that it denies having used?"

Davidson, to put it kindly, wriggled. "I'm sorry I can't speak to the specifics of this very patent. We were not aware that this was a topic for today's hearing. But I will say that generally we submit patent applications for many, many different things. Often they are fairly speculative. We probably do – I don't know – hundreds of patent applications a year. Certainly scores. And it would not be surprising at all that in this area that is so important, we would be looking for innovative ways to provide location based services."

Davidson then got back to his original Street View theme. "As we have said publicly, it was a mistake, and we certainly never attempted to collect payload information."

Both Davidson and Tribble also received a bit of a surprise when Senator Charles Schumer (D-NY) began his questioning by saying: "I want to ask about a slightly different aspect of balancing technology with public safety, and that is the smartphone applications that enable drunk driving."

Schumer went on to describe applications such as Fuzz Alert Pro, Checkpointer, and Tipsy which are designed, as he put it, to "endanger public safety by allowing drunk drivers to avoid police checkpoints."

Schumer reminded Davidson and Tribble that he and three other senators had written to Apple, Google, and RIM, asking them to take down such apps. RIM complied, but Schumer said: "I was disappointed that Google and Apple haven't done the same, and I'd like to ask you how you can justify to sell apps that put the public at serious risk."

Davidson's response was that "we do try to maintain openness of applications" in the Android Marketplace, and that "applications that share information about sobriety checkpoints are not a violation of our content policy."

Schumer followed up by asking: "Would you allow an app that provided specific directions on how to cook methamphetamines?" Davidson responded by saying any evaluation would be "fairly fact-specific", but that "any applications that are unlawful or that [are] directly related to unlawful activity, I think we do take those down."

Having said that, however, Davidson said that Google would reevaluate its Marketplace policy to determine whether checkpoint-avoidance apps could be taken down.

Tribble personalized his answer to Schumer's direct questioning as to why Apple hasn't taken down checkpoint-avoidance apps. "As a physician who's worked in an emergency room I've seen firsthand the tragedy that can come about due to drunk driving," he said.

He then told Schumer that Apple is "carefully examining" the apps in question, and has discovered that some of them are "publishing data on when and where the checkpoints are that are published by the police departments," an argument that Schumer called "a weak reed."

Tribble said that it's sometimes difficult to determine an app's intent, but that if an app's intent is "to encourage people to break the law, then our policy is to pull them off the store."

Schumer asked Davidson and Tribble to get back to him in a month with a progress report on the status of checkpoint-avoidance apps, and in a later statement on his website said that the two companies had agreed to do so.

As he wrapped up the hearing – long after Schumer's exchange with Davidson and Tribble, and after more testimony, conversation, evasion, and grandstanding about digital privacy and related matters – Franken summed up by saying: "As I said at the beginning of this meeting, I think that people have the right to know who is getting their information and a right to decide how that information is shared and used."

However, he added, "After hearing today's testimony, I still have serious doubts if those rights are being respected in law or in practice."

And with the bang of a gavel Franken ended what was just the latest round in the eternal American back-and-forth between voluntary corporate compliance and government-enforced consumer-protection regulations, and between a business' legitimate desire for valuable information about their customers and an individual's arguably constitutional right to personal privacy. ®