Wednesday's joint House of Representatives hearing on "The Collection and Use of Location Information for Commercial Purposes" produced one clear result: Congress has woken up to the fact that technology, particularly location-based services, has outpaced online privacy law.
"Location-based applications and services are springing up each day like wildfire," said Rep. Bobby Rush (D-Ill.), chair of the Subcommittee on Commerce, Trade and Consumer Protection, after the joint hearing with the Subcommittee on Communications, Technology and the Internet. "Yesterday, there was Facebook, and in the not-too-distance future we will be encountering something more akin to a 'Placebook.'"
More data privacy resources
GPS devices, geolocation data create privacy, security risks
Should geolocation data be included in an online privacy law, enterprise security officers could need to treat such data as personally identifiable information and protect it accordingly. Communications, Technology and the Internet subcommittee chair Rep. Rick Boucher (D-Va.) said that he expects geolocation and consumer privacy to be a part of a larger privacy bill that he's working on. That declaration came after a morning of testimony in which privacy advocates, researchers and industry representatives testified to the explosion in location-based services and associated geolocation data.
Rep. Doris Matsui (D-Calif.) observed that according to one estimate, use of location-based services is expected to reach 80 million users in the United States. "In today's economy, information is everything to everyone," she said, adding that while such services provided through mobile devices are an inherent part of that, "privacy policies and disclosures should be clear and transparent. The scope of information collected should be clear, including what it is used for and how long it is retained."
Michael Altschul, senior vice president and general counsel at CTIA, the Wireless Association, testified that, "technology has now overtaken our static assumptions. The move towards open platforms like iPhone and Google Android, adoption of smartphones with their own GPS capabilities and usage of GPS devices have combined to make a carrier-based approach to location-based services no longer sufficient for current guidelines."
A tension between protecting consumers and preserving innovation in this sector was clear. Rep. Ed Whitfield (R-Ky.) cited the utility of global positioning systems for navigation or the use of geolocation data by emergency services to find people in distress. "The rapid progression of technology is both awe inspiring and bewildering," said Rep. Kathy Castor (D-Fla.). "We need to protect consumer privacy. The law has not kept pace with this increased need."
Bridging the "regulatory gap"
With respect to that lag, Rep. Cliff Stearns (D-Fla.) pointed out that a key provision of the Communications Act of 1934 states that wireless carriers are generally prohibited from using location-based information. Application providers are not so governed. Given the explosion of mobile applications that use geolocation data, this has created a lack of regulatory oversight. That "regulatory gap" is particularly acute because of the growth of technologies that can locate a consumer without the use of a telecommunication carrier's technology.
"Increasingly, location-based services do not touch a wireless carrier," testified Altschul, "regardless of whether an application runs with the carrier's knowledge or not." For instance, John Morris, general counsel for the Center for Democracy & Technology and director of its Internet Standards, Technology and Policy Project, said that geolocation data can be collected through Wi-Fi networks by Skyhook Wireless without the carrier or consumer's knowledge and consent.
"Research suggests consumers are concerned, but most services don't tell them how or where they'll be used," said Lorrie Cranor, associate professor of computer science at Carnegie Mellon University. "Better controls are needed. As the website PleaseRobMe.com reveals, users may not think through the consequences of making their location data public."
Yesterday, there was Facebook, and in the not-too-distant future we will be encountering something more akin to a 'Placebook.'
Rep. Bobby Rush,
Buzz, a new social network based on Google's Gmail system, was mentioned in the testimony of Anne Collier, co-director of ConnectSafely.org. Collier referenced Altimeter Group founder Charlene Li's post on Google Buzz, online privacy and kids, observing that "it's time to update privacy law, but it needs to coordinate with COPPA [the Children's Online Privacy Protection Act]. The law shouldn't just refer to a single technology."
Who should regulate location-based technology? Morris testified that "jurisdiction of privacy should rest with the FTC. Our position is that the Internet in general should not have an agency with broad jurisdiction." He cited Section 230 of the Telecommunications Act of 1996, which set a policy of allowing the Internet to grow without regulation.
"The writing is on the wall that there will be baseline privacy legislation introduced," said Morris after the hearing. "It will require location be treated as sensitive data, like medical data. You'll need to do more than just post a disclosure statement."
Morris recommended that security and compliance officers practice data minimization to manage risks posed by breaches of consumer's location data. "Business models should be built to only gather what they need," he said. "If there's no reason for that information to be retained and tracked, don't do it."