Apple and Google get grilled on privacy

@CNNMoneyTech May 10, 2011: 5:14 PM ET
Apple, Google, location, smartphones, tablets, privacy, Al Franken

Minnesota Senator Al Franken is chair of a Senate subcommittee on privacy that is looking into why Apple and Google devices track and store users' location data.

NEW YORK (CNNMoney) -- Google and Apple were grilled on Capitol Hill Tuesday over their so-called "Locationgate" problems.

Executives from both companies appeared Tuesday at a packed hearing called by the Senate Judiciary Subcommittee on Privacy, Technology, and the Law. This comes a few weeks after it was revealed that smartphones and tablets from Apple and Google can track users' location information and store that data.

The privacy brouhaha kicked off last month after two British researchers released an open source application that let Apple's (AAPL, Fortune 500) customers see the location data stored on their iPhones and 3G iPads.

Alan Davidson, Google's (GOOG, Fortune 500) director of public policy, and Guy L. "Bud" Tribble, an Apple vice president, testified at the hearing.

In his opening remarks, Sen. Al Franken, D-Minn., who chairs the new subcommittee, Franken noted that privacy concerns have multiplied as the world becomes increasingly digital.

"To me this subcommittee is about addressing a fundamental shift," Franken said. "I love that I can use Google maps -- for free, no less. I love that I can look up the [local] weather on my iPad. But we need a balance."

Franken cited a Wall Street Journal investigation of 101 apps, in which the paper found that 47 of those apps transmitted their users information -- some of them without users' consent.

Apple under fire: Tribble, the Apple executive, opened his statement with an explanation about which location data is accessed and why the company needs it.

The information tracked is not the user's specific location, Tribble said, but rather the locations of the Wi-Fi network routers and cell towers around the device.

That data is used to locate users if GPS is unavailable, and to more quickly locate a GPS signal when one is around -- information that's crucial for maps and many other smartphone apps.

Franken later seemed exhausted by the explanation, asking: "Mr. Tribble, does this show your location or doesn't it?"

Tribble said Apple's databases "don't have any customer names at all" but conceded that the data "could be considered some kind of location."

Franken responded dryly: "I find that confusing."

Franken then redirected the question to Ashkan Soltani, a D.C.-based independent researcher.

"It's the location of your device, and where you're using it, usually accurate to about 100 feet," Soltani said. "I would consider that my location."

Tribble pointed out that "Apple absolutely gives users clear options" to shut off location tracking options, and the company does not let any third-party apps receive that data without explicit user consent.

He also noted that Apple has promised a software update to fix a "bug" that retained data for more than a year instead of the intended few days, and the next version of iOS will encrypt users' location data.

Google's 'complicated' question: Tough questions were also lobbed at Google's Davidson.

In his statement, Davidson reiterated that Android devices collect location data, but only with users' consent. Any location data that is sent back to Google location servers is not tied or traceable to a specific user, he said.

"Is what you did illegal?" asked privacy subcommittee member Sen. Richard Blumenthal, D-Conn., referring to complaints about Android app security.

"This was a mistake that we did not intend," Davidson said. "Our position is that it was not illegal, but it was not our intent either."

Blumenthal pressed on: "If it was not illegal, do you think it should be?"

Davidson was visibly shaken by the question. He replied: "I think this raises a really complicated question. It's an important question, but we have to be careful about it."

Don't blame us, blame the apps: Both Davidson and Tribble highlighted the difficulty of controlling which data third-party apps harvest.

"We don't go after trucking companies because they happen to handle damaged goods," Tribble complained. "We go after the manufacturers."

"We do go after trucking companies if they knew what they were carrying," shot back Sen. Sheldon Whitehouse, D-R.I. "I don't think that's a comfortable analogy for you to rely on."

Suggestions for privacy regulation: Jason Weinstein, deputy assistant attorney general at the Department of Justice, said the proliferation of handheld devices is a breeding ground for data theft.

"The line between mobile devices and computers is shrinking every day," Weinstein said, noting that this makes it easier for malicious users to create a network of infected computers.

Even as technology evolves, though, today's security threats are "new variations on old problems," Weinstein said. "Before it was email, now it's an android app. It's an old school crime with a new spin."

Weinstein pointed out "there is no comprehensive federal regulation that enforces data breach disclosure," using as an example the theft of millions of email addresses from marketing firm Epsilon earlier this year.

Jessica Rich, deputy director of the Bureau of Consumer Protection at the Federal Trade Commission, said the FTC believes "consumers have no idea about the layers of sharing [data] that goes on behind the scenes."

Rich suggested prohibiting apps from collecting location information "if it's not necessary to the business model," as well as "streamlined" terms of service "that don't take 100 clicks to get through." To top of page

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer. Morningstar: © 2018 Morningstar, Inc. All Rights Reserved. Factset: FactSet Research Systems Inc. 2018. All rights reserved. Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor's Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2018 and/or its affiliates.