Back in 1984, the prospect that most adults might some day carry small devices that not only perform location tracking but also keep track of phone calls and social interactions would have seemed … Orwellian. Yet, slightly more than a quarter of a century later, many of us choose to carry smartphones or tablets that collect that information and often much more.
It is helpful to keep this in mind when considering the latest dust-up involving privacy and mobile devices, this time involving a company called Carrier IQ. To recap: In November, 2011, a security researcher named Trevor Eckhart posted an analysis and then a YouTube video appearing to show that Carrier IQ’s software, which is installed on tens of millions of smartphones in the United States, logs mobile phone keystrokes and text messages. This led to a rapidly cascading series of events that has included a dubious cease-and-desist letter from Carrier IQ to Mr. Eckhart, an apology from Carrier IQ after the Electronic Frontier Foundation interceded on Mr. Eckhart’s behalf, letters from several members of Congress, multiple class-action lawsuits against Carrier IQ and its corporate customers, including Samsung and HTC, and a reported U.S. government probe.
The most serious charges against Carrier IQ stem from the possibility that data was collected without user consent – in other words, that the people on whose phones Carrier IQ is installed weren’t given the choice to “opt in.” If Carrier IQ indeed has been acquiring and using data inappropriately, it should be held accountable.
But it is also important not to let the Carrier IQ scandal divert attention from a trend in mobile privacy that may be far more important in the long run: Opting in to the monitoring and tracking technologies used in today’s sophisticated mobile “apps” increasingly means opting out of privacy. In fact, you would probably be shocked to know how much information about your life has been collected and distributed with your consent, and is now in the hands of hundreds of companies providing social-networking services, games and advertising for mobile devices.
How did this happen?
A good place to start is with the privacy policies that you accept by clicking “I agree” when downloading new mobile apps. Contrary to what might be expected, these policies are rarely written with protecting your privacy as the primary goal. Instead, they are designed, in part, to enable companies in what the industry calls the “mobile marketing value chain” to extract as much information about you as possible in order to deliver targeted marketing and advertising.
Various linguistic sleights of hand are employed to achieve this goal. For example, knowing that consumers are justifiably uncomfortable with the collection of personal information, many privacy policies deem the “unique device identifier” – which is akin to a mobile social insurance number tied to your specific mobile phone or tablet – to be non-personal. The usage patterns and location of your device are also typically categorized as non-personal, even though today’s tracking technologies can often pinpoint devices to a specific home or commercial building.
In addition, privacy policies often specify that this data can be shared with third parties, who in turn combine it with information about your device usage obtained from other companies to build a more complete profile of your overall behaviour. Information about where you sleep, where you work, when and how you use social networking, gaming applications and other wireless services is logged, aggregated, analyzed and resold, all while technically avoiding privacy’s third rail of “personal information.”
Legal gymnastics aside, it’s hard to make a straight-faced argument that this information is not personal. App providers know this information is personal. Their advertising partners understand this as well. In late 2010, a representative of the Mobile Marketing Association, which has more than 700 member companies, told the Wall Street Journal, “In the world of mobile, there is no anonymity.”
That may be technically true, and there are certainly situations – for example, in connection with law enforcement investigations – where the ability to track the behaviour of an individual wireless user can be critically important. But that doesn’t mean that all of the advertisers, marketers and other participants in the mobile ecosystem deserve complete access to every scrap of data about our wireless activities.
Clearly, they don’t. But unless we are as demanding about mobile privacy as we are about mobile convenience, opting in to mobile products is going to increasingly mean opting out of privacy.
John Villasenor is a professor of electrical engineering at UCLA and a non-resident senior fellow at the Brookings Institution. He is a key speaker at Beware of Surveillance by Design, a symposium on freedom and privacy taking place in Toronto on Friday, Jan. 27.