
iPhone flap is privacy wake-up call

By Justin Brookman, Special to CNN
  • Justin Brookman says flap over location-enabled iPhone flags larger problem
  • Apple says it'll make a fix, but what about everyone else handling such data, he asks
  • Brookman: Cell carriers, smartphone providers collect data; users have little control
  • Brookman says policymakers, companies must address lack of privacy protections

Editor's note: Justin Brookman is the director of the Center for Democracy and Technology's Project on Consumer Privacy. He is the former chief of the Internet Bureau for the New York attorney general's office.

(CNN) -- Over the past week, we have seen a tremendous uproar over Apple's storing of historical location information on user phones.

The press has excoriated the company, and to a lesser degree other smartphone makers who also generate geolocation information, and Congress has issued requests for information and called for a Federal Trade Commission investigation.

Apple made some mistakes in creating the location file, and in failing to give users notice and choice about the storing of their data, but by continuing to focus on the Apple file, we are losing sight of much larger, and more worrisome, problems.

The iPhone controversy should instead awaken us to its broader implications: Web and mobile communications that are "location enabled" can result in the transmission of location data not only to Apple (and to Google for Android users) but also to your cell phone service provider, to applications loaded on your phone, to websites you browse to and to other people.

In this complex environment, we simply do not have a comprehensive legal framework in place to address either commercial reuse and redistribution or governmental access to this data.

Apple's Jobs: 'We don't track anyone'

In Apple's case, it turns out that the iPhone was keeping a record of the cell towers and Wi-Fi access points your phone had previously detected to calculate your geolocation more quickly the next time you were in the same place.

This makes sense from an efficiency point of view -- since GPS is not always available and since GPS location takes time, your phone could use the stored file to speed up the location process. However, from a privacy point of view, it was creating a store of sensitive data that could be accessed by the government (possibly without a court order) or a jealous spouse.

Apple announced that it had never intended to store so much of your location history and that it would soon implement a set of fixes in the way the iPhone handles location data.

Three of the changes Apple will be making match suggestions my organization, the Center for Democracy and Technology, offered last week: Apple will dramatically shorten the time period covered by the location data stored on your phone to seven days; it will stop making backup copies of the file on your computer; and it will enable users to delete the file by turning off "Location Services" (presumably, a new file will begin to be created when you turn location back on). Apple will also encrypt the location file on the phone to make it harder for others to access.

All of these features could have -- and should have -- been built into the phone in the first place, which is why my organization has long recommended that Apple and other companies push down to the engineering level the philosophy and practice of "Privacy by Design." If engineers and product managers are trained to take privacy into account when designing new technologies, we won't have to go back and tack on corrective privacy protections after the fact.

Apple's changes now leave exposed the larger, more important question: What about everyone else handling location data? Your cell carrier and your smartphone provider collect and use location information -- that's an essential feature of those services.

But how long do they keep that data, and what else do they use it for? And what about the apps on your phone, and the ad networks they use, and anyone else with whom they can share your location (and other) information? What are their data retention and redistribution policies? What controls do these other entities offer to users? What happens when the government comes to them and asks for information about you?

The best way to address these cross-platform, cross-industry questions is through public policy. We need legislation that establishes fair information practices for commercial collection, disclosure and use of all consumer data -- but especially for sensitive data, such as geolocation information -- and we need the courts and Congress to update the rules for governmental access, to require a judicial warrant for tracking the location of cell phones and other mobile communications devices.

Policymakers and companies must take advantage of this flurry of attention to address the fundamental lack of privacy protections for U.S. consumers.

The opinions expressed in this commentary are solely those of Justin Brookman.