|
> > |
META TOPICPARENT | name="SecondPaper" |
Current Response to Unbeknown Cell and Internet Tracking
Despite the recent attention being paid to issues of customer tracking and surveillance, the proposed legislative responses and probability of a pending lawsuit success leave much to be desired. There are different options that may better address the egregious void of consumer protection that is not keeping up with technological innovation.
Recent Sources of Disclosure:
Senator Jay Rockefeller issued a statement emphasizing the need for increased consumer protection on the Internet. Rockefeller cited “disturbing” reports about Facebook’s ability to track non-members and members who have logged out of the site, stating that companies should not be tracking users without their consent. The statement followed a USA Today article regarding Facebook’s tracking practices that provides insight into how Facebook uses cookies and other technologies to track the browsing patterns of members and non-members, and suggests that the company has the ability to track members even after they log out of the Facebook website. Senator Rockefeller’s statement came shortly after media reports that Facebook and the Federal Trade Commission are close to reaching a settlement over charges that Facebook misled users about its use of their personal information. See Facebook Tracking Is Under Scrutiny, USA Today, 11/15/11.
Separately, Trevor Eckhart, a private security researcher, detected the Carrier IQ software while watching the packet traffic inside an enterprise network he manages. Eckhart then reviewed Carrier IQ’s privacy policy that states that its products, “work within the privacy policies of our end customers.” Eckhart found the privacy policy both “suspicious and alarming,” so he published his research on Carrier IQ and backed it up with copies of the Carrier IQ research manuals. Eckhart’s concerns were 1) whether the app tracked all data ever input and whether the data is logged or transmitted and 2) whether the data tracked can actually identify individual mobile users. Carrier IQ responded to Eckhart with a cease and desist letter and threatened to sue him for copyright infringement for his reference to their manuals. Carrier IQ apologized only after the Electronic Frontier Foundation informed them that Eckhart’s research is protected as free speech. See Carrier IQ Gets Scrooged for the Holidays, InformationWeek? , 12/3/11.
Reactions to Protect or Maintain Privacy:
Legislative Proposals
Senator Rockefeller introduced the “Do-Not-Track Online Act of 2011”. The Act instructs the Federal Trade Commission to promulgate regulations that would 1) create standards for the implementation of a “Do Not Track” mechanism that enable individuals to express a desire to not be tracked online and 2) prohibit online service providers from tracking individuals who express such a desire. The regulations would allow online service providers to track individuals who do not want to be tracked only if 1) the tracking is necessary to provide a service requested by the individual (and the individuals’ information is made anonymous or deleted after the service is provided), or 2) the individual is given clear notice about the tracking and affirmatively consents to the tracking.
In developing the standards for the Do Not Track mechanism, the Act requires the FTC to take several factors into consideration, including 1) the scope of the standards, 2) the technical feasibility and costs of implementing and complying with a Do Not Track mechanism, 3) existing Do Not Track mechanisms that have already been developed and 4) how a Do Not Track mechanism should be publicized. The Act gives the FTC the power to enforce the rules pertaining to a Do Not Track mechanism by treating violations as unfair and deceptive acts or practices, and authorizes state attorneys general to bring civil actions for violations of the Act. The Act sets forth civil penalties of up to $16,000 per day for violations, with a maximum total liability of $15,000,000.
Judicial Recourse
In response to Eckhart’s revelation, mobile phone customers sued AT&T, Sprint, Apply and T-Mobile as well as Carrier IQ claiming that the tracking software installed on their phones violates U.S. wiretapping and computer fraud laws and seeking compensatory and punitive damages. See Pacilli v. Carrier IQ, U.S. District Court, District of Delaware (Wilmington). Violations of federal wiretap laws prohibit willful interception of wire or electronic communication and can result in $100 of damages a day per violation; that number combined with the 150 million phones assumed to contain the software could result in damages totaling $150,000,000,000. In order to succeed on their claim, however, defendants will have to address the fact that Carrier IQ asserts the software is designed to help improve service performance and that the company doesn’t sell personal subscriber information to third parties.
Recommendations:
The Gramm-Leach-Bliley Act (GLB), 15 U.S.C. 6801 et seq., incidentally requires that companies develop and abide by privacy notices, but GLB could do much more in the way of structuring the content that is required by them. For instance, Trevor Eckhart was quoted as saying, “This data should be subject to some kind of clear privacy policy. Without that clarification, he argues, the software is simply a rookit: unwanted, hidden, hard to delete, but running with root level access.” Carrier IQ Gets Scrooged for the Holidays, InformationWeek? , 12/3/11. The current mandate issued by the GLB only requires that the company have a notice, and does not structure the format or content of the policies which can range from general blanket statements to unattainable promises that provide the user with little true understanding of the use to which their information will be put.
Eckhart also went on record stating that companies should, “Let all handset owners see a copy of everything you’ve collected about them and ensure that they know when the app is running on their phones… Give them the freedom to deactivate it.” Id. While the last suggestion is in direct contention with the Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 1202, it would still be possible to comply with his first request of making the information available to the consumer so they are more educated about the what is entailed in the browsing and communication choices they make. Further, the DMCA has been widely criticized as contravening public policy, impeding competition and innovation and interfering with computer intrusion laws.
Other legislative options include mandating that companies cannot require consent in order to use their website though this is likely politically infeasible. For companies that distribute their privacy notices online, it is quite common for them to require the customer to check a box to indicate their acceptance of the policy before they are allowed access to the site they desire to visit. See Money & the Law: Technology Raises New Privacy Concerns, The Gazette, 12/2/11. In most cases, this could be read as something close to a contract of adhesion, which is presented as a standard form on a take-it-or-leave it basis where one party does not have an ability to negotiate because of an unequal bargaining position.
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable.
To restrict access to your paper simply delete the "#" character on the next two lines:
Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list. |
|