Congress demands answers on iPhone location data

Usually, I’m disappointed by how out of touch lawmakers and regulators are with technology issues. But this week, I’ve been pleasantly surprised – twice. First, the thing about the FTC cleaning up Twitter and now this: congress issues targeted questions to Apple about what they’re up to with the recent changes to their privacy statement.

Personally, I can’t decide if this is good news or bad news.  I think it’s good news that someone is calling Apple on their BS-ery in giving user location data to whoever they want.  But I’m a little nervous about lawmakers implying that Apple is a “telecommunications carrier” for the purposes of the Telecommunications Act (47 U.S.C. § 222 : US Code – Section 222).  If Apple is, so is Google… so could other software providers be… MagicJack?  Skype?  Facebook?  Title 47 defines it as:

The term “telecommunications carrier” means any provider of telecommunications services, except that such term does not include aggregators of telecommunications services (as defined in section 226 of this title). A telecommunications carrier shall be treated as a common carrier under this chapter only to the extent that it is engaged in providing telecommunications services…

Is it a carrier?  ”…any provider of telecommunications services…”  Looks like it could be.  Of course I’m not a lawyer, so what do I know?

If you’re not familiar with the issue, the backstory is this:  Apple developed additional location-based services in the iPhone 4.  At the same time (not sure if it’s cause/effect or just happenstance), they decided change their privacy statement regarding collection of location data – meaning, collection of data about where you, the phone user, are throughout the day.  Basically, they’ve stated directly their intention to share location data about users with whomever they please for whatever purpose they please:

To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services.

Congress is concerned about (among other things) the sharing with the “partners and licensees”, how exactly that happens, and how Apple can consider itself to be compliant with section 222 of the communications act.  I hadn’t stopped to mull over whether Apple can be considered a “telecommunications carrier” myself (I had figured that would be AT&T in the iPhone scenario). But the letter does seem to imply that Apple is regulated under this law.  Uh oh.

I’m not a lawyer or anything, but it seems to me, humble layman that I am, that this law is pretty specific - location data is treated pretty specifically. 47 U.S.C. § 222(h)(1):

Customer proprietary network information - The term “customer proprietary network information” means - (A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship [emphasis mine]

Meaning, your location is considered in the group of data that’s customer proprietary.  47 U.S.C. § 222(c)(1):

“Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.”

So unless they’re authoring a phone book – or providing service – they’re not allowed to disclose “proprietary network information” unless they ask you first.  Should there be any ambiguity, they further emphasize this with respect to mobile communications; (f):

Authority to use wireless location information – For purposes of subsection (c)(1) of this section, without the express prior authorization of the customer, a customer shall not be considered to have approved the use or disclosure of or access to -
(1) call location information concerning the user of a commercial mobile service (as such term is defined in section 332(d) of this title), other than in accordance with subsection (d)(4) of this section;

If you’re wondering, (d)(4) allows only:

• (A) Informing care providers (e.g. emergency medical services) in the event of an emergency
• (B) Informing immediate family members or a legal guardian in an emergency
• (C) Providing to database management services for support during an emergency

So it’s pretty clear that any wireless provider would need, “express prior authorization” before they can give that location data to partners. Does clicking “I agree” to their legalese count as “express prior authorization”?  I don’t think so, and apparently neither do these lawmakers.

So please to enjoy the grilling, Apple.  I’m interested to see how they address this.  I’m wondering what action other folks might take if it’s decided that Apple is regulated under this law (I’m looking at you Google).  It means a lot of things you can’t do tomorrow that you’ve been used to doing yesterday.