TC 291- Mobile Privacy & Sensing Technologies
Jordyn Castor, Joseph Lajavic, Jeremy Rook, Andrew Skandalaris
Technological progress has steadily incorporated high-tech devices into the daily life of the average user. With over 300 million active cell phone subscriptions in the United States, mobile phones have become an integral part of the modern lifestyle (CTIA, 2012). The hardware and software of these phones increasingly integrate new technologies for collecting new types of data. These ‘sensing’ technologies observe the environment of the phone and its user by recording it as various forms of data, such as sound, images, and location. With hundreds of millions of people carrying such a powerful device in their pockets, privacy implications arise from the ways in which personal information is collected by sensing technologies, how this data is used, who it is shared with, and how poorly mobile phone users are informed about any of this. By examining the hardware specifications of Android and Apple phones, participatory sensing and Carrier IQ as case studies, the inadequate privacy policies regarding sensing technology, and average users’ knowledge of the issue, we will demonstrate the major privacy implications that arise from sensing technologies in mobile phones. We will also propose a solution to this privacy issue: stronger privacy policies that outline the responsibilities of the various stakeholders and foster user awareness, so that users can make more informed decisions about sharing their personal data.
The privacy issue is the overwhelming presence of sensing technologies in off-the-shelf mobile phones and the lack of policies that adequately protect the personal information being collected. The built-in hardware and software of today’s mobile phones allow a wide variety of information to be collected about the user. The data collected by sensing apps is diverse and can include time, location, audio recordings, visual data (pictures and video), and environmental data such as barometric pressure. The threat posed by smartphone data alone cannot be avoided, because users are not given the ability to prevent the data from being gathered in the first place. Even when applications ask for permission to collect sensing data, users are not typically told what specific data will be collected, how it will be used, or who may receive it. This opens the door to collection of data for malicious purposes, and it bears directly on the access to, control over, and disclosure of the personal data that is collected and aggregated.
The stakeholders in this privacy issue are the end users, cell providers, app developers, data aggregators, and the OEMs. The end user produces the data collected by sensing applications simply by using his or her mobile phone, yet may have no idea what data is being produced. Cell providers use the data collected from tower pings to track cell traffic, data consumption, the location of the phone, and activity on the phone. App developers want to gather this personal data for the benefit of the company or individual; they can use data about a person’s location, or about when that person is “active” and when asleep, for legitimate and illegitimate reasons alike. Data aggregators want this data to build a better profile of the end user; many of them sell information used to create more personalized advertisements, with the intention of increasing click-through rates. OEMs study how end users use their product in order to improve the next one. Because the features of a mobile phone are determined by the hardware and software specifications designed by the OEM, OEMs inherit the responsibility of deciding ethically what sensing data is necessary for optimal use.
Hardware specifications: Android & Apple
Even though sensing technologies are present in all smartphones, the layman does not really see or understand the pervasiveness and power of these features. One person interviewed, a 21-year-old male, was asked whether he knew of any piece of technology inside his smartphone that could be used to track his behavior, location, or personal information. After admitting he had no clue what was inside his iPhone, the subject began rattling off things he knew for a fact were in his phone: battery, antenna (for cellular service), Bluetooth, and GPS. This “average Joe” is a typical smartphone user. While he knows the basics of what a cell phone needs to operate, he does not understand what else could be inside his phone. Sensing technologies are not limited to the well-known GPS and cellular network/Wi-Fi antennae. Both Android and Apple include many other technologies in their phones that can detect location, temperature, movement, ambient sound, ambient light, keystrokes, and more. Through these sensors data is produced, and by the sheer nature of the device it cannot be prevented from being produced.
For every version of its Android operating system (OS), Google publishes device requirements (the Android Compatibility Definition Document). Any device that wishes to run that version of Android must meet or exceed everything on the list. The list is comprehensive, covering Application Programming Interface (API) compatibility, user interface compatibility, multimedia playback, hardware specifications, connectivity requirements, and performance. Among the myriad requirements and recommendations is a section devoted solely to the sensors that must, should, may, or should not be included on a device. Google is rather specific in each of these categories, sometimes giving precise metrics by which a sensor is to be measured. Although many sensors are not required, all are at least suggested or strongly recommended, and all must follow four cardinal rules:
“For example, device implementations:
· MUST accurately report the presence or absence of sensors per the android.content.pm.PackageManager class. [Resources, 37]
· MUST return an accurate list of supported sensors via the SensorManager.getSensorList() and similar methods
· MUST behave reasonably for all other sensor APIs (for example, by returning true or false as appropriate when applications attempt to register listeners, not calling sensor listeners when the corresponding sensors are not present; etc.)
· MUST report all sensor measurements using the relevant International System of Units (i.e. metric) values for each sensor type as defined in the Android SDK documentation [Resources, 41]” (Google, 2012)
The first listed sensor is the accelerometer, which Google states should be in every device. Accelerometers measure acceleration (Analog Devices, 2008). The stated purpose of the accelerometer is to sense the orientation of the device: it determines whether you are holding the phone in “landscape” or “portrait” style and relays that data so that the screen displays the proper way. Google’s specification also sets a minimum sampling rate (tens of samples per second) and a minimum accuracy for the accelerometer, and limits how often and how far readings may deviate from that accuracy (Google, 2012). However, an accelerometer also measures linear acceleration, from which speed and direction of movement can be estimated by integrating over time (with error that accumulates the longer no external fix corrects it). An accelerometer in a smartphone therefore reveals not just orientation but how the device, and its owner, are moving.
The next listed sensor is the magnetometer, which Google also states should be in every device. Magnetometers measure Earth’s magnetic field. Coupled with the accelerometer, this can be used to work out how the device is being held with respect to the space around it: the accelerometer reports which way is down (the direction of gravity), and the magnetometer reports which way is magnetic north, so together they fix the device’s heading. Ultimately this serves as a compass, providing three-dimensional orientation data derived from the magnetic field (Sensor Platforms, 2011). No location data is generated here; however, direction of movement coupled with location data could reveal many personal things, such as daily habits.
Coupled with the previous two sensors, GPS (also strongly recommended for every device) can provide very granular information about location and direction. The Global Positioning System is a network of satellites that anyone may use for navigation and positioning. In a phone, GPS has many uses: vehicle navigation, crowd-sourced “check-ins”, and emergency response, among others. GPS can usually be turned off, which means that, unlike many of the other sensors mentioned here, GPS is less of a threat with regard to unknown dissemination of personal information. That does not mean it cannot happen: an application that has been granted access to GPS data can monitor both when GPS is used and the locations you visit.
Gyroscopes are used in tandem with an accelerometer to determine the device’s orientation in three-dimensional space. Google states that a gyroscope should be included in an Android device. Gyroscopes detect the twisting and turning of a phone; paired with an accelerometer, they provide an accurate picture of how the phone is rotating. Gyroscopes must relay data at least 100 times every second, must be able to measure rotation rates of around 1,000 degrees per second, and every reading must carry a timestamp of the “event” it records (Google, 2012). Combined with the sensors above, the gyroscope could give anyone with access to the data a better estimate of where the device is going, even when no location fix is available. Accelerometers, gyroscopes, and magnetometers have also proven useful for keylogging. Keylogging is simply recording every press of a button or key for later use. It is most often seen on desktops, where a small dongle is attached between the keyboard and the computer, or a piece of software is installed that tracks which keys are pressed; as the user types, the keylogger records and stores each keystroke, which can be retrieved later. Until recently it was very difficult to do any keylogging on touch-screen-only devices. However, as accelerometers have become more accurate, an installed application can infer the location on the screen at which a tap landed from the way the phone tilts and shakes, and relate that to the keyboard being displayed (New Scientist, 2011). Notably, reading the motion sensors on Android does not require any permission, so such an application needs no special grant from the user.
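As an added illustration of the tap-inference side channel (a constructed example, not code from this paper or from the New Scientist article it cites), the following Python sketches how an app that can read only the accelerometer could guess which region of the keyboard each tap landed in. The sensor model, the four-zone layout, and every sample value are assumptions made for the example:

```python
"""Inferring where a tap landed from accelerometer samples.

Added, constructed example of the motion-sensor keylogging side channel.
Assumed sensor model: a tap deflects the phone slightly toward the touched
point, so the x and y accelerometer axes swing away from their resting
values for a few samples. Axes are assumed: negative x = left, negative
y = bottom of the screen.
"""
from math import sqrt
from statistics import mean

# Coarse keyboard zones; a real attack would learn finer regions or keys.
ZONES = ("top-left", "top-right", "bottom-left", "bottom-right")


def tap_features(samples):
    """Reduce a burst of (x, y, z) readings in m/s^2 to the peak deflection
    of x and y from the first (resting) sample. The sign keeps the tilt
    direction."""
    rest_x, rest_y, _ = samples[0]
    dx = max((x - rest_x for x, _, _ in samples), key=abs)
    dy = max((y - rest_y for _, y, _ in samples), key=abs)
    return (dx, dy)


def train(labelled_bursts):
    """Nearest-centroid model: mean (dx, dy) signature per zone, learned
    from taps whose zone is known (for instance taps inside the attacker's
    own app, where it does see the touch events)."""
    per_zone = {zone: [] for zone in ZONES}
    for zone, burst in labelled_bursts:
        per_zone[zone].append(tap_features(burst))
    return {zone: (mean(f[0] for f in feats), mean(f[1] for f in feats))
            for zone, feats in per_zone.items() if feats}


def classify(model, burst):
    """Zone whose centroid is nearest to the burst's (dx, dy) signature."""
    dx, dy = tap_features(burst)
    return min(model, key=lambda z: sqrt((model[z][0] - dx) ** 2
                                          + (model[z][1] - dy) ** 2))


def infer_sequence(model, bursts):
    """Turn a stream of tap bursts into the sequence of zones touched."""
    return [classify(model, burst) for burst in bursts]


def make_burst(dx, dy):
    """Constructed accelerometer burst: rest (gravity on z), a short swing
    toward (dx, dy), then back to rest."""
    return [(0.0, 0.0, 9.81),
            (0.5 * dx, 0.5 * dy, 9.80),
            (dx, dy, 9.70),
            (0.4 * dx, 0.4 * dy, 9.80),
            (0.0, 0.0, 9.81)]


# Constructed training taps: two per zone, with a little variation.
TRAINING = [
    ("top-left", make_burst(-1.2, 1.0)), ("top-left", make_burst(-1.0, 1.2)),
    ("top-right", make_burst(1.1, 1.1)), ("top-right", make_burst(1.3, 0.9)),
    ("bottom-left", make_burst(-1.1, -1.0)), ("bottom-left", make_burst(-0.9, -1.2)),
    ("bottom-right", make_burst(1.0, -1.1)), ("bottom-right", make_burst(1.2, -0.9)),
]

# Constructed taps in another app, which the attacker never sees as touches.
OBSERVED = [make_burst(-1.1, 1.1), make_burst(1.2, 1.0), make_burst(1.1, -1.0)]


def demo():
    model = train(TRAINING)
    return infer_sequence(model, OBSERVED)


if __name__ == "__main__":
    print(demo())  # ['top-left', 'top-right', 'bottom-right']
```

The point is not the accuracy of this toy classifier but that nothing in it touches the touch-screen API: every input comes from a sensor stream the application can read without asking.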
A barometer is also included in many Android devices. Although it is not required, Google states that a barometer may be included. Barometers measure atmospheric pressure, from which altitude can be estimated. Barometers in Android devices must relay data five times every second and must be accurate enough to determine altitude. Altitude can be combined with the other directional sensors; the practical application of this is further refinement of one’s location. Many of the sensors included in an Android device lend themselves to detecting location. Unfortunately, a great deal of personal data can be gleaned from location data: daily habits, the places you frequent, the stores you visit, where you work, where you sleep, where you eat, and more can all be inferred from the above sensors and their data.
Google also permits a thermometer, although it says that a device “should not” include one. Google then specifies that, should a thermometer be included, it may measure only the temperature of the CPU and nothing else (Google, 2012). Google has put a strong emphasis on excluding a thermometer from a device, although from our research it is unclear why. More than likely this has less to do with privacy than with conserving resources: reporting temperatures beyond the CPU would become taxing if done with any regularity.
The photometer, a sensor that measures the amount of ambient light around the phone, is often used to set the screen brightness when the phone is in “auto-brightness” mode. The sensor is therefore able to detect whether the phone is somewhere dark or bright. An application with access to the photometer could record how bright a place is, how long it stays that bright, and at what time. From that, an application could easily draw conclusions about a user: when they sleep, how long they sleep, how often the phone is in their pocket, and how long they spend using the phone. Something seemingly harmless can easily be mined for data about habits and personal information.
Finally, Google lists a proximity sensor as optional. Proximity sensors detect how near the device is to another object; the most common use is detecting when the user holds the phone to their ear. This could be used for much the same purposes as the photometer above.
Apple is much more secretive about the technologies it uses; however, certain functions the phone is capable of indicate the presence of many of the same sensors. The fact that the screen rotates indicates at least an accelerometer. Compass apps available on the iPhone indicate that a magnetometer is present. Although much-maligned, iOS includes turn-by-turn navigation, which requires GPS. The iPhone will lock itself down if the processor begins to overheat, meaning a thermometer of some sort is inside. Unlike the list of sensors on the Android platform above, this is not an exhaustive list for Apple. It is nonetheless clear that the two platforms share more than one sensor, and that they share the associated security and privacy threats as well. Apple and Android phones both include many different sensors, most of which cannot stop producing data. That data, which the layman does not know they are producing, needs to be protected for their sake.
Case Study: Participatory Sensing
Participatory sensing uses the sensing technology in mobile phones to collect users’ data for personal or social projects. Users are encouraged to participate in these projects by sharing the information collected by the sensors in their mobile phones. Surveillance and coercive sensing are thereby avoided, since users willingly give up this potentially sensitive information. Previously invisible sensor data is aggregated by sensor networks for analysis (Shilton, 2009). An example of a participatory sensing application is DietSense, which helps participants who want to lose weight by “documenting their dietary choices through images and sound samples” (Delphine, Hollick, Kanhere, Reinhardt, 2011). The mobile phones are worn like a necklace in order to “infer potential relationships between the participants’ behavior and their context” by recording time of day, sound samples, and location data (Delphine, 2011). For example, the application can infer whether an individual is eating at a restaurant for lunch or indulging in junk food late at night. This highlights the extent to which sensing applications can infer sensitive information about users from contextual data collected by sensing technologies.
Participatory sensing can be seen as a microcosm of the privacy implications that arise from the presence of sensing technologies in mobile phones. An article by Katie Shilton examines the privacy implications of the plethora of information that can be, and is being, collected by the sensing technologies of mobile phones. Shilton identifies the variety of information that is being collected by cameras, microphones, accelerometers, and GPS. Despite the potential benefits of such data collection, privacy implications arise concerning who is collecting the data, how revealing the data is, and how long it will be retained (Shilton, 2009).
After outlining the privacy implications of sensing technologies and participatory sensing, Shilton suggests new privacy policies to protect users while their sensitive data is being collected. Examples include “participant primacy”, which gives users maximum control over their location data, and “data legibility”, which means helping users understand the decisions they make about the data they give. Shilton’s article also outlines the responsibility of app developers to uphold user privacy by “protecting the sensitive data collected by always-present, always-on mobile phones” (Shilton, 2009). Using participatory sensing as a microcosm of our privacy issue, one can see the importance of notifying users how their data is used and enabling them to make informed decisions when allowing this data to be collected.
Case Study: Carrier IQ
Carrier IQ is an extraordinarily complex set of tools that run silently in the background of mobile devices. These silent but invasive tools take the form of software modifications installed at the request of either the OEM of the handset or the carrier on whose network the device will operate. However minor these modifications may seem, they have the ability to gather a treasure trove of information about the device and its user.
When talking about Carrier IQ, it is important to understand first what exactly it is. Carrier IQ is a three-part software suite that operates on the mobile device without the user’s notice or knowledge of its existence. The first part is IQ Agent, the pre-installed component that does the main data gathering on the device for the stakeholders who requested the data in the first place. The second is IQ Insight, an aggregation tool that compiles the received information and organizes it according to chosen parameters so that the raw data becomes usable. IQ Care is the third piece of the suite. This last piece is seemingly the most important, as it gives the operators or viewers of the collected data a way to see the results: it is essentially a troubleshooting GUI (graphical user interface) that brings forward usage information and device statistics to help solve problems that occur.
Carrier IQ was first discovered at the IQ Agent level. A software researcher named Trevor Eckhart was examining the security settings of Android phones when he discovered key-logger-like software hiding in the code. Eckhart’s initial discovery was brushed aside by all of the major OEMs and carriers as a way to downplay the invasion of privacy that this software could cause. Following his disclosure, Eckhart promptly received a cease-and-desist letter aimed at his research and findings. Eckhart named the software after its developer, Carrier IQ. Carrier IQ, responding as a company, said that the software “is capable of tracking what apps you’re running, to where your phone is, to what buttons are being pressed” (Velazco, 2011). Carrier IQ nevertheless maintained that its software was meant only “to help improve the quality of a carrier’s customer experiences” (Velazco, 2011). Regardless of this “intent”, people argued that this constant recording of the user was an invasion of privacy and potentially illegal wiretapping.
The initial shock over Carrier IQ was ultimately the death blow for this type of software. Most software, regardless of device, has some debugging feature built in to help report and narrow down issues as they arise. This reporting helps device and software manufacturers speed up fixes, because they have more information about the problem at hand. According to Ulanoff, “Carrier IQ operates in the background and only deals directly with carriers and manufacturers” (Ulanoff, 2011). This silent, exclusive arrangement between only the parties requesting the data made most people hesitant to trust it once they knew it existed. That distrust has “consumers looking for ways to disable Carrier IQ on their phone, as if that will in some way improve their mobile experience or protect them from identity theft” (Ulanoff, 2011). The fact that this software was included hidden and then exposed has caused a kind of hysteria about mobile privacy. Usage recording on PCs and other devices is rampant, and it improves user experience by allowing companies to fix issues and refine their software. In some cases this data recording and mining is invasive and potentially harmful, but Ulanoff argues that it is ultimately for the better. Mobile platforms need some form of this same ability in order to keep a product effective for the life of the device, as owners demand. No device is perfect from the factory; constant fixes and a constant cat-and-mouse game are required to keep devices as functional as possible as they mature in the field. The concern over Carrier IQ’s data-mining functionality and its risk of identity theft is, according to Ulanoff, “misguided” (Ulanoff, 2011).
Ulanoff states that removing Carrier IQ “could end up hurting more than it helps as Carrier IQ’s carrier and manufacturing customers suddenly find themselves with far less diagnostic information and fewer avenues for measuring service and network quality” (Ulanoff, 2011). Ultimately, whether or not this software is present, users are going to be making a sacrifice, either of privacy for usability or of usability for privacy.
Carrier IQ has cast a cloud over mobile privacy. Governments have been asking whether current laws are adequate to protect against software such as Carrier IQ should it be used in a negative fashion. According to Greenberg, “If Carrier IQ has gotten the handset manufacturers to install secret software that records keystrokes intended for text messaging and the Internet, and are sending some of that information back somewhere, this is very likely a federal wiretap violation” (Greenberg, 2011). Federal wiretap laws exist to limit any interception of voice or data over cellular networks; data gathered by such means generally requires a warrant. It is said, however, that if all parties were aware of this software and willing to allow it to function, it would be allowed to go about its work without issue. The problem in this case arises because the software was kept hidden from all the parties involved. This blind trust was more of an issue than the software as a whole would have been. Because of its hidden and silent nature, Carrier IQ is being sued by the U.S. Justice Department on criminal charges on various counts. The trials have repeatedly been delayed due to “extraneous” factors.
The federal government has admitted it was aware of Carrier IQ and its actions, and the FBI is reported to have used the data gathered by the service in certain situations. According to Hruska, “a Freedom of Information Act (FOIA) request was filed asking for manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ” (Hruska, 2011). The FBI received this request and responded by withholding the records. It issued the following statement: “The material you requested is located in an investigative file which is exempt from disclosure... the records responsive to your request are law enforcement records; that there is a pending or prospective law enforcement proceeding relevant to these responsive records; and that release of the information contained in these responsive records could reasonably be expected to interfere with the enforcement proceedings” (Hruska, 2011). This response further fueled the conflict; people took it as a damning admission that warrantless wiretapping was certainly taking place. The federal government has since responded by proposing new laws aimed at protecting what Carrier IQ exploited.
Carrier IQ, while being software most people would not want on their devices, effectively caused legislators to take a fresh look at the laws governing mobile communication, to determine whether the current limitations and laws are actually protective enough. Public concern over Carrier IQ prompted a new bill, the “Mobile Device Privacy Act”. This bill “would require the disclosure of included tracking software at the time of the purchase of the device, or during ownership if a software update or app would add such software to the device, and the consumer gains the right to refuse to be tracked” (Oswald, 2012). According to Oswald, the law would further demand that “disclosure must include what types of information is collected, who it is transmitted to, and how it will be used” (Oswald, 2012). It is important to recognize, however, that no law will ever solve every issue that arises. Generally speaking, laws have been kept somewhat relaxed in the technology sector to avoid the reduction in innovation that over-restriction by legal means might cause. These concerns are present now more than ever, especially with this proposed law, the first modern law that could change the way mobile devices handle data.
Carrier IQ, though it began as software intended to operate silently and invisibly, could ultimately have a much bigger impact on the future of mobile devices than anyone would have expected. Carrier IQ, which is essentially key-logging debugging software, has become the catalyst for a new round of protective laws for all mobile devices. Its three software packages have shown that current laws, many of which are over 20 years old, are insufficient. New laws must be forged to protect users more effectively than the existing, aged laws can. In this case, a tiny piece of software may help determine the future of mobile data collection.
Privacy Implications of Sensing Technologies
Sensing technologies are well integrated into mobile phones as a variety of sensors that collect many different types of information. By associating the different data types, contextual information can be inferred about what a person is doing, where they are doing it, and who they are doing it with. Gyroscopes, accelerometers, and proximity sensors in combination collect contextual information that can indicate, for example, whether the user is walking, riding a bike, or sleeping. As Shilton notes, this data is sensitive because it can reveal the regular locations, habits, and routines of mobile phone users (Shilton, 2009). Shilton also points out that once this data is collected, “acquaintances, friends, or authorities might coerce you to disclose it”, and it may be shared and used for other purposes without the consent or knowledge of the user (Shilton, 2009). Current privacy policies do not adequately inform users how sensitive the information they may be unknowingly sharing with unidentified parties is. Nor do privacy policies clearly set out the responsibilities of those who obtain the information collected by sensing technologies, including app developers, data aggregators, and cell providers. A user’s personal data may be shared with third parties who intend to use it for reasons the user never permitted, including malicious ones.
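The following Python is an added example covering the photometer inference discussed in the hardware section and the activity inference described just above; it is not code from this paper or from any application it discusses. It shows how little is needed to turn one day of ambient-light and motion readings, neither of which requires a permission to read, into a sleep schedule and a rough account of how the owner spent the day. The thresholds, the state labels, and the hourly sample day are constructed assumptions:

```python
"""Inferring a daily routine from the light sensor and accelerometer.

Added, constructed example. The two thresholds and the 24-hour sample day
are assumptions chosen to illustrate the inference, not measured values.
"""
from collections import Counter

DARK_LUX = 5.0    # below this the phone is in the dark (pocket, bag, night)
STILL_MS2 = 0.2   # motion magnitude (m/s^2 away from 1 g) below which it is at rest


def label_window(lux, motion):
    """Classify one sampling window from the two sensors."""
    if lux < DARK_LUX and motion < STILL_MS2:
        return "dark-still"      # on a nightstand, owner likely asleep
    if lux < DARK_LUX:
        return "dark-moving"     # in a pocket while the owner moves about
    return "lit"                 # screen up or in a lit room


def longest_run(labels, target):
    """Longest circular run of `target` (a night wraps past midnight).
    Returns (start_index, length)."""
    n = len(labels)
    doubled = labels + labels
    best_start, best_len = 0, 0
    i = 0
    while i < n:                       # a run may only start in the first copy
        if doubled[i] != target:
            i += 1
            continue
        j = i
        while j < i + n and doubled[j] == target:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    return best_start, best_len


def infer_routine(records):
    """records: list of (hour, lux, motion) windows covering one day, in
    order. Returns the inferred sleep window and hour counts per state."""
    labels = [label_window(lux, motion) for _, lux, motion in records]
    start, length = longest_run(labels, "dark-still")
    hours = [hour for hour, _, _ in records]
    counts = Counter(labels)
    return {
        "sleep_start": hours[start],
        "sleep_end": hours[(start + length) % len(records)],
        "sleep_hours": length,
        "lit_hours": counts["lit"],
        "pocket_hours": counts["dark-moving"],
    }


def constructed_day():
    """One hourly-sampled day, constructed for this example."""
    day = []
    for hour in range(24):
        if hour < 7 or hour == 23:      # night: dark and motionless
            day.append((hour, 1.0, 0.05))
        elif hour < 9:                  # morning: phone in use in a lit room
            day.append((hour, 300.0, 1.2))
        elif hour < 18:                 # workday: in a pocket, owner walking about
            day.append((hour, 1.0, 0.4))
        else:                           # evening: lit room, mostly idle
            day.append((hour, 150.0, 0.1))
    return day


if __name__ == "__main__":
    print(infer_routine(constructed_day()))
```

Running it on the constructed day yields a sleep window from 23:00 to 07:00, nine hours with the phone in a pocket, and seven hours in the light; over several days the same logic separates weekdays from weekends, and a change in the sleep window is visible the day it happens.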
The rich contextual information collected by sensing technologies is valuable to numerous parties because of what it reveals about users’ habits, routines, and social relationships. Despite the good intentions of some parties who use this personal data for applications and services, one must acknowledge those who wish to exploit sensing technologies for malicious purposes or for reasons that conflict with a user’s wishes. An article published by the USENIX Association outlines several passive and active privacy attacks on sensor networks that aim to steal this valuable information. Eavesdropping is a passive attack in which an adversary attempts to learn the configuration of a sensor network in order to access the wealth of information passing through it (Grunwald, Gruteser, Han, Schelle, Jain, 2003). Having learned the network configuration, the adversary may move to active attacks such as inserting false data or altering routing behavior. The adversary may insert false information to compromise the application or service that uses the sensor data, or to misrepresent individual users; the adversary may also change the way packets of sensor data move from users to the central network (Grunwald, 2003). Through these passive and active attacks, an adversary can gain access to the sensitive information collected by sensing technologies; user security is compromised, and personal data may be put to malicious use.
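As an added example of the check a collector would want against the false-data injection and replay just described (this is illustrative code, not from this paper or from the USENIX article it cites, and the message format, device key and sample reports are constructed), each sensing device tags its reports with an HMAC over the device identifier, a sequence number and the payload, and the collector verifies the tag and insists that the sequence number increase. Note what this does not do: an eavesdropper on the path can still read the payload, so confidentiality needs encryption in addition.

```python
"""Rejecting injected and replayed sensor reports at the collector.

Added, constructed example. Each device shares a secret key with the
collector (key provisioning is assumed to happen out of band). A report
carries an HMAC-SHA256 tag over (device id, sequence number, payload);
the collector recomputes the tag and enforces a strictly increasing
sequence number per device.
"""
import hashlib
import hmac
import json


def _message(device_id, seq, payload):
    """Canonical bytes so both sides tag exactly the same thing."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return f"{device_id}|{seq}|{body}".encode()


def make_report(key, device_id, seq, payload):
    """What a sensing device sends to the collector."""
    tag = hmac.new(key, _message(device_id, seq, payload), hashlib.sha256).hexdigest()
    return {"device": device_id, "seq": seq, "payload": payload, "tag": tag}


class Collector:
    """Central collector holding per-device keys and last accepted sequence."""

    def __init__(self, device_keys):
        self.keys = dict(device_keys)
        self.last_seq = {}
        self.accepted = []

    def accept(self, report):
        """Return a reason string; 'ok' means the report was stored."""
        key = self.keys.get(report.get("device"))
        if key is None:
            return "unknown device"
        expected = hmac.new(key, _message(report["device"], report["seq"],
                                          report["payload"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, report.get("tag", "")):
            return "bad tag"            # forged, or altered in transit
        if report["seq"] <= self.last_seq.get(report["device"], -1):
            return "replay"             # an old report sent again
        self.last_seq[report["device"]] = report["seq"]
        self.accepted.append(report)
        return "ok"


# Constructed key; a real deployment would provision random keys per device.
KEYS = {"phone-a": b"constructed-key-for-phone-a"}


def demo():
    """Walk one collector through a genuine report, a tampered copy, a
    replay, a report from a device it has no key for, and the next
    genuine report. Returns the collector's verdict for each."""
    collector = Collector(KEYS)
    verdicts = []
    good = make_report(KEYS["phone-a"], "phone-a", 1,
                       {"lat": 42.73, "lon": -84.48, "lux": 120})
    verdicts.append(collector.accept(good))                             # ok

    tampered = dict(good, payload=dict(good["payload"], lat=40.71))     # user "moved"
    verdicts.append(collector.accept(tampered))                         # bad tag

    verdicts.append(collector.accept(good))                             # replay

    forged = {"device": "phone-b", "seq": 1, "payload": {"lux": 0}, "tag": "00"}
    verdicts.append(collector.accept(forged))                           # unknown device

    later = make_report(KEYS["phone-a"], "phone-a", 2,
                        {"lat": 42.74, "lon": -84.49, "lux": 3})
    verdicts.append(collector.accept(later))                            # ok
    return verdicts


if __name__ == "__main__":
    print(demo())  # ['ok', 'bad tag', 'replay', 'unknown device', 'ok']
```

The sequence-number check is what turns a captured genuine report into a useless one for the adversary; without it, a valid tag would let an eavesdropper feed the collector stale locations indefinitely.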
User data may also be shared, without the user’s knowledge or consent, with other parties such as government agencies. In 2011, the United States government requested data from mobile phone providers on over 1.3 million separate occasions (The Economist, 2012), and the rate of government requests has been growing steadily: “Verizon, America's biggest mobile-service provider, says it has gone up by 15% in each of the past five years” (The Economist, 2012). This demonstrates the value of the data collected by sensing technologies, from which contextual information about users, such as location, habits, and lifestyle, can be inferred. Users have no control over who may be given access to their sensitive information.
Inadequate Privacy Policies
There are two current laws which are inadequate in considering smartphone privacy. The first of these laws is the Computer Fraud and Abuse Act, enacted in 1984. This law was enacted to prevent unauthorized access to information stored on a computer. In today's society, a smartphone might be considered a computer in a court case, and this law might serve to protect someone whose smartphone data was shared with a third party without their consent. However, when a smartphone is not considered a computer in a court case, this law does nothing to protect the user’s data, making this law very inadequate and unpredictable.
The second law is the Electronic Communications Privacy Act which encompasses the Wiretap Act, Stored Communications Act, and the Pen Register Act. A summary of the ECPA was found on the United States Department of Justice website. Enacted in 1986, these acts deal with both law enforcement and other companies and the reading and disclosure of any electronic communication. However, what constitutes an electronic communication is not up to date with the current times and current technology.
The Wiretap Act prohibits almost any form of interception of wired, oral, or electronic communication. One exception to this law is individuals who are authorized by law to intercept these forms of communication or “conduct electronic surveillance.” The only other exception is for individuals who are making necessary changes to their service or services and who feel this interception is necessary for the success of their service (DHS/Office, 2012). This last exception to the Wiretap Act is very vague in what it designates as a service and a service provider. Therefore, app developers and individuals collecting data from smartphones cannot violate this law because it is not up to date in what is considered a service where communications need to be intercepted.
The Stored Communications Act concerns the privacy of the records that service providers hold about their customers (DHS/Office, 2012). Again, this portion of the law is not specific and says nothing about smartphones, app developers, or the data they obtain from people who download their apps.
Finally, the Pen Register Act concerns pen register and trap and trace devices and requires that a court order be obtained before any of these devices is installed and used. A pen register device is used to collect information about the calls a person makes, and a trap and trace device is used to collect information about the calls an individual receives. However, the content of conversations between the individual and other people while these devices are in use is not intercepted (DHS/Office, 2012). This part of the law also says nothing about smartphones or the data an app developer could obtain if they were to collect this information somehow.
Overall, the two laws summarized above are extremely unpredictable in how and when they apply to protecting a consumer’s privacy and smartphone data. Both laws were enacted over twenty years ago and do not reflect the changes and advances in technology we have today. Thus, more accurate and effective policies with clear and up-to-date definitions of electronic communications should be created and enforced to solve this issue.
Average Users & Sensing Technologies
We interviewed several average mobile phone users in order to gain insight into their awareness of sensing technologies and the privacy implications that arise from their ever-growing presence. When asked what he knew about what was contained inside his iPhone, the interviewee (the “average Joe” discussed in the sections above) could only state that he knows “there’s GPS and cell phone service. Maybe there’s a thermometer, but I’m not sure.” Additionally, the respondent stated that “Google and Apple are using my data for the best reasons.” He went on to explain that he believed his data was not at any risk, and that he was not in the least bit worried about malicious use of personal information. He did concede that this may become a problem in the future: “I think that there isn’t any action required right now because the information isn’t being abused… I think that at some point, when abuse of information that we give out freely, we will need legislation, but it isn’t required today.” Finally, he believed that policies have not yet been developed because they are not needed, and as a result, everyone is indifferent: “Nobody will care about this until there’s some earth-shattering event.” The average person in the US does not understand the type of data recorded by sensing technologies, nor the amount of data that is collected. The average user will continue to believe that their data is not at risk of anything malicious; much like the interviewee here, they will simply continue to give their data away while remaining apathetic to the potential ramifications.
We also interviewed an individual who is aware of some of the types of sensing technology in his Android phone, but not all of them, such as the barometer. He regularly uses the application MapMyRun, which utilizes contextual information collected by sensing technologies. When asked whether the application has a privacy policy and whether he had read it, the interviewee responded, “MapMyRun does have a privacy policy and I have read it. I didn’t take a magnifying glass to it, but I did skim it.” The interviewee claimed that the privacy policies he reads are vague enough that he does not feel threatened that his data is being used for malicious purposes. In terms of using apps that utilize sensing information, he feels he uses simple apps that do not collect detailed enough information for it to be considered sensitive. This demonstrates that current privacy policies do not adequately outline or protect against the potential dangers of sharing this sensitive information. More awareness regarding the privacy implications of sensing technologies may cause users to be more cautious in using such applications. If the privacy policies of the applications were more detailed about the third parties that see the sensor data, he might be more apprehensive about using these apps. In a broader sense, users are unaware of the technical implications of sensing technologies in terms of how data is collected and who it is shared with.
Solution
In order to more adequately protect the privacy of users, the policies that determine the relationships between the various stakeholders in the privacy issue must be revised to outline their responsibilities in maintaining the security of their users’ personal information. First, more stringent guidelines must be in place to establish the hardware and software specifications of mobile phones and the ethical implications that are associated with new sensing technologies. Second, app developers must take these same ethics into consideration when the applications they create utilize sensing technologies to collect data from end users. Third, data aggregators who collect and organize this information must be closely regulated to ensure the purposes for collecting the personal data are productive and not potentially malicious. Lastly, the cell providers who also have access to the data collected by sensing technologies must be held responsible for who they share the information with, such as law enforcement and federal agencies. Cell providers must also take into account the potential positive effects of allowing access to this information, such as responding to emergency situations more quickly based on location data. Stricter company policies are needed in order to ensure security over the potentially sensitive information that is collected by sensing applications. The end user should be given detailed information about what personal data is being collected, where it is transmitted, how it may be used, and who it may be shared with. Users should also be given the right to decide who their information is shared with, regardless of whether the data passes through cell providers or app developers. Privacy policies should regulate which third parties are given access to the potentially sensitive data collected by sensing technologies. Ultimately, users should have the ability to keep their personal data completely private if they so wish.
Solution: Laws Currently in Review
There are three laws involving privacy and the collection of smartphone data currently in the process of review. These laws are the Mobile Device Privacy Act, the Geolocation Privacy and Surveillance (GPS) Act, and the Location Privacy Protection Act. The Mobile Device Privacy Act, proposed by Congressman Edward Markey of Massachusetts, deals directly with monitoring software like Carrier IQ. The draft legislation was released on January 30, 2012. A press release was also written on that date summarizing the effects of the new legislation and Congressman Markey’s current viewpoints on smartphone privacy. According to this press release, the Mobile Device Privacy Act would require a consumer to be notified of any monitoring software on their smartphone. The consumer would need to be notified about the monitoring software before they purchased the smartphone, as well as if any monitoring software was installed by the carrier, manufacturer, or the OS after the purchase of the phone. Under this act, individuals would also need to be notified if an app they download has monitoring software. Along with the disclosure of the monitoring software’s presence, the act would require the consumer to be made aware of what types of information the monitoring software collects, the name of the third party the information is transmitted to, and how the information will be used. Congressman Markey stated in the press release:
“While consumers rely on their phones, their phones relay all sorts of information about them, often without their knowledge or consent. I am concerned about the threat to consumers’ privacy posed by electronic monitoring software on mobile phones, such as the software developed by Carrier IQ. Today I am releasing draft legislation to provide greater transparency into the transmission of consumers’ personal information and empower consumers to say no to such transmission” (Markey, 2012).
Furthermore, before the collection of this information could take place, the Mobile Device Privacy Act would require the consent of the consumer. Policies by the third parties would also need to be in place so the collected information would be secure, and any agreements to transmit data to third parties would need to be filed with the Federal Communications Commission and the Federal Trade Commission (Markey, 2012). As of now, any app downloaded to a phone can monitor a consumer’s activities and send that information to third parties without the permission or knowledge of the consumer. This is a huge issue with access to and control of personal information, and the passing of this law would help to stop this malicious collection and transmission of personal data. The passing of this act would also allow consumers to take legal action against a company they felt was violating the law.
Next, the Location Privacy Protection Act, introduced by Senators Al Franken of Minnesota and Richard Blumenthal of Connecticut, deals with companies that collect and distribute location data. According to an article written by Catharine Smith for The Huffington Post, the Location Privacy Protection Act would require any company that obtained a customer’s location information from their smartphone or mobile device to get two forms of consent from the customer. The customer would have to explicitly give the company permission to collect their location information. The act would also require the company to receive the customer’s permission before the customer’s location is shared with any other third parties (Smith, 2011). If this law is passed, app developers would be required to obtain both forms of consent, which would increase the awareness of customers and, hopefully, deter the malicious collection of location data.
Finally, the GPS Act, written by Senator Ron Wyden of Oregon and Representative Jason Chaffetz of Utah, would provide a set of regulations regarding the protection of, and the legal procedures involving, devices that can be used to track an individual’s location. According to a press release, this act is aimed at making those regulations clear to everyone. One of these rules would require the government to obtain a warrant and show a valid reason before receiving a person’s geolocation information. The GPS Act also applies to geolocation information acquired by law enforcement, as well as the location information received when tracking a person (both past and present records). Furthermore, the existing wiretap laws would be closely monitored with regard to their use in court cases. Under this law, penalties would also be created for those who use a device to track someone’s location without their knowledge. Finally, the GPS Act would require consent from the individual before location information collected by a company is shared with anyone outside the company that collected it (Wyden, 2011). Currently, many apps downloaded on smartphones track location information without the permission of the consumer. This law would help to stop this practice and would set forth penalties for companies and app developers who still collect and share this information. This act is also fairly specific about which kinds of protection it would offer individuals, making it a much needed addition to our current out-of-date legislation.
These three laws are very important in that they give consumers a way to take legal action against app developers who they feel are violating their privacy rights. The laws currently enacted simply do not provide the level of detail and regulation required to fit today’s extremely advanced technology and the wide range of possibilities we have in manipulating that technology.
Solution: Potential Negative Side Effects
In terms of the potential negative side effects of our solution, placing restrictions upon sensing technologies may also hamper their benefits. If more stringent policies are enacted to limit the parties that cell providers may share sensor data with, this can limit the ability of advertising companies to offer more relevant advertisements. Likewise, if users are given more control over what personal data is being collected, where it is transmitted, how it may be used, and who it may be shared with, many applications and services that rely on contextual information collected by sensing technologies may be severely hindered. The comprehensive contextual information that is collected by various sensing technologies allows mobile phone applications to be very powerful. A prime example of this is the participatory sensing application Nericell, which utilizes the microphone, accelerometer, and GPS of a user’s mobile phone to “detect and localize traffic conditions and road conditions” (Delphine, 2011). Accelerometers are able to detect roughness in roads, such as potholes or bumps, while microphones record noise that would indicate traffic jams, such as honking. This contextual information is associated with the phone’s GPS coordinates, then collected and aggregated to be displayed on a map for use by other users. With our proposed solution, privacy policies would outline the specific types of information collected by the sensing technology in users’ phones and exactly which third parties will have access to it. This may deter many users who had previously been unaware of how the applications functioned in relation to sensing technology. In addition, if users are given the ability to completely opt out of data collection, many applications may be unable to function effectively without the aggregated sensor data.
However, users may be more willing to share their potentially sensitive information if app developers create more transparent privacy policies that outline how user information will be used and who it will be shared with. The risk of less effective apps, caused by users refusing to share sensor data, may be avoided if users are better informed about how the app developers will use the data.
Similar to mobile phone applications, numerous social services rely on the contextual information collected by sensing technologies. Rescue services across the globe in particular need access to phone data in order to assist individuals in need more efficiently. For example, location data is extremely beneficial in the process of locating someone who urgently needs help. Britain’s phone services recently implemented a system to provide emergency response teams with any available location data relating to an emergency call. Quentin Armitage, the deputy director of technology for the London Ambulance Service, reports that “response times to emergency calls improved dramatically” (Duncan, 2003). This demonstrates the potential of mobile phone location data from sensing technologies to aid in emergency situations. In fact, the E112 directive, adopted by the European Union in September 2003, “requires mobile phone networks to provide emergency services with whatever location information they have about where a mobile phone call was made” (Duncan, 2003). This same information can also be utilized to help catch criminals who use mobile phones equipped with location sensors. Social services such as these may be significantly restricted and less useful if users are given the power to refuse the sharing of personal data, including location information. It is ultimately the user’s decision whether they want the information collected by their mobile phones to be shared with any third parties, including social services; therefore our solution must encompass them. Users will be strongly advised to allow their data to be shared with such services, yet they must be given the ability to deny this access.
As smartphones have evolved, the sensors within them have evolved. Ultimately, though, the policies, companies, and organizations involved with sensing technologies have not evolved at an equal rate. The result is a disparity between what reality is and what reality should be. This disparity manifests itself in catastrophes like Carrier IQ, a case where every interest group failed to take note of the importance of the privacy of data collected by sensors within a smartphone. Carrier IQ displayed how inept the current laws are, and also showed that certain interest groups do not have the proper interests at heart. Nothing will change, however, without significant modification by everyone involved. This cannot be a solution by policy alone; it requires a change of mindset by each of the involved parties. OEMs and application developers must learn to control what data is collected and saved or sent to other parties. Policy makers must implement up-to-date, modern, and useful policies to help guide the development of sensing technologies without putting a total damper on innovation. Finally, the end user must become less apathetic to the cause of personal privacy. Even if all other parties change, end users must become aware of what data they generate in order to control how it is disseminated. With these solutions implemented, we could see a shift in how sensing data is used, for the betterment of privacy for end users.