Data Security Issues Aired In House, Senate

Sony under investigation for data breaches; FTC says geolocation deserves hightened protection

By John Eggerton -- Broadcasting & Cable, 5/4/2011 2:34:20 PM

Data security got a lot of face time on Capitol Hill Wednesday, as two separate hearings focused, and touched on, respectively, issues from Sony's online data breaches to the location-based data issues involving Google and Apple.

The Attorney General said that Sony was under active investigation for data breaches, while the FTC signaled that geolocation is the kind of sensitive information that deserves heightened government scrutiny and protection.

The House Energy & Commerce Committee bored down into the issue with a panel of witnesses that included the Federal Trade Commission's point person, David Vladeck, director of the Bureau of Consumer Protection.

On the issue of Apple's storing of geolocation information for up to a year, Vladeck was asked by Rep. Bill Cassidy (R-La.) whether the agency supported a "thou shalt not" approach of legislation barring the saving of such data beyond a certain time period, he said the FTC had not taken a position on that specific issue. But he did say he supported making the use and storage of that data an automatic trigger for notification of consumers about what was happening with it.

Apple and Google have both taken heat for their handling of Geolocation info, Google for what it says was inadvertent collection of data as part of its online mapping efforts, Apple for storing geolocation info, unencrypted, for up to a year (it says that was a glitch) and backing up that info on unsecured computers when iPhones were syncedAtt.

Vladeck pointed out that the FTC in a December report recommended that geolocation data be considered the kind of personal information that gets heightened protection. He also said that one of the questions it raised in its ongoing review of child online protection laws is how to treat geolocation info.

Cassidy asked what the argument was against limiting the storage of geolocation information. Vladeck said that there were two arguments--though he hastened to point out he was not advocating either. One was that it enhanced the functions and the other was that it allowed them to perfect the service. "I am rehearsing the arguments you will hear," said Vladeck.

Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy and Technology, said he would be concerned by a "thou shalt not" approach, saying there are reasonable uses for retaining such data for longer periods of time, including a traffic program that would remember his routes and give him the best info about them.

He and Vladeck were in agreement that there needed to be clear consumer information, and not "buried in paragraph 40."

Vladeck said that the industry was not doing enough to self-regulate in the area of data security, that Congress should pass comprehensive data security legislation, that federal regs should supersede state regs if the latter are not as strong, that states attorneys general should be authorized to enforce federal data security laws, that the FTC should have stronger rulemaking authority, and that it could use more resources.

Those to the point answers were courtesy of the now iconic "answer yes or no, please" line of questions from Rep. John Dingell (D-Mich.), which all of the panelists honored to a degree unusual in such proceedings.

Over on the Senate side, Attorney General Jeffrey Holder said Justice was "actively engaged" in investigating Sony over two recent data breaches.

Sony two weeks ago revealed that someone had hacked into its PLaystation online gaming network and accessed millions of records. Then this week it said that its SOny Online Entertainment gaming net had been hacked, with millions more possible breaches, according to Ed Markey (D-Mass.), co-chair of the bipartisan House privacy caucus.

"I am alarmed that twice within one week, sensitive consumer information, especially that of children, has been exposed by hackers," said Markey. "Sony's tagline is ‘make.believe'. It also should be ‘make.secure.'

At the Senate hearing, Holder said Justice and the FBI were taking those Sony breaches "very seriously," while one legislator said he was not happy with the way Sony has handled the situation, including the length of time it took to inform consumers and take corrective action.

The mobile data security issue will be getting more attention. Senator Al Franken (D-Miss.), chair of a new Judiciary privacy subcommittee, has scheduled a May 10 hearing on "Protecting Mobile Privacy: Your Smart Phones, Tablets, Cell Phones and Your Privacy," while the Senate Commerce Committee also plans to hold a hearing on that issue this month.