Sen. Al Franken (D-Minn.) said at the beginning of a Tuesday hearing on mobile privacy that he thought people had a right to know who was getting access to their information via their mobile broadband devices and should have the right to control how that information is shared and used.
By the end of the hearing in the Senate Judiciary Subcommittee on Privacy, Technology and the Law, which Franken chairs, Franken said he still had serious doubts that those rights were being addressed in law or in practice. He said the issue of privacy and data security were urgent ones that needed to be dealt with now.
At the hearing, representatives of both Apple and Google got a grilling over geolocation information-collection issues that have troubled lawmakers and led to pledges by both companies to take remedial actions as well as to Franken's calling of the hearing.
One Senator, Connecticut Senator Richard Blumenthal, appeared to take Google director of Public Policy Alan Davidson by surprise when he presented him with a patent application that appeared to anticipate the kind of geolocation data collection that Google said was inadvertently collected as part of its Google Maps initiative.
Davidson said he was not familiar with the documents, but that the company filed hundreds, or certainly scores of patents, many of them speculative. But that, at any rate, Google had not used the info and had not meant to collect it.
Federal Trade Commission witness Jessica Rich, deputy director of the Bureau of Consumer Protection, stopped short of endorsing any specific privacy legislation, but echoed the FTC's conclusions that companies needed to build choice, control and notice into their products from the outset.
Deputy Attorney General Jason Weinstein of the Justice Department's criminal division, said to look for a package of cybersecurity legislative recommendations any day now, and that one would be asking for government access to more users' online data. He pointed out that while there were no restrictions on sharing data with commercial third parties, there were plenty on sharing with the government, like the IP addresses that could lead to identifying criminal behavior.
Franken, Blumenthal and Sen. Sheldon Whitehouse all agreed that federal laws fell short in protecting online privacy, while ranking member Senator Tom Coburn (R-Okla.) cautioned that more information was needed on the issue before legislating.
Sen. Patrick Leahy (D-Vt.), who chairs the Judiciary Committee, said he would be reintroducing a data security bill that would create a national standard for notification when there is a data breach. It will be his fourth try at getting that notification in law, he said. Weinstein said it was vital for law enforcement to be informed, otherwise the "trail could have gone cold" by the time they know about it.
He conceded that most states have their own notification laws, but few of them require law enforcement to be notified. He said to look for a notification requirement as part of Justice's cybersecurity legislative package proposal.
The hacking of Sony's online gaming sites to the tune of information breaches affecting up to 100 million customers has put an exclamation point on that issue, particularly after complaints about the length of time it took Sony to reveal the breaches. Leahy called the breaches more and more "frightening" the more he has learned about them.
Justin Brookman, from the Center for Democracy and Technology, said that there were no affirmative obligations in law to require timely notification of breaches. Weinstein said that would be one of the recommendations in the upcoming package of legislative proposals on cybersecurity.
Among the issues of concern to Congress are privacy policies that are so complicated that they become default acceptances of fine print too few are reading; the disclosure of location information without user's knowledge or consent--"this is a serious problem," said Franken; Franken said he was not saying that Apple or Google or others should not be able to collect location info, calling them "brilliant." He said it was about balancing rights and privacies, something he said he thought was "doable."
He provided an example of the difficulty and necessity of that balancing act in a Minnesota coalition trying to protect battered women. He said he had been contacted by them and told that, on the one hand, location information could help track offenders, while on the other such information led to the stalking of women via their cell phones.
Rich spoke to some of the potential harms of collecting location data. Those include stalking, targeting teens and kids who are increasingly on the devices, and the ability to extrapolate from that data what kind of church someone belongs to, what political meetings they attend, or their route to and from school. "That is sensitive data that requires protection."