Location, Privacy a Two-Lane Street
If, 20 years ago, you'd said that Al Franken (D-Minn.) would be drafting location-privacy legislation from his position as Senator of the State of Minnesota, you'd probably have gotten a more robust laugh than did some of Franken's skits on Saturday Night Live.
But that's exactly what Franken is up to these days. On June 16, he and co-sponsor Sen. Richard Blumenthal (D-Conn.) introduced the Location Privacy Protection Act of 2011, a bill designed to give users more control over the data generated by their mobile phones by closing some of the loopholes in the existing Electronic Communications Privacy Act (ECPA).
More specifically, Franken hopes to make it harder for OEMs, carriers and application developers to share their customers' information with third parties, while also curtailing the practice of stalking by technological means.
In a one-page summary of the proposed bill, Franken explains the gaping hole in existing legislation. "When a person uses a smartphone to place a phone call to a business, that person's wireless company can't disclose his location information to third parties without first getting his express consent," Franken wrote. "But when that same person uses that same phone to look up that business on the Internet, because of ECPA, his wireless company is legally free to disclose his location to anyone other than the government."
And while securing our privacy may seem nothing more than an expected grace to some, Franken's bill aims to stem some of the more sinister abuses of location-aware technologies, primarily stalking. According to a January 2009 special report by the Department of Justice, approximately 26,000 persons are victims of GPS stalking annually, including by cell phone.
While some rules regarding the collection, storage and sharing of location information are long overdue, industry players are always watchful that regulation doesn't bring unintended consequences that might adversely affect growth and innovation. However, the timing of the Location Privacy Act of 2011 might be just right, as a little regulation can often go a long way and in the end legitimize services that might previously have worried consumers.
We're Already Doing It
Application developers could be particularly affected by location privacy legislation, as many of them share a user's information with advertisers. While users may not realize it, many of the "free" mobile applications they're downloading, say a tic-tac-toe game that asks to access their location information, are paid for by the sale of said location so that a brand can more accurately profile and target the audience it wants to reach.
Wayne Irving, CEO of Iconosys, an app developer with more than 500 retail-grade smartphone apps in its catalog, says he hopes that any information obtained by one of his company's apps will lead to a better experience for consumers.
When asked why a standard app like Zombie Slasher that's all about, you guessed it, slashing zombies, would need a user's location information, Irving says location has become an expected integration in gaming. He says Zombie Slasher is a great example, because the game will feature 36 different cities in which players can slay zombies. "So with Zombie Slasher, we may need your location, so we can put you in your own town."
But he admits that consumers can benefit by sharing their location with an app in other ways.
For instance, Iconosys has a partnership with Jiffy Lube, where Jiffy Lube might offer Zombie Slasher for free if you get an oil change at one of its stores. He says that Iconosys will gather a user's location and store it for a short period of time on a macro-location basis, meaning by ZIP code or area code. Obviously, Jiffy Lube wouldn't want to offer a free copy of Zombie Slasher to users who don't have a Jiffy Lube in their area, he adds.
"It's only for our own internal purposes," Irving says. "We haven't really found a reason to use it for any other purpose. I think getting super finite, as far as the location, you know within 3 meters, doesn't really make sense."
Irving says the time is right for legislation that will give consumers peace of mind, although he says Iconosys is already very mindful of how it obtains and uses customer information, adhering to best practices already put in place by the Mobile Marketing Association (MMA).
"We have a triple opt-in process over here with all of our apps. So even though we don't collect GPS data, they do need to sign the User Licensing Agreement (ULA), they do get the ULA emailed to them and they do get an email notification that reminds them that they did sign the ULA," he says.
Irving, who has two kids who are on Facebook and using mobile phones, says the definition of privacy is changing in a fundamental way, as technology allows and even encourages people to disclose more about themselves in very public ways.
"The Gen Yers are kind of a peephole into the future, and watching how they live on the Internet, and live on Facebook… Fortunately, if we talk about it, people can be a little more cognizant and a little more aware of what they do share," Irving says.
In the end, Irving says that abusing a customer's trust by misusing their information is the last thing a respected app developer wants to do. "The last thing I want to do is to have to go pull a bunch of apps down and do a revision and send a bunch of apology letters … because an app wasn't protecting users. We're trying to be responsible and advanced, so that we're not faced with that kind of situation. We want to move forward."
Good for the Consumer, Good for the Brand
Alistair Goodman, CEO of Placecast, which offers location- and SMS-based mobile advertising solutions, says that the majority of his company's existing customers are pleased with the results of sharing their location and would do so in the future so long as it proves valuable to them and they have control.
"I think where this space is going is much more towards consumer choice and giving consumers full transparency as to how any data is used," Goodman says.
Placecast customers double opt-in to the company's program through an operator or a brand, he says, but stresses that his company always ensures that customers agree to the program once and then agree to share the location information in a separate instance.
Goodman says honoring the consumer's trust is first and foremost. Placecast only uses location information for the purposes of delivering someone an offer for something that they've already said they want and only when it's relevant. He adds that all of the information Placecast gathers is encrypted and the company dumps that data shortly after a consumer has acted on an offer.
So how does Goodman feel about Franken's legislation? "Spot on," Goodman says. "What Senators Blumenthal and Franken are proposing is really a practice that Placecast has been using with its clients for years now, with respect to our shop alerts program."
Like Irving of Iconosys, Goodman says that reasonable legislation can only foster a healthier relationship between the consumer and brands that want to create valuable experiences for their potential customers.
"Ultimately, brand marketers that do succeed in delivering a great experience for consumers are going to have their trust, and they're also going to have a great way of communicating with consumers when they're near a store and in the mindset to make a purchase," he says.
Devil in the Details
While legislation can certainly protect consumers, it can have unintended effects on an entire ecosystem. Julian Sanchez, a research fellow at the libertarian Cato Institute, says that Franken's proposal adds some legal muscle to best practices that on the whole are already being adhered to by most of the industry.
"The effect of this legislation I think will be to effectively push app developers to do something that they were already supposed to be doing, and maybe some of them weren't," Sanchez says, noting that both Apple and Google already require app makers to ask permission before they acquire any location information.
But Sanchez offers that location, which is all that is covered under Franken's bill, represents just a sliver of the information that modern smartphones collect. Sanchez says that even more worrisome than an application that relays location information are apps that relay information like a device's Unique Device ID (UDID), which can be used to re-identify data when it's combined with other data sets.
According to a report published by The Wall Street Journal that looked at 101 applications and what kind of information those apps are accessing and transmitting to third parties, fully 57 of those apps obtained a user's UDID and transmitted it to a third party.
While Sanchez says Franken's bill is all good and fine, he adds that legislators are going to want to look specifically at what the requirements and penalties are and how consent is supposed to be implemented.
As an example of how good intentions can pave the way to future problems, Sanchez points to a provision of the bill that requires companies that store more than 5,000 mobile phone records to be able to go in and delete those records at the user's request. "For example, cell phone providers use location data for network maintenance. So if you have random gaps in that data set, that can create an issue," he says, with the caveat that this is just an off-the-top suggestion as to the kinds of challenges this kind of legislation will face as it moves towards a vote.
As for stopping stalking, one of the legislation's key aims, Sanchez is skeptical. "For the most part, I'm assuming that people who do stuff like that are already committing the crime of stalking. This is the kind of behavior that is often illegal whether or not it's done by technological means."
Those concerns aside, Sanchez agrees with Irving and Goodman that rules like those being proposed can be a good thing for the industry on the peace-of-mind level.
"Rules like this can be beneficial in that even when apps are not doing anything wrong, sometimes consumers don't feel up to sorting through all these obtuse, legalistic privacy policies," he says, adding that consumers are also currently relying on companies like Apple and Google to do a certain amount of curating of malicious apps.