Root Cause of Privacy Furor: EULAs

People really care about the fact that their smartphones gather location data. It reached the frontpage of MSNBC.com with this article. It also inspired a flood of righteous indignation from Washington. From the article:

Why were Apple consumers never affirmatively informed of the collection and retention of their location data in this manner? Why did Apple not seek affirmative consent before doing so?

-Al Franken (D-Minn)

Collecting, storing and disclosing a consumer's location for commercial purposes without their express permission is unacceptable and would violate current law. That's why I am requesting responses to these questions to better understand Apple’s data collection and storage policies to make certain sensitive information can't be left behind for others to follow.

-Edward Markey (D-Mass)

It seems surprising that a large company like Apple wouldn't have tried to get consent from users to collect this location information, especially since it's so trivial to include it in the EULA which everyone agrees to anyway.

Oh, wait... (from the iPhone EULA, updated 5/8/09, available here)

(b) Location Data. Apple and its partners and licensees may provide certain services through your iPhone that rely upon location information. To provide these services, where available, Apple and its partners and licensees may transmit, collect, maintain, process and use your location data, including the real-time geographic location of your iPhone. The location data collected by Apple is collected in a form that does not personally identify you and may be used by Apple and its partners and licensees to provide location-based products and services. By using any location-based services on your iPhone, you agree and consent to Apple's and its partners' and licensees' transmission, collection, maintenance, processing and use of your location data to provide such products and services. You may withdraw this consent at any time by not using the location-based features or by turning off the Location Services setting on your iPhone. Not using these features will not impact the non location-based functionality of your iPhone. When using third party applications or services on the iPhone that use or provide locaiton data, you are subject to and should review such third party's terms and privacy policy on use of location data by such third party applications or services.

(emphasis in original)

I wonder how many of those Senators read the EULA before pontificating about Apple not getting consent for collecting location data. I wonder how many consumers who have privacy concerns about their location actually read the EULA before agreeing to it. My guess is that the answer to both questions is none. That isn't to say that there isn't a real problem. After all, I think there is a big conflict between EULAs and privacy, and that that conflict is a matter of significant public concern.

But unless there's more to the story than is currently being reported, the problem isn't that people's privacy rights have been violated, it's that they were inadvertently thrown away.

Data privacy legislation introduced

Per Wired.com, Senators Kerry and McCain have proposed legislation that would give web users the right not to be tracked while on line (the text of the bill can be found here). While this sounds like a step forward for consumer privacy, the legislation has not been well received by privacy advocates. According to the article:

The ACLU and others would prefer what is being touted as a “universal opt-out” in which consumers could one-stop shop and end all tracking by using a national registry of sorts. The Federal Trade Commission suggested such legislation in December.

“Consumers need strong baseline safeguards to protect them from the sophisticated data profiling and targeting practices that are now rampant online and with mobile devices. We cannot support the bill at this time,” Consumer Watchdog, Center for Digital Democracy, Consumer Action Privacy Rights Clearinghouse and Privacy Times wrote McCain and Kerry on Tuesday.

While I have concerns about the proposed legislation, I don't know that I agree with the sentiments expressed by quoted advocacy organizations. True, the bill could do more for privacy. However, the U.S. has generally been slow to enact laws protecting privacy, so letting the perfect be the enemy of the good in this case doesn't seem to make sense. Also, the bill (at least as proposed) does do more than prevent tracking. For example, for example, section 101 requires the FTC to make rules requiring covered entities to establish security measures to protect the data they do collect and section 202(A)(4) requires the FTC to make rules enabling individuals to correct information stored about them. There are also provisions requiring covered entities to design their products with privacy in mind (section 103) and to minimize the data they collect (section 301). These are all potentially helpful provisions, and the fact that they weren't mentioned indicates to me that the bill might not be getting all the credit it deserves.

With that having been said, I do have two problems with the bill that (if anyone were interested in my opinion) would stop me from supporting it. First, as mentioned in the Wired article, it preempts potentially more stringent state laws (section 405). This is a significant problem, as states are generally well ahead of the federal government on privacy issues. Second, it specifically states that it does not create any kind of private right of action (section 406). This is also a significant issue, since giving people the right to sue would likely result in much more vigorous enforcement of the law than simply relying on the FTC.

The bottom line for me is that, while the legislation includes a number of privacy protective features, its incompatibility with stronger state laws, as well as its lack of a private right of action mean that, if passed, it probably wouldn't help (and might even hurt) consumer privacy rights.