Smartphone App Developers Being Criminally Investigated Over Privacy Issues?

A couple of stories about mobile phones and your privacy, or lack thereof, that have appeared recently that I thought would be on interest.

A few weeks ago, there was a story in the New York Times about a German Green party politician by the name of Malte Spitz who discovered that his movements - apparently along with other German mobile phone users - were being continuously and routinely tracked by Deutsche Telekom. The Times article states that:

"In a six-month period - from Aug 31, 2009, to Feb. 28, 2010, Deutsche Telekom had recorded and saved his longitude and latitude coordinates more than 35,000 times."

This is not entirely surprising given Deutsche Telekom needs - as do all other mobile phone companies - to track the location of a mobile phone user. The Times article noted that:

"Every seven seconds or so, the phone company of someone with a working cell phone is determining the nearest tower, so as to most efficiently route calls. And for billing reasons, they track where the call is coming from and how long it has lasted."

Okay, so what's the big deal?

Well, it turns out that Deutsche Telekom wasn't using the cell tower information to track Mr. Spitz's location, but used instead information relating to how often he checked his email.

Mr. Spitz sued Deutsche Telekom for the location data it kept on him, and then turned it over to ZEIT Online, which combined it with "information relating to his life as a politician, such as Twitter feeds, blog entries and web sites, all of which is all freely available on the Internet." ZEIT Online next created a visual trip map of Mr. Spitz life from August 2009 to February 2010, which illustrated the detail that can be gathered about an individual using mobile phone company geographical data and public information.

It's a bit scary.

You can read a full story about what ZEIT Online did with Mr. Spitz's data here.

US telecom companies do not have to state - and are very reluctant to disclose - what information they collect on cell phone users (or how they collect it) and who in addition to law enforcement they provide this information, like marketing companies. The Times notes, for instance, that Verizon's privacy policy states in part that:

"Information such as call records, service usage, traffic data... [may be used for] ... marketing to you based on your use of the products and services you already have, subject to any restrictions required by law."

Which brings us next to this story appearing today about the issue of your privacy, your smartphone, and the information those apps on your phone might be collecting and sending to third parties without your knowledge. 

Apparently, the US Justice Department has launched a criminal investigation aimed at the application developers for Apple and Google smartphones. According to this story in the Financial Times of London, Pandora Media - a streaming music radio broadcast service - disclosed in an amended IPO form to the US Security and Exchange Commission that it had received a subpoena from the US Attorney for New Jersey. This made what was a secret investigation public knowledge.

In the section discussing Pandora's IPO risk factors, the amended form states that:

"... in early 2011, we were served with a subpoena to produce documents in connection with a federal grand jury, which we believe was convened to investigate the information sharing processes of certain popular applications that run on the Apple and Android mobile platforms. While we were informed that we are not a specific target of the investigation, and we believe that similar subpoenas were issued on an industry-wide basis to the publishers of numerous other smartphone applications, we will likely incur legal costs related to compliance with the subpoena, management’s attention could be diverted and there is no guarantee that we will avoid costly litigation. Any claims or allegations that we have violated laws and regulations relating to privacy and data security could result in negative publicity and a loss of confidence in us by our listeners and our advertisers, and may subject us to fines by credit card companies and loss of our ability to accept credit and debit card payments."

The FT article says that the US Attorney for New Jersey, Paul J. Fishman, who is thought to be leading the investigation, has refused comment about what he is investigating.

A related article appearing in the Wall Street Journal states that its sources indicate that the criminal probe is looking into "whether the app makers fully described to users the types of data they collected and why they needed the information," for example, are smartphone apps giving information to advertising networks without smartphones users being aware of it.

The WSJ reports that app developers who send information such as the smartphone "user's age, gender, and location, as well as unique identifiers for the phone," to third parties may be in violation of the Computer Fraud and Abuse Act.

The WSJ story also states that the US Attorney has asked Apple and Google "to provide information about the applications and app makers." Many of the app developers the WSJ contacted have refused to say whether the US Attorney has sent them subpoenas.

The FT article quotes Scott A. Kamber, Managing Partner of KamberLaw, who has filed numerous class action lawsuits for clients alleging privacy violations by a wide-range of Internet companies, including Pandora, as saying:

"This [the US Attorney investigation] is a particularly interesting example of just how much is happening on people’s phones that the average consumer is completely unaware of."

Given also Mr. Spitz's experience, that's probably an understatement.

Advertisement

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 
Advertisement