Pandora gets subpoena in grand jury app probe

Online music provider Pandora Media disclosed in a filing to the Securities and Exchange Commission today that it has received a subpoena related to a federal grand jury investigation about sharing customer information in its smartphone app.

The company, which filed for an initial public offering with the SEC earlier this year, added the latest tidbit of information regarding the grand jury subpoena to its S-1 today. The disclosure was listed under potential risk factors for investors interested in participating in the IPO.

Pandora said in the filing that it believes it is one of several Internet publishing companies with mobile apps to receive the federal grand jury subpoena. The company didn't disclose the location of the grand jury or any other specific information related to the grand jury investigation.

"In early 2011, we were served with a subpoena to produce documents in connection with a federal grand jury, which we believe was convened to investigate the information sharing processes of certain popular applications that run on the Apple and Android mobile platforms. While we were informed that we are not a specific target of the investigation, and we believe that similar subpoenas were issued on an industry-wide basis to the publishers of numerous other smartphone applications, we will likely incur legal costs related to compliance with the subpoena, management's attention could be diverted and there is no guarantee that we will avoid costly litigation. Any claims or allegations that we have violated laws and regulations relating to privacy and data security could result in negative publicity and a loss of confidence in us by our listeners and our advertisers, and may subject us to fines by credit card companies and loss of our ability to accept credit and debit card payments."

Several smartphone applications, including Pandora, monitor consumers' behavior to get more information that helps advertisers target individuals. For example, Pandora collects information such as gender, ZIP code, music preferences, and other information contributed to a user's profile to provide more targeted advertising.

These applications have recently come under fire as officials question whether these apps violate consumers' privacy. Several civil lawsuits have been filed against application companies, such as Pandora. And Apple, which certifies mobile applications for its App Store that provides mobile applications to the iPhone, iPad, and iPod Touch, has also been named in several class action lawsuits.

The subpoena that Pandora disclosed in its filing is an indication that the government is now looking into the case as a criminal matter. The Wall Street Journal reported late Monday that an unnamed source said that federal prosecutors in New Jersey are investigating whether smartphone applications illegally obtain or transmit information about their users without proper disclosures.

The newspaper reports that the investigation is looking into whether the application makers disclosed to users that their data was being collected and why that data needed to be collected. Collecting information about a user without proper notice or authorization could violate a federal computer-fraud law, the paper reports.

The criminal investigation and class action lawsuits were likely prompted by an article by the Wall Street Journal published in December. In that story, the paper examined 101 mobile applications and found that many were sending information to marketers without the consent of users.

The article highlighted privacy concerns and since then class action lawsuits have been filed against Apple and other companies, including Pandora, Paper Toss, Weather Channel, Dictionary.com, Yelp, NPR, and WebMD. Mobile advertising and analytics providers Flurry, Medialets and Pinch Media, have also been named in a lawsuit filed in February in the U.S. District Court for the Northern District of California in San Jose.

The lawsuits allege that Apple and the other defendants have violated the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act.

In the suit filed in February, the plaintiffs claim these companies had gained unauthorized access to mobile devices Apple, including the iPhone, iPad and iPod Touch to "access, collect, monitor, and remotely store, electronic data," including the user's unique device identifier (UDID). This is similar to a serial number in that it belongs to each specific iOS device. Furthermore, the suit alleges that Apple is at fault for not making it clear that this information was being passed along to the makers of these apps and services, thus giving the companies an easier way to track user activity.

Along with the privacy implications, the lawsuit alleges that the underlying technology, which is transmitting this information elsewhere, is actually slowing devices down. This is something made worse, the plaintiffs say, because said services could not be disabled.

Pandora was specifically mentioned in the Wall Street Journal article in December. In that article, the newspaper said it found that the app sends age and gender information to marketers to target advertising.

The Mobile Marketing Association, an industry association for marketers, has also begun calling for best practices to be used among its members to help protect consumer privacy. The group has asked marketers and app developers to provide consumers with a more transparent view of the process of how they gather information and what they do with that information. The MMA has also called on more companies join its privacy committee, which sets up certain guidelines for online data collection.

The government is also getting involved in the issue. In January, the Federal Trade Commission released a report on online privacy in which it discussed the idea of a "do not track" for the Web policy, similar to the current "do not call" list that bans telemarketers from calling people.

A representative from Pandora declined to comment. Apple and Google, which also operates a mobile application store, did not respond to requests for comment.

Updated 3:50 p.m. PT:: This story was updated with more background information and updated information from the Wall Street Journal

CNET reporter Josh Lowensohn contributed to this report.