Apple MacBook Pro 2021 review Facebook Papers: The biggest takeaways Tesla cracks $1 trillion market cap Samsung's The Frame wall-art TV on sale Eternals review

Congressman wants FTC probe of iPhone tracking

Apple's explanation for location tracking, and promise of a fix, doesn't satisfy Rep. Jay Inslee (D-Wash.), who still wants a Federal Trade Commission investigation.

A Democratic congressman isn't satisfied with Apple's explanation of why iPhones keep track of their users' locations and wants a federal probe into the Cupertino software marker's privacy practices, CNET has learned.

Rep. Jay Inslee of Washington said through a spokesman yesterday that a Federal Trade Commission investigation is still needed to "ensure all the questions regarding this issue, including the lack of disclosure, are answered." Inslee said he has not received a response from Apple to a statement he sent out last week.

Inslee, who is a member of the House Energy and Commerce Committee, also said this is an example of why new federal laws and regulations restricting companies' data collection and use practices are necessary. Previously, in 2004, he introduced unsuccessful legislation called the E-Mail Privacy Act.

Declan McCullagh/CNET

Yesterday morning Apple posted a list of questions and answers on its Web site saying the iPhone's controversial location-history database, which caused significant controversy when publicized lack week, was a way to improve location services. Apple also acknowledged a "bug" that can cause an iPhone to store over a year of location data, saying that it shouldn't need to store more than seven days worth. (See CNET's list of related articles.)

Microsoft says it does not save location histories directly on Windows Mobile 7 devices, but acknowledges in in some circumstances it collects information including a unique device ID, details about nearby Wi-Fi networks, and the phone's GPS-derived exact latitude and longitude. Android devices store a limited amount of location information but transmit to Google current and recent GPS coordinates, nearby Wi-Fi network addresses, and two 16-letter strings apparently representing a device ID that's unique to each phone.

Apple did not immediately respond to a request for comment from CNET yesterday. Apple CEO Steve Jobs told All Things Digital that: "We haven't been tracking anybody's location and the files they found on these phones, as we explained, it turned out were basically files we have built through anonymous, crowdsourced information that we collect from the tens of millions of iPhones out there."

The remarks from Inslee, who represents the congressional district that includes Microsoft's Redmond, Wash., headquarters, indicate that legislative concern hasn't evaporated in the wake of Apple's announcement, which promised some of the points of concern would be addressed through a free software update "in the next few weeks."

Rep. Marsha Blackburn, a Tennessee Republican who has stressed the need for a free-market approach to technology companies and the Internet, hinted that a House of Representatives hearing is in the works. Blackburn is the vice chairman of a House Energy and Commerce subcommittee and signed a letter to Jobs earlier this week asking him to answer questions about Apple's iOS software and privacy.

"(Rep.) Blackburn finds Apple's response encouraging but is eager to hear from companies and their engineers directly," a spokesman told CNET yesterday. "This is further evidence that interaction between consumers and providers in the free marketplace is the best way to protect privacy, property, and innovation."

Sen. Al Franken (D-Minn.) has asked Google and Apple to appear at a Senate hearing scheduled for May 10, and Illinois Attorney General Lisa Madigan also has asked for a meeting. A lawsuit seeking class action status has been filed in Tampa, Fla.

To make applications like maps work, of course, it's necessary for a smartphone or tablet to transmit its GPS coordinates to a remote server--and, in exchange, receive nearby restaurant reviews, driving directions, and so on.

Privacy concerns arise when a unique device ID is transmitted, which allows a company to track a customer's whereabouts over an extended period of time. Randomizing the device ID frequently would alleviate some concerns.

Both Android and Windows Phone 7 devices appear to transmit unique IDs, and Google and Microsoft have declined to elaborate on that point. For its part, Apple says the data is sent "in an anonymous and encrypted form" and "Apple cannot identify the source of this data."

Inslee's letter to FTC chairman Jon Leibowitz says: "Following the purchase of an iPhone, a citizen's movements were tracked, recorded, stored permanently and left unprotected on numerous devices - all without their informed consent. Mobile users deserve better.

Apple said yesterday it uses the location information as part of a "crowd-sourced Wi-Fi hotspot and cell tower database" to help speed up location fixes. Google appears to use the location data from Android phones to offer features like traffic data on city streets. And Microsoft says transmitting the whereabouts of nearby Wi-Fi networks can aid in location fixes and avoid a negative "impact on mobile phone users by increasing data charges and draining the battery."

Another privacy concern is that location databases can be a gold mine for police or civil litigants: requesting cell phone location information from wireless carriers has already become a staple of criminal investigations, often without search warrants being sought. Even before last week's disclosure, the relatively cloistered computer forensics industry has been using the ability to extract location histories from iPhones as a sales pitch to customers in police, military, and intelligence agencies.

Even though police are tapping into the locations of mobile phones thousands of times a year by contacting AT&T, Verizon, and other carriers, the legal ground rules remain unclear, and federal privacy laws written a generation ago are ambiguous at best. The Obama Justice Department has claimed that no warrant is required for historical location information, a claim opposed by a coalition of companies including Google and Microsoft but not Apple. (CNET was the first to report on warrantless cell tracking in 2005.)

Here's a copy of Rep. Inslee's letter to the Federal Trade Commission, which he says he still stands behind:

April 22, 2011

The Honorable Jon Leibowitz, Chairman
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580

Dear Chairman Leibowitz:

I am writing to express concern over recent revelations that Apple's iPhone continuously records and archives the location of its users. Two researchers discovered this practice and presented their findings to a conference on location-aware technology on April 20, 2011. I believe this discovery warrants a Commission review of the ubiquity of this type of activity and the methods of disclosure to customers.

Citizens expect to be able to know the extent to which their private information is being collected. In this case, Apple's only apparent disclosure comes buried in the vaguely worded language of a lengthy terms and conditions agreement. Furthermore, agreement on the part of the user is apparently granted simply by "using location-based services on your iPhone." The fact that no iPhone user was aware of this activity until two tech-savvy researchers stumbled upon it illustrates the lack of adequate disclosure. Nor is it clear that the recommended opt-out mechanism (turning off global Location Services) prevents this data collection from continuing. In total, following the purchase of an iPhone, a citizen's movements were tracked, recorded, stored permanently and left unprotected on numerous devices - all without their informed consent. Mobile users deserve better.

The mobile ecosystem continues to offer consumers unprecedented capabilities. Nonetheless, with these powerful tools comes a responsibility to ensure the hundreds of millions of mobile phone users are aware of the types of data collection occurring. It is currently unclear how pervasive this practice is across the wireless device industry and the extent to which it has been disclosed to consumers. I respectfully ask that the Commission carefully investigate this disturbing discovery and determine the size and scope of this activity. As part of this investigation, I encourage the Commission to gain a full understanding of the purpose behind this data collection, the length and extent of this data collection, the method and extent of customer notification, the tools provided to users to prevent this activity and the degree of data protection.

I look forward to the Commission's prompt attention to this important matter.


Jay Inslee

Updated 9:12 a.m. PT to clarify that what Rep. Inslee released last week was a statement.