Out today is a proposed piece of legislation from Representative Ed Markey designed to protect consumers from being unfairly tracked in a mobile environment, and to inform them as to who is tracking them, where that information is going, and how it is being used. The bill also outlines standards for companies or other entities that do collect mobile consumer information to help keep it secure, among other requirements.
This post quickly and briefly examines the origins of the bill, details its broader strokes, excerpts the most strident initial complaint against it, synthesizes whether or not the bill is worthy of passage, and then outlines its potential timeline.
Do you recall the Carrier IQ debacle? Even if you do, a refresher is in order.
Carrier IQ touched off a controversy after it was discovered that the tool, useful as a diagnostic, could be used to track every button pressed on a phone. That fact led to lawsuits, and even to a ruckus that brought the FBI into the orbit of discussion.
Software built to allow consumers the ability to check if their phones had Carrier IQ on board revealed that hundreds of thousands did. It was a rather scandalous moment, as smartphone users became aware that their actions weren’t nearly as private as they might have thought.
This matters in regard to the Mobile Device Privacy Act because its progenitor, Mr. Markey, asked the FTC to investigate Carrier IQ. Even more, in the announcement of the new bill on the Representative’s website, several full sentences are used to bring Carrier IQ and its controversy into the discussion:
Media stories last year reported that that [sic] Carrier IQ software installed on millions of smart phones and mobile devices were tracking every keystroke of users and sending the information back to the software company without user knowledge or permission.
In short, much of the impetus for this bill stems from the fallout of the Carrier IQ episode.
In short, any entity that sells either a mobile service, a mobile device, or offers the download of a mobile application, which contains ‘monitoring software’ must inform the person that is being sold the service, device, or provided the application of that fact.
What must the consumer be told? Paraphrasing from the bill itself: That the monitoring software is installed, what type of information is being monitored and transmitted, with whom that information might be shared, how the information will be used, and what the consumer can do to prohibit further collection, even if they have provided permission in the past. Also, ‘additional information’ that the FTC deems appropriate must be provided.
If that reads like a strict and full list, that’s simply due to the fact that it is. The list of those who must disclose is likewise robust and granular.
What form must the disclosures take? That isn’t fully fleshed out, but it is required that disclosure be both “clear and conspicuous.” Several areas of the bill are handed off to later work, essentially being set as ‘to be determined.’ This provides flexibility inside of the bill while preserving the elements of it that are rigid, such as who must disclose, and what they must include therein.
The legislation also calls for standards to be set, and met, to protect collected information. This specific policy area is not to be trifled with, as work is currently undertaken to set standards for the disclosure of breaches of such data.
Next, the bill describes how breaches of the law, if enacted, are to be met. The Communications Act of 1934 is key in that regard, as it provides penal authority. However, the bill does reserve the right of attorneys general to prosecute breaches of the bill’s tenets. This gives the act extra teeth, as the number of parties that can pursue those breaking it is broader than it perhaps could have been.
Finally, if you are a consumer, what happens if you are abused under the rules prescribed? Unintentional infractions can be worth up to $1,000 per violation, whilst those intentional can ring up to $3,000 per violation. TNW is unsure of what exactly constitutes a ‘violation,’ but a cursory reading of the bill seems to leave open the door to a single person enduring several violations of the same character. This is to say that if an entity took down your information without permission several times, they would have committed a number of unique violations, even if they were of the same variety.
Despite the bill being a new and relatively short piece of potential law, reactions against it are already out.
Mark MacCarthy, of the Software & Information Industry Association, wrote a note strongly opposed to it. From that rebuttal:
Representative Ed Markey’s proposed mobile legislation, scheduled to be introduced today, is the wrong way to go. It would impose rigid privacy rules on the mobile industry that can only lead to stagnation and a loss of innovative dynamism. [...]
Rather than overregulating an industry that holds such potential for economic growth, Congress should be following the House Energy and Commerce Committee’s lead in supporting the industry.
That final note points to the hearings held today which TNW covered here.
TNW is unconvinced that the forced telling of consumers when and how they are being tracked would result in a precipitous decline in the app industry, such as Mr. MacCarthy insinuates. Indeed, Facebook has sharpened and strengthened the rules by which applications on its platform must detail to consumers how their information can be used, tracked, and modified. It is an obvious and useful parallel. Impact on development for Facebook’s ecosystem? Minimal to none, except that its users are now better informed and safer.
Scammy tactics should be called down as foul. This bill does nothing to prevent applications from collecting information in a safe, responsible, and transparent way.
TNW’s resident legal backstop Jeff Cormier, after a reading of the bill, provided the following notes to our editors:
As a consumer, I welcome these protections. The bill requires disclosure, provides increased consumer protection, and allows adequate recourse for violations. The extent of disclosure required, however, is yet to be determined. It’s definitely fair, and should not be described as overly strict. Instead it reads like a simple measure requiring disclosure when buying apps [or other specific services], much like any other purchase disclosure.
According to a report in The Hill’s excellent Hillicon Valley publication on the confluence of technology, politics, and policy, Rep. Mary Bono Mack, chairperson of the committee into which the bill has been introduced, has stated that, in the words of the report, “Markey’s bill likely wouldn’t see action until next year since it’s already so late in the congressional session.”
Thus like cybersecurity, we are on hold. That doesn’t mean that meaningful work might not be done on the legislation in the meantime.
TNW has an eye fixed on the bill. As its life continues, expect continuing coverage.
Top Image Credit: Andrew Malone