FTC, Big Carriers, at Odds on Mobile Privacy
Other government initiatives to protect mobile privacy are already well under way and the FCC doesn’t need to impose regulations of its own, AT&T and Verizon Wireless said. Their comments responded to a May 25 public notice about carrier practices on network diagnostic information stored on mobile devices. Both companies also assured the FCC they are taking steps on their own to protect consumer privacy. FTC staff suggested carriers and others need to do more to protect consumer privacy. “Providers of mobile products and services must do a much better job of providing consumers with basic information about what information they are collecting, how it is used, and what third parties gain access to it,” staff said.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
"Given the wide range of industry participants collecting and using customer data, a single, comprehensive approach that encompasses all mobile services would be far superior to a piecemeal regulatory approach in which individual agencies impose different rules for whichever small slice of data falls within their jurisdictions,” AT&T said (http://xrl.us/bng2nn). “Rules that single out telecommunications services, while ignoring the large majority of other services and service providers that obtain and use substantially the same (or more) consumer information, are anachronistic in the new mobile landscape. As such, they are neither effective in protecting consumer privacy and security, nor conducive to job creation and innovation.” Any regulation that applies just to telecom “leaves these services subject to outdated marketing restrictions that go far beyond protections needed to safeguard consumer privacy,” AT&T said. “Yet at the same time, those rules have no applicability to mobile applications and other services that are growing rapidly and, in some cases, raising privacy and security issues."
AT&T said mobile privacy initiatives under way at the FTC and NTIA may obviate the need for the FCC to impose rules. The FTC is “particularly well-suited to spearhead development and enforcement of federal consumer privacy policy (along with state attorneys general who provide complementary enforcement at the state level),” the carrier said. AT&T also said the FCC has a role to play: “The Commission can and should use its expertise to support the FTC, the NTIA, and industry stakeholders in their development of a privacy and security framework that applies equally to each service and service provider in the mobile marketplace."
AT&T Senior Vice President Bob Quinn also blogged on the issue Monday (http://xrl.us/bng2tr). “To provide a level playing field in this new marketplace and thoughtfully address privacy issues, policymakers should take into account all the different ways real folks communicate in the 21st century -- not just one player in that ecosystem which is the traditional way the FCC is empowered to view the world,” he wrote. “And any government oversight must be applied equally and fairly. Any regulatory disparity will skew competition and ultimately deny consumers the benefits of real advances in privacy and security protections."
Many parts of any wireless device, including “Wi-Fi connectivity, GPS capability, the SD card, and the web browser” are “accessible to other players,” Verizon Wireless explained (http://xrl.us/bng2pc). “Service providers do not have the technical capability to restrict many of the most significant device functions that enable access to consumer data. For example, the service provider cannot restrict all features of the device Operating System (OS), which controls how apps request and use device resources. And where an OS platform is based on an open ecosystem, most of the device Application Programming Interfaces (APIs) are publicly available to any app the customer may download from the Internet.” The very openness of the Internet has “profound implications for the Commission’s inquiry here,” Verizon said. “In short, because consumers are largely free to use the apps they desire, without interference by the service provider, the service provider in turn is necessarily precluded from playing any meaningful ‘gatekeeper’ role with respect to consumer privacy."
FTC officials have testified twice to Congress on the issue and “expressed strong concerns about the lack of basic privacy protections on many new and emerging mobile products and services,” that agency’s filing said (http://xrl.us/bng2qw). A report that commission released in March (http://xrl.us/bmzh4v) on consumer privacy “notes that the unique features of a mobile phone -- which is highly personal, almost always on, and travels with the consumer -- have facilitated unprecedented levels of data collection,” the agency said. “It also noted the potential for mobile devices to collect and retain location information, that could be used to build detailed profiles of consumer movements over time and could be used in ways not anticipated by consumers.” The staff recently released a report on mobile apps for children. It “found that in virtually all cases, neither app stores nor app developers provide disclosures that inform parents what data the apps collect from children, how the apps share the data they collect, or with whom they share the data,” the FTC said.
Verizon Wireless noted that NTIA has already launched an “important consultation among a wide array of privacy advocates, academics, industry representatives, and others” aimed at developing a code of conduct for mobile privacy (CD July 13 p7). “Imposing new privacy-related rules on service providers alone, however, would not accomplish the goal of protecting data stored on mobile devices, and could give customers a false sense of security,” the carrier said. “The ultimate policy goal should be to protect sensitive information from all unauthorized access, and any measures addressing a narrow subset of the ecosystem simply will not adequately protect consumers. Again, the only way to truly protect consumers today is through a comprehensive privacy framework that establishes technology-neutral codes of conduct that apply to all players.”