The U.S. Supreme Court heard oral arguments in what may become one of the defining consumer privacy cases of our generation. The central question in Carpenter v. United States asks whether the government violates the Fourth Amendment by accessing an individual’s historical cell phone locations records without a warrant. The Court’s decision, expected by June 2018, could draw a more concrete legal line for what constitutes “reasonable search and seizure” when government agencies seek to gather potentially incriminating smartphone data from third-party communication providers. The outcome of the case may significantly reshape consumer expectations of electronic privacy, and even alter the disclosures companies across all sectors must make in their privacy policies.
Written by Amy Malone, CIPP/US
In 2013 geolocation and biometrics were hot topics. Apple included a fingerprint reader on the new iPhone which was either really cool or an epic fail depending on your viewpoint, and Google and the NSA are tracking our every move.
While Edward Snowden’s revelations may have been eye opening (and headline-grabbing), the government has long been first in line to develop and use technology like geolocation and biometrics. Homeland Security insists that biometrics are essential in national defense – identify and stop the bad guys. The feds have also pushed biometrics in immigration reform bills for over a decade and continue to push that legislation forward. And your location? Well, law enforcement has been conducting warrantless geolocation tracking for years!
States have also been active in this area – passing legislation to allow the storage of the high resolution photos they take of you at the DMV in a searchable data base. Many states allow federal and state law enforcement officials to search those databases. Most legislation is aimed at limiting government use of this information, but the winds may be turning…
Currently, no federal law limits a private entity’s ability to collect, use or disclose biometric information. Cybersecurity has been a hot button issue over the last few years and legislation has been introduced, but no legislation regarding private use of biometric data has been passed. The Cyber Privacy Fortification Act has been introduced a few times and was reintroduced in March. This legislation could be passed in 2014; it would require covered entities to provide notice to the FBI or the United States Secret Service of “major” security breaches of “sensitive personally identifiable information,” which by definition in the legislation includes unique biometric data.
Despite the current lack of proposed legislation, legislators are definitely paying attention to this area. Senator Franken has repeatedly taken aim at the use of biometrics and recently questioned Apple about their use of fingerprint readers on the iPhone and urged the Department of Commerce to develop best practices for facial recognition technology. The National Telecommunications and Information Administration responded to Franken’s request by announcing the kick-off of a privacy multistakeholder process to implement the Consumer Privacy Bill of Rights in the field of facial recognition.
With Senator Franken pushing and the multistakeholder process moving forward, there’s a good chance we will see new legislation aimed at regulating biometric information in 2014.
As this technology has flowed into our everyday lives we’ve seen some states take action by regulating the collection and use of biometric information. Both Illinois and Texas have laws restricting a private entities use and disclosure of biometric information and several other states have laws governing the disposal of biometric information. A few states also include biometric data in their definition of “personal information” and require notice to data owners in the event of a data breach involving that information.
In 2014 Alaska may pass its proposed House Bill No. 144, which is similar to the laws in Illinois and Texas. The law requires covered entities to provide notice and obtain written consent from individuals prior to the collection of their biometric information and provides for an individual cause of action. It would not be a surprise to see other states move forward in the biometric regulation area in 2014.
With the advent of smartphones came the love-hate relationship with geolocation. We love when Siri gives us the name of a great restaurant that is up the street, but we are creeped out when we discover she’s been tracking our every move, even when we aren’t trying to locate that hip hangout.
Like with biometrics, the government has been all over geolocation technology for some time now and courts are playing catch up. The big question today is whether police need warrants to obtain the location information of suspects. Decisions around the country have been all over the map. In July the New Jersey Supreme Court overturned an appellate decision and ruled that the use of cell phone information obtained by police without a warrant from a wireless provider violates the suspect’s constitutional rights under the Fourth Amendment of the New Jersey Constitution. It’s possible that in 2014 the US Supreme Court will take this matter up for review.
Most legislation in this area has focused on limiting the government’s ability to collect and use geolocation information. The Geolocation Privacy and Surveillance Act was reintroduced in 2013, and the bill requires government agencies to obtain a warrant to obtain geolocation information in the same way they currently get warrants for wiretaps.
On the state level, both Maine and Montana have laws requiring law enforcement agencies to get a warrant before they can obtain location information of an electronic device. Texas, Maryland Ohio, Colorado, California, and Illinois introduced similar bills this year, and we expect to see more state legislative activity in this area in 2014.
In the private sector, geolocation is an exploding industry. In an attempt to compete with online competitors (who can easily track your every move) brick and mortar retailers use geolocation tracking via your mobile device to gather specific information on your shopping habits – like how long you stayed in the store, whether you went to the register, how long you waited in line and where the store hotspots are located. In 2013 we saw this type of tracking blow up in Nordstrom’s face, but that did not stop Apple from rolling out its iBeacon in its own company stores in the U.S., or Macy’s from piloting the iBeacon technology in a few of its stores this holiday season. We expect that 2014 will bring more new and creative technology to retailers who will use that to find new ways to find us — and monetize mobile location information.
Mobile app providers are also trying to get your geolocation information to improve their bottom line. The New Year rings in with Twitter tapping into its location data. Twitter just entered into an agreement with a provider for location intelligence technology which Twitter will use to support location sharing in tweets. A news source reports, “Twitter will have an option to combine that location data for tweets with buying patterns, behaviors, preferences and influencers, and cross-reference it with nearby stores or other mobile users within an individual’s social network. It uses a smartphone’s GPS signal to pinpoint a location.”
Although we have not seen laws regulating the private sector’s collection of geolocation information, we blogged recently about the release of the Mobile Location Analytics Code of Conduct. The Code is a self-regulatory framework of seven principles for services provided to retailers by mobile location analytic companies.
If a voluntary framework doesn’t ease your worried mind, maybe an app to block location tracking will? Android users can now download an app to do just that!