Apple iOS 4, the Evolution of Technology and Global Online Privacy Concerns

By Susan H. Stephan

Earlier this month, an investigation was launched into the Apple iOS 4 operating system and its data collection practices, apparently including the continuous collection and storage of user location data, up to one hundred times per day or more.1 Do the existing laws in any jurisdiction care about this? Does location data count as "personally identifiable information" warranting more stringent protection in some areas of the world?

Personally identifiable information (commonly known as "PII") is generally seen as any data about an individual that could be used to identify that person, for example, that person's name, email address, street address, telephone number, social security number, fingerprints, or DNA. The concept of PII carries through existing privacy laws in various nations and regions today, and PII often is seen to warrant higher protection than information that is not considered as personally or individually identifying.2

Increasing commercial use and commercial value of PII, in conjunction with the increasingly global nature of commercial transactions, make legal compliance challenging. There also is an overriding concern that privacy laws, still utilizing the traditional idea of what makes up PII and what does not, are not keeping up with the technical reality that what traditionally has been seen as non-PII (for example, geographical location, zip code, gender, and a computer's Internet Protocol ("IP") address) might actually be more identifying than it has been in the past.

From a business standpoint, it is valuable to know as much as possible about a consumer and what he or she typically is seeking. As technology progresses, the process of researching consumer behavior is becoming increasingly accurate and efficient in every way.

Although the practice of tracking a consumer's online activities over time has been possible since at least the advent of the World Wide Web, the level of sophistication of tracking technologies has risen precipitously. Online tracking of individuals is becoming more common and more pervasive. Most commercial websites download some form of tracking software onto users' computers, from cookies to recall user names and passwords to, more commonly, up to hundreds of files or programs being downloaded onto a computer by one website, most of which typically originate from companies that track and sell web user data.3 Many of these tracking files can predict a website visitor's age, gender and ZIP code, and they may also contain a code that generates an estimate of income, marital status, number of children and home ownership status. The resulting tracked information might be considered "anonymous" by most standards, as it identifies web users by a number assigned to their computer, not their name, US social security number, or other personal data.

The presence of tracking programs is not always apparent to an Internet user. These programs often come from hidden files within downloads or display ads. Certainly, consumers might appreciate the personalized experience that is made possible through a third party comprehensively tracking Internet behavior; but relevant, targeted ads are just one result of online data collection. This type of data is a significant source of revenue for web-based companies, and it stands to gain in net worth as more interested parties discover the value of collected information and are willing to pay for it. As a result, the regulation of tracked information, PII and non-PII alike, is of great national and international importance. Although some jurisdictions are attempting to keep up with online technologies, current laws do not comprehensively cover tracking technologies.

The European Union arguably has the most advanced online privacy regulations. EU Member States are required by privacy directives to prohibit listening, taping, storage or other kinds of interception or surveillance of communication and "related traffic," without consent. The Directive also restricts the retention and identifiability of data, restricts the use of cookies, and prohibits e-mail marketing akin to SPAM.4 Collectors of data in the EU must inform individuals regarding who is collecting their personal data, and individuals must be allowed to access their data and correct inaccuracies. In addition, in November of 2010, the EU's Commission submitted to the European Parliament's Council, Economic and Social Committee and Committee of Regions a strategy in the form of a formal Communication, for updating the EU's provisions for the protection of personal data, taking into account current challenges presented by globalization and new data collection and monitoring technologies.5

The most recent regulatory update would likely be that of the Republic of Korea (South Korea). In September 2011, South Korea will implement an omnibus privacy act, known as the Act on the Protection of Personal Data, which passed South Korea's Parliament in March of 2011. The 2011 Act makes South Korea's existing laws for the handling of personal data more specific, and requires consent before the collection and use of private data by public and private interests.

The People's Republic of China also has been working on draft Data Protection Laws since 2007; China's Ministry of Industry and Information Technology ("MIIT") continues to develop its draft and recently circulated for comment Draft Interim Measures for Supervision and Management of the Internet Information Service Market, which addresses Internet subscriber privacy to some extent.6 The development of China's Data Protection Laws is supported by the EU-China Information Society Project ("EUCISP"), a joint economic and social reform initiative of the EU and the Chinese government.7

Although US and Canadian regulatory agencies recognize the potential threat to personal privacy posed by behavioral tracking and targeted use of collected data, there is as of yet no specific law in Canada or the US that directly addresses newer technologies related to online or wireless mobile tracking, profiling and behavioral targeting. However, a "Do Not Track Me Online Act," H.R. 654, was proposed in Congress in February of 2011 and would require a consumer's "opt-out" mechanism from tracking. As of early 2011, a total of seven bills relating to online privacy have been proposed in Congress. In addition, the current US Presidential administration of Barack Obama formally announced support for a data privacy "Bill of Rights" with the goal of bringing US policy regarding behavioral tracking closer to the EU's approach.

So what will be the result of challenges to data tracking practices such as those that Apple apparently has undertaken through its iOS 4 platform? It will be interesting to see how the world reacts and how quickly rules and regulations evolve to address privacy dilemmas such as these.

Google has been the target of privacy-related lawsuits in many countries - including South Korea, Japan, Germany, Switzerland, Spain and across the US - regarding its "Street View" mapping cars that drove through neighborhoods across the globe to take photographs, admittedly collecting emails and other personal information from unsecured Wi-Fi networks along the way. Apple has already been named in a class action privacy lawsuit related to its data collection practices through its apps,8 and it will likely be sued in conjunction with its iOS 4 practices.

Based on the dynamics of our global network economy, the international community might be inclined to strive for an international convergence of privacy laws that apply to issues such as Apple's and Google's use of data, particularly with regard to the protection of PII and the right to consumer choice. However, similar efforts toward convergence, such as those involving a global standard for recognition and enforcement of basic human rights or laws relating to competition (antitrust in the US), have failed. Nonetheless, privacy regulations that address online data continue to evolve within national borders, and efforts to standardize privacy laws in cyberspace also continue internationally through the efforts of interests such as the Organization of Economic Cooperation and Development ("OECD") and the Asia-Pacific Economic Cooperation ("APEC").

Until we see a global "norm" related to online privacy standards, consumer rights and businesses' obligations continue to develop. If an individual or business owner has questions about online privacy laws, it is important to contact an attorney familiar with Internet privacy and data security requirements for an analysis of specific issues under the most current state of the myriad laws.

1 Edw Lynch, "Apple iOS 4 Has Been Secretly Tracking iPhone & iPad Users' Locations," laughingsquid.com (April 20, 2011), available at http://laughingsquid.com/apple-ios-4-has-been-secretly-tracking-iphone-ipad-users-locations/.

2 See, Seth Schoen, "What Information is 'Personally Identifiable'?" Electronic Frontier Foundation (September 11th, 2009), available at http://www.eff.org/deeplinks/2009/09/what-information-personally-identifiable.

3 Researchers at AT&T Labs found tracking technology on 80 percent of 1,000 popular websites, up from 40 percent of those sites in 2005. Julia Angwin, "The Web's New Goldmine: Your Secrets," Wall Street Journal Online (July 30 2010), available at http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html.

4 Directive 2002/58/EC.

5 Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, "A comprehensive approach on personal data protection in the European Union," available at http://ec.europa.eu/health/data_collection/docs/com_2010_0609_en.pdf.

6 The MIIT Draft Interim Measures are available at http://lawprofessors.typepad.com/files/aba-sal-sil-comments-on-china-miit-internet-interim-measures-finalfinal-comb.pdf. An English translation of the Draft Interim Measures is available at http://lawprofessors.typepad.com/files/interim-measures-for-supervision-and-management-of-internet-information-service-market-ito-trans-2.pdf.

7 Information on EUCISP can be found at http://ec.europa.eu/delegations/china/eu_china/information_society_and_media/range_activities/index_en.htm.

8 See, Charles Arthur, "Apple faces suit over app privacy leaks," The Guardian online (December 29, 2010), available at http://www.guardian.co.uk/technology/2010/dec/29/apple-lawsuit-breach-of-privacy.



