“We know that no one ever seizes power with the intention of relinquishing it.”
The above quote, taken from George Orwell’s novel 1984, seems to speak to the recent rise in privacy-affecting mobile apps and the companies behind them. The question remains, though, is the average user protected by the law?
In the past year, the Internet giant Facebook released a new feature for its mobile app. According to Yahoo! Finance, this feature allows Facebook to turn on your device’s microphone on its own, so that the app can listen to your surroundings. Ideally, this app feature was meant to create automatic Facebook updates based on what your microphone picks up, such as Watching Once Upon a Time or Listening to Elvis Presley. In light of its spying abilities, some have referred to the app as “breathtakingly creepy.”
Facebook has released a statement clarifying that the privacy settings on your device decide its access, but the “creepy” factor has not faded for many. This app and others like it are starting to raise important questions. Is this sort of intrusion widespread? How might the law protect the average consumer? This short post will attempt to provide an overview of these questions.
Big Google Is Watching You
Facebook is not alone in its uncomfortable tapping of personal data. In 2013, the New York Times ran an article stating that Google had entered into a settlement with 38 states after the company had willingly violated the privacy of state citizens by using its Google Street View vehicles to gather data such as emails through open Wi-Fi while on their mapping routes. Among the settlement requirements were a brand new privacy plan to be written in the subsequent six months and a fine by the Federal Trade Commission. Despite the settlements, the new privacy plan for Google does not seem to clarify any further protections for consumers.
Along with Facebook and Google, smaller applications like Angry Birds Star Wars have drawn fire for their lax treatment of information including phone contacts and location data. According to a 2010 study by Intel Labs, Penn State, and Duke University, 15 out of 30 Android apps that were studied sent “users’ geographic location to remote advertisement servers” without the users’ knowledge. Note that very few of the millions of apps available to any device have even been studied at all. Even with these prospects, is there legal protection?
Anything that you send through the Internet, from location data to emails to website visit information, could conceivably be available to third parties through data leaks and collection. Yet surprisingly, the federal statute book is thin on privacy protection when compared to growing state law.
One of the federal laws to clearly deal with this issue is the Children’s Online Privacy Protection Act of 1998 (“COPPA”). This act, and its subsequent Federal Trade Commission regulations, prevents “any operator of a Web site or online service directed to children . . . to collect personal information from a child in a manner that violates [federal law].” COPPA, in its newest incarnation, has been used to protect children under the age of 13 from data collection practices by mobile apps and websites. However, it is an outdated law, much like the other Internet privacy laws, and focuses on the notice and protection aspects of data collection rather than prevention.
A newly proposed law, though, may replace these older amended statutes. That law is the Personal Data Protection and Breach Accountability Act of 2014. This Senate bill would not only “[amend] the federal criminal code to impose a fine and/or prison term of up to five years for intentionally or willfully concealing a security breach involving sensitive personally identifiable information” but would also allow the average person to file civil actions against the companies and people that allow “security breaches” of personal data. Yet the law is still only proposed and would require that at least 10,000 people be affected as a statutory trigger. In light of the current federal hole, states have acted with mixed legislation.
According to a summary posted in January 2014 by the National Conference of State Legislatures, at least 22 states have some sort of data and privacy protection statute on their books. North Carolina is not among them. The focus of most of these statutes is to protect information on state governmental websites. Therefore, they tend to miss the interstate websites and applications that have been held responsible for data collection.
The current state of Internet Privacy Law in the face of data collection technologies is not ideal, but its outlook could be sunny as Congress begins to pass laws protecting against personal data breaches and as people continue to recognize these actions and respond. It is unlikely that Facebook, or any of its siblings, will stay double-plus good for long.
*Austin Griffin is a third-year law student at the Wake Forest School of Law. He holds a B.A. in English with foci in Medieval Literature and Rhetoric from the University of Florida in Gainesville, Florida. Upon graduation, he plans on entering into a legal career centered on sustainability and renewable energy.