Four U.S. Democratic senators today called on the Federal Trade Commission to “investigate Apple and Google for engaging in unfair and deceptive practices by enabling the collection and sale of hundreds of millions of cell phone users’ personally identifiable information.”
“The FTC should examine Apple’s and Google’s roles in transforming online advertising into an intensive surveillance system that encourages and facilitates the unrestricted collection and ongoing sale of Americans’ personal information,” they wrote. “These companies have failed to educate consumers about the privacy and security risks associated with using these products.”
The letter cited the Supreme Court decision overturning Roe v. Wade, and said that women “who seek abortions and other reproductive health care become particularly vulnerable to data breaches, including through the collection and sharing of their location data.” It went on:
Data brokers are already selling, licensing, and sharing the location information of people who visit abortion providers with anyone with a credit card. Prosecutors in states where abortion is becoming illegal will soon be able to obtain warrants for location information on anyone who has visited an abortion provider. Private actors are also incentivized by state bounty laws to prey on women who have had or are seeking an abortion by accessing location information through shady data brokers.
iOS, Android “fueled unregulated data broker market”
The letter was sent to FTC Chairperson Lina Khan by Sens. Ron Wyden (D-Ore.), Elizabeth Warren (D-Mass.), Cory Booker (D-N.J.) and Sara Jacobs (D-Calif.). Apple and Google “knowingly facilitated these malicious practices by incorporating advertising-specific tracking IDs into their mobile operating systems,” the senators wrote.
“Apple and Google have both designed their iOS and Android mobile operating systems to include unique tracking identifiers, which they have specifically marketed for advertising purposes,” the letter reads. “These identifiers have fueled the unregulated data broker market by creating a single piece of information linked to a device that data brokers and their clients can use to link with other data about consumers. This data is bought or acquired by app developers and online advertisers, and may include consumer movements and Internet browsing activity.”
While Apple stopped enabling tracking identifiers by default, the senators wrote that both companies harmed consumers:
Both Apple and Google now allow consumers to opt out of this tracking. However, until recently, Apple enabled this tracking ID by default and consumers had to dig through confusing phone settings to turn it off. Google still enables this tracking identifier by default and didn’t even provide consumers with an opt-out until recently. By failing to warn consumers of the foreseeable harms that would come from using their phones with the default settings these companies chose, Apple and Google allowed governments and private actors to use ad-tracking systems for their own surveillance, and exposed hundreds of millions of Americans to serious data breaches.
Last week, Warren proposed legislation that would ban data brokers from selling Americans’ location and health data.
“Anonymous” identifiers can be linked to individuals
The advertising identifiers are “allegedly anonymous”, but in reality “can easily be linked back to individual users”, the letter says. “That’s because some data brokers sell databases that explicitly associate these advertising identifiers with consumers’ names, email addresses, and phone numbers. But even without buying this additional data, it’s often possible to identify a specific consumer in a dataset of ‘Anonymous’ location records by looking up where they sleep at night.”
We have reached out to Apple and Google for comment on the letter and will update this story when we receive a response.
Updated at 2:55pm ET: Google responded to Ars, touting its efforts to block apps that violate Google Play policies and the bans it has imposed on companies that appear to have sold user data. “Google never sells user data, and Google Play strictly prohibits the sale of user data by developers,” the company said in a statement. “The Advertising ID was created to give users more control and a more private way for developers to effectively monetize their apps. In addition, Google Play has policies prohibiting the use of this data for any purpose other than advertising and user analytics created to facilitate data sales are simply wrong.”
Google also said that its Android Privacy Sandbox will “enable new, more private advertising solutions that restrict the sharing of user data with third parties and work without bipartisan identifiers, including advertising IDs.” Ars reporter Ron Amadeo’s coverage of this initiative called it “toothless.”
EFF calls on Congress and technology companies to act
The senators’ letter was prepared ahead of the official release of the Supreme Court’s abortion decision, which came out today after a draft was leaked in early May. In response to today’s court ruling, the Electronic Frontier Foundation said it “underlines the importance of fair and meaningful privacy protections.”
“Everyone deserves to have strong control over the collection and use of information that they inevitably leave behind when going about their normal activities, such as using apps, searching in search engines, posting on social media, texting friends, and so on,” said the EFF. “But those who seek, provide or facilitate access to abortion must now assume that any data they provide online or offline could be obtained by law enforcement.”
The EFF called on state and federal lawmakers to “enact meaningful privacy laws” and said businesses should protect privacy “by allowing anonymous access, stopping behavioral tracking, strengthening data erasure policies, encrypting data in transit, enabling end-to-end message encryption by default, preventing location tracking, and ensuring users are notified when their data is being sought.”
Last month, more than 40 Democratic congressmen asked Google to stop collecting and storing customer location data that prosecutors could use to identify women who are having abortions. Legislators have also been working on comprehensive data protection legislation, but no proposal is close to adoption.