Four Democratic US senators today asked the Federal Trade Commission to “investigate Apple and Google for engaging in unfair and deceptive practices by enabling the collection and sale of hundreds of millions of mobile phone users’ personal data.”
“The FTC should investigate Apple and Google’s role in transforming online advertising into an intense system of surveillance that incentivizes and facilitates the unrestrained collection and constant sale of Americans’ personal data,” they wrote. “These companies have failed to inform consumers of the privacy and security dangers involved in using those products. It is beyond time to bring an end to the privacy harms forced on consumers by these companies.”
The letter cited the Supreme Court decision overturning Roe v. Wade, saying that women “seeking abortions and other reproductive healthcare will become particularly vulnerable to privacy harms, including through the collection and sharing of their location data.” It continued:
Data brokers are already selling, licensing, and sharing the location information of people that visit abortion providers to anyone with a credit card. Prosecutors in states where abortion becomes illegal will soon be able to obtain warrants for location information about anyone who has visited an abortion provider. Private actors will also be incentivized by state bounty laws to hunt down women who have obtained or are seeking an abortion by accessing location information through shady data brokers.
iOS, Android “fueled unregulated data broker market”
The letter was sent to FTC Chair Lina Khan by Sens. Ron Wyden (D-Ore.), Elizabeth Warren (D-Mass.), Cory Booker (D-N.J.), and Sara Jacobs (D-Calif.). Apple and Google “knowingly facilitated these harmful practices by building advertising-specific tracking IDs into their mobile operating systems,” the senators wrote.
“Apple and Google both designed their mobile operating systems, iOS and Android, to include unique tracking identifiers which they have specifically marketed for advertising purposes,” the letter said. “These identifiers have fueled the unregulated data broker market by creating a single piece of information linked to a device that data brokers and their customers can use to link to other data about consumers. This data is bought or acquired from app developers and online advertisers, and can include consumers’ movements and web browsing activity.” Advertisement
While Apple has stopped enabling the tracking identifiers by default, the senators wrote that both companies harmed consumers:
Both Apple and Google now allow consumers to opt out of this tracking. Until recently, however, Apple enabled this tracking ID by default and required consumers to dig through confusing phone settings to turn it off. Google still enables this tracking identifier by default, and until recently did not even provide consumers with an opt-out. By failing to warn consumers about the predictable harms that would result by using their phones with the default settings that these companies chose, Apple and Google enabled governments and private actors to exploit advertising tracking systems for their own surveillance and exposed hundreds of millions of Americans to serious privacy harms.
Last week, Warren proposed legislation that would prohibit data brokers from selling Americans’ location and health data.
“Anonymous” identifiers can be linked to people
The advertising identifiers are “purportedly anonymous” but in reality “are easily linkable back to individual users,” the letter said. “This is because some data brokers sell databases that explicitly link these advertising identifiers to consumers’ names, email addresses, and telephone numbers. But even without buying this additional data, it is often possible to easily identify a particular consumer in a dataset of ‘anonymous’ location records by looking to see where they sleep at night.”
We asked Apple and Google for comment on the letter and will update this story if we get any response.
Update at 2:55 pm ET: Google responded to Ars, touting its efforts to block apps that violate Google Play policies and the bans it has imposed on companies that apparently sold user data. “Google never sells user data, and Google Play strictly prohibits the sale of user data by developers,” the company said in a statement. “The advertising ID was created to give users more control and provide developers with a more private way to effectively monetize their apps. Additionally, Google Play has policies in place that prohibit using this data for purposes other than advertising and user analytics. Any claims that advertising ID was created to facilitate data sale are simply false.”
Google also said its Android Privacy Sandbox will “enable new, more private advertising solutions that limit sharing of user data with third parties and operate without cross-party identifiers, including advertising IDs.” Ars reporter Ron Amadeo’s coverage of that initiative called it “toothless.”
EFF calls for action by Congress and tech companies
The senators’ letter was prepared before the official release of the Supreme Court’s abortion decision, which came out today after a draft was leaked in early May. Reacting to the court ruling today, the Electronic Frontier Foundation said it “underscores the importance of fair and meaningful protections for data privacy.”
“Everyone deserves to have strong controls over the collection and use of information they necessarily leave behind as they go about their normal activities, like using apps, search engine queries, posting on social media, texting friends, and so on,” the EFF said. “But those seeking, offering, or facilitating abortion access must now assume that any data they provide online or offline could be sought by law enforcement.”
The EFF urged state and federal lawmakers to “pass meaningful privacy legislation” and said companies should protect privacy “by allowing anonymous access, stopping behavioral tracking, strengthening data deletion policies, encrypting data in transit, enabling end-to-end message encryption by default, preventing location tracking, and ensuring that users get notice when their data is being sought.”
Last month, more than 40 Democratic members of Congress called on Google to stop collecting and retaining customer location data that prosecutors could use to identify women who obtain abortions. Lawmakers have also been working on comprehensive data privacy legislation, but no proposal is close to being passed.
