[Senate Hearing 113-781]
[From the U.S. Government Publishing Office]
S. Hrg. 113-781
THE LOCATION PRIVACY PROTECTION
ACT OF 2014
=======================================================================
HEARING
before the
SUBCOMMITTEE ON PRIVACY, TECHNOLOGY
AND THE LAW
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
JUNE 4, 2014
__________
Serial No. J-113-63
__________
Printed for the use of the Committee on the Judiciary
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
U.S. GOVERNMENT PUBLISHING OFFICE
97-739 PDF WASHINGTON : 2016
_________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet:bookstore.gpo.gov. Phone:toll free (866)512-1800;DC area (202)512-1800
Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001
COMMITTEE ON THE JUDICIARY
PATRICK J. LEAHY, Vermont, Chairman
DIANNE FEINSTEIN, California CHUCK GRASSLEY, Iowa, Ranking
CHUCK SCHUMER, New York Member
DICK DURBIN, Illinois ORRIN G. HATCH, Utah
SHELDON WHITEHOUSE, Rhode Island JEFF SESSIONS, Alabama
AMY KLOBUCHAR, Minnesota LINDSEY GRAHAM, South Carolina
AL FRANKEN, Minnesota JOHN CORNYN, Texas
CHRISTOPHER A. COONS, Delaware MICHAEL S. LEE, Utah
RICHARD BLUMENTHAL, Connecticut TED CRUZ, Texas
MAZIE HIRONO, Hawaii JEFF FLAKE, Arizona
Kristine Lucius, Chief Counsel and Staff Director
Kolan Davis, Republican Chief Counsel and Staff Director
------
Subcommittee on Privacy, Technology and the Law
AL FRANKEN, Minnesota, Chairman
DIANNE FEINSTEIN, California JEFF FLAKE, Arizona, Ranking
CHUCK SCHUMER, New York Member
SHELDON WHITEHOUSE, Rhode Island ORRIN G. HATCH, Utah
CHRISTOPHER A. COONS, Delaware MICHAEL S. LEE, Utah
MAZIE HIRONO, Hawaii JOHN CORNYN, Texas
LINDSEY GRAHAM, South Carolina
Alvaro Bedoya, Democratic Chief Counsel
Elizabeth Taylor, Republican Chief Counsel
(II)
C O N T E N T S
----------
JUNE 4, 2014, 2:35 P.M.
STATEMENTS OF COMMITTEE MEMBERS
Page
Flake, Hon. Jeff, a U.S. Senator from the State of Arizona....... 4
Franken, Hon. Al, a U.S. Senator from the State of Minnesota..... 1
prepared statement........................................... 142
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont,
prepared statement........................................... 141
WITNESSES
Witness List..................................................... 37
Atkinson, Robert D., Ph.D., President, The Information Technology
and
Innovation Foundation, Washington, D.C......................... 22
prepared statement........................................... 115
Goldstein, Mark L., Director, Physical Infrastructure Issues,
U.S. Government Accountability Office, Washington, D.C......... 8
prepared statement........................................... 60
Greenberg, Sally, Executive Director, National Consumers League,
Washington, D.C................................................ 21
prepared statement........................................... 99
Hanson, Bea, Principal Deputy Director, Office on Violence
Against Women, U.S. Department of Justice, Washington, D.C..... 5
prepared statement........................................... 39
Hill, Brian, Detective, Criminal Investigations Division, Anoka
County
Sheriff's Office, Andover, Minnesota........................... 16
prepared statement........................................... 79
Mastria, Luigi, Executive Director, Digital Advertising Alliance,
Washington, D.C................................................ 19
prepared statement........................................... 84
Rich, Jessica, Director, Bureau of Consumer Protection, Federal
Trade
Commission, Washington, D.C.................................... 7
prepared statement........................................... 46
Southworth, Cindy, Vice President, Development and Innovation,
and
Founder, Safety Net Technology Project, National Network to End
Domestic Violence, Washington, D.C............................. 24
prepared statement........................................... 122
QUESTIONS
Questions submitted to Robert D. Atkinson by Senator Flake....... 145
Questions submitted to Mark L. Goldstein by Senator Franken...... 147
Questions submitted to Luigi Mastria by Senator Flake............ 146
Questions submitted to Jessica Rich by Senator Franken........... 148
ANSWERS
Responses of Robert D. Atkinson to questions submitted by Senator
Flake.......................................................... 149
Responses of Mark L. Goldstein to questions submitted by Senator
Franken........................................................ 157
Responses of Luigi Mastria to questions submitted by Senator
Flake.......................................................... 151
Responses of Jessica Rich to questions submitted by Senator
Franken........................................................ 155
MISCELLANEOUS SUBMISSIONS FOR THE RECORD
Chamber of Commerce of the United States of America, R. Bruce
Josten, Executive Vice President, Government Affairs, June 11,
2014, letter................................................... 160
Consumers Union, George Slover, Senior Policy Counsel, June 3,
2014, letter................................................... 162
IAB, Mike Zaneis, EVP and General Counsel, June 4, 2014, letter.. 163
MAPPS, John M. Palatiello, Executive Director, June 4, 2014,
letter......................................................... 165
MCBW, Liz Richards, Executive Director, May 28, 2014, letter..... 169
National Center for Victims of Crime, Mai Fernandez, Executive
Director, June 2, 2014, letter................................. 172
NRF, David French, Senior Vice President, Government Relations,
June 4, 2014, letter........................................... 174
NWLC, Fatima Goss Graves, Vice President for Education and
Employment, and Lara S. Kaufmann, Senior Counsel and Director
of Education Policy for At-Risk Students, June 3, 2014, letter. 158
OTA, Craig Spiezle, Executive Director, June 2, 2014, letter..... 176
Stalking Case: Harry Hitzeman, Daily Herald, ``Kansas Man
Convicted of Stalking, Choking Woman in Elgin,'' October 31,
2012, article.................................................. 177
Stalking Case: Justin Scheck, Wall Street Journal, ``Stalkers
Exploit Cellphone GPS,'' August 3, 2010, article............... 178
Stalking Case: Dan Rozek, Sun-Times, ``Accused GPS-Stalker Tells
Judge He Wants To Plead Guilty to Murder,'' July 18, 2011,
article........................................................ 183
Stalking Case: Francie Grace, CBS News, ``Stalker Victims Should
Check for GPS,'' February 6, 2003, news story.................. 184
THE LOCATION PRIVACY PROTECTION
ACT OF 2014
----------
WEDNESDAY, JUNE 4, 2014
United States Senate,
Subcommittee on Privacy, Technology and the Law,
Committee on the Judiciary,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:35 p.m., in
room SD-226, Dirksen Senate Office Building, Hon. Al Franken,
Chairman of the Subcommittee, presiding.
Present: Senators Franken, Blumenthal, and Flake.
OPENING STATEMENT OF HON. AL FRANKEN,
A U.S. SENATOR FROM THE STATE OF MINNESOTA
Chairman Franken. This hearing will be called to order.
Welcome to the Senate Judiciary Subcommittee on Privacy,
Technology, and the Law. This is a hearing on my bill to
protect sensitive location information, the Location Privacy
Protection Act of 2014.
Three years ago, I held a hearing to look at how our laws
were protecting the location information generated by
smartphones, cell phones, and tablets. The first group that I
heard from was the Minnesota Coalition for Battered Women. They
told me that across Minnesota victims were being followed
through so-called stalking apps specifically designed to help
stalkers secretly track their victims.
I started investigating these stalking apps. Let me read
you some of their websites.
Here is one called SPYERA. It says: ``Most of the time if
you think your spouse is being unfaithful, you are right.''
``[SPYERA] will be your spy in their pocket.'' ``[Y]ou will
need to sneak your spouse's phone and download it to their
phone.'' ``After the software is downloaded, you will be able
to see where they are geographically. If your husband is in two
counties over from where you live, SPYERA will tell you that.''
And, of course, ``husband'' can mean ``wife'' or ``ex'' or
whatever you want to put in there.
Here is another. This is from FlexiSPY. ``FlexiSPY gives
you total control of your partner's phone without them knowing
it--See exactly where they are, or were, at any given date and
time.''
Here is another quote that has since been taken down:
``Worried about your spouse cheating? Track EVERY text, EVERY
call and EVERY move they make using our EASY Cell Phone Spy
Software.''
These apps can be found online in minutes. And abusers find
them and use them to stalk thousands of women around the
country.
The Minnesota Coalition for Battered Women submitted
testimony about a northern Minnesota woman who was the victim
of domestic violence--and the victim of one of these stalking
apps. This victim had decided to get help. And so she went to a
domestic violence program located in a county building. She got
to the building, and within 5 minutes, she got a text from her
abuser asking her why she was in the county building. The woman
was terrified. And so an advocate took her to the courthouse to
get a restraining order. As soon as she filed for the order,
she got a second text from her abuser asking her why she was at
the county courthouse and whether she was getting a restraining
order against him. They later figured out that she was being
tracked through a stalking app installed in her phone.
This does not just happen in Minnesota. A national study
conducted by the National Network to End Domestic Violence
found that 72 percent of victim services programs across the
country had seen victims who were tracked through a stalking
app or a stand-alone GPS device. Without objection, I will add
to the record the accounts of a few other victims.
Here is one from a victim in Illinois. She was living in
Kansas with her abuser. She fled to Elgin, Illinois, a town
three States away. She did not know that the whole time her
cell phone was transmitting her precise location to her abuser.
He drove the 700 miles to Elgin. He tracked her to a shelter
and then to the home of her friend, where he assaulted her and
tried to strangle her.
Here is one from a victim in Scottsdale, Arizona. Her
husband and she were going through a divorce. Her husband
tracked her for over a month through her cell phone.
Eventually, he murdered their two children in a rage.
In most of these cases, the perpetrator was arrested
because it is illegal to stalk someone. But it is not clearly
illegal to make and to market and to sell a stalking app. And
so nothing happened to the companies making money off of the
stalking. Nothing happened to the stalking apps.
My bill would shut down these apps once and for all. It
would clearly prohibit making, running, and selling apps and
other devices that are designed to help stalkers track their
victims. It would let police seize the money that these
companies make and use that money to actually prevent stalking.
My bill will prioritize grants to the organizations that train
and raise awareness around GPS stalking. And it would make the
Department of Justice get up-to-date statistics on GPS
stalking. That is a big deal, because the latest statistics we
have from DOJ are from 2006, and at that point they estimated
over 25,000 people were being GPS-stalked annually, back in
2006, and we know what smartphone technology has done since
then.
But my bill does not protect just victims of stalking. It
protects everyone who uses a smartphone, an in-car navigation
device, or any mobile device connected to the Internet. My bill
makes sure that if a company wants to get your location or give
it out to others, they need to get your permission first.
I think that we all have a fundamental right to privacy: a
right to control who gets your sensitive information and with
whom they share it. Someone who has a record of your location
does not just know where you live. They know where you work and
where you drop your kids off at school. They know the church
you attend and the doctors that you visit.
Location information is extremely sensitive. But it is not
being protected in the way it should be. In 2010, the Wall
Street Journal found that half of the most popular apps were
collecting their users' location information and then sending
it to third parties, usually without permission.
Since then, some of the most popular apps in the country
have been found disclosing their users' precise location to
third parties without their permission. And it is not just
apps. The Nissan Leaf's on-board computer was found sending
drivers' locations to third-party websites. OnStar threatened
to track its users even after they canceled their service; they
only stopped when I and other Senators called them out on this.
And a whole new industry has grown up around tracking the
movements of people going shopping--without their permission,
and sometimes when they do not even enter a store.
The fact is, that most of this is totally legal. With only
a few exceptions, if a company gets your location information
over the Internet, they are free to give it to almost anyone
they want.
My bill closes these loopholes. If a company wants to
collect or share your information, it has to get your
permission first and put up a post online saying what the
company is doing with your data. Once a company is tracking
you, it has to be transparent, or else it has to send you a
reminder that you are being tracked.
Those requirements apply only to the first company getting
location information from your device. For any other company
getting large amounts of location data, all they have to do is
put up a post online explaining what they are doing with that
data.
That is it. These rules are built on existing industry best
practices, and they have exceptions for emergencies, theft
prevention, and parents tracking their kids. The bill is backed
by the leading anti-domestic violence and consumer groups.
Without objection, I will add letters to the record from the
Minnesota Coalition for Battered Women, the National Center for
Victims of Crime, the National Women's Law Center, the Online
Trust Alliance, and Consumers Union--all in support of my bill.
This bill is just common sense.
[The letters and stalking cases appear as submissions for
the record.]
Chairman Franken. Before I turn it over to my friend the
Ranking Member, I want to make one thing clear. Location-based
services are terrific. I use them all the time when I drive
across Minnesota. They save time and money, and they save
lives. Ninety-nine percent of companies that get your location
information are good, legitimate companies.
And so I have already taken into account many of the
industry concerns that I heard when we debated this bill last
Congress: I have capped liability, I have made compliance
easier. And if folks still have issues with the bill, I want to
address them.
So, with that, I will turn it over to Senator Flake.
OPENING STATEMENT OF HON. JEFF FLAKE,
A U.S. SENATOR FROM THE STATE OF ARIZONA
Senator Flake. Thank you, Mr. Chairman. Thank you again to
the witnesses for being here. I know you have busy schedules,
and I really appreciate you doing this.
I think we can all agree that stalking and domestic
violence are serious concerns. That is why I was pleased to
support the reauthorization of the Violence Against Women Act.
I agree with those who will testify today, like Ms. Southworth
of the National Network to End Domestic Violence and Detective
Hill on the second panel, that domestic violence and stalking
are serious problems that need to be addressed. I am not aware
of any concerns that have been expressed about some of the
sections of this bill, those that address the stalking apps and
directing the Government to study GSP stalking and prioritize
grants to educate law enforcement about this problem.
Having said that, there are sections of the bill that I
think are still a bit concerning. The bill before us regulates
the commercial collection of geolocation information. Some
concerns have been raised about its effect on businesses and
applications that use geolocation information to provide
consumers with services that they now rely on.
I would like to enter into the record letters from the
National Retail Federation and the Interactive Advertisement
Bureau if that is okay.
Chairman Franken. Without objection.
Senator Flake. Thanks.
[The letters appear as submissions for the record.]
Senator Flake. In our efforts to protect the privacy of
Americans, which is extremely important, we have got to be
careful not to stifle innovation in dynamic sectors of the
economy. A lot of the concerns that have been expressed are
about static regulations that deal with a dynamic sector of the
economy, and we want to make sure that we do not hamper
development of new products and technologies.
With that, I look forward to the witnesses. Thanks.
Chairman Franken. Thank you, Senator Flake.
The first panel of witnesses has seated themselves. Thank
you.
Bea Hanson is the Principal Deputy Director of the United
States Department of Justice Office on Violence Against Women.
Before joining the OVW, Ms. Hanson was director for emergency
services and the chief program officer for Safe Horizon, a
crime victims service organization in New York City. Ms. Hanson
is a Minnesotan by birth and was raised in St. Paul.
Jessica Rich is the Director of the FTC's Bureau of
Consumer Protection. During her time at the FTC, Ms. Rich has
led major policy initiatives related to privacy, data security,
and emerging technologies; overseen enforcement actions; and
developed significant FTC rules. She also received the
Chairman's Award in 2011 for her contributions to the FTC's
mission.
Mark Goldstein is the Director of Physical Infrastructure
Issues for the U.S. Government Accountability Office. He is a
frequent witness before Congress and served as senior staff
member of the Senate Committee on Homeland Security and
Governmental Affairs. He will testify about the two different
studies that GAO conducted at my request on the subject of
location privacy.
I would like to welcome you all. Thank you for appearing.
Your written testimony will be made part of the record. You
each have about 5 minutes for any opening remarks that you
would like to make. We will start with Ms. Hanson.
STATEMENT OF BEA HANSON, PRINCIPAL DEPUTY DIRECTOR, OFFICE ON
VIOLENCE AGAINST WOMEN, U.S. DEPARTMENT OF JUSTICE, WASHINGTON,
D.C.
Ms. Hanson. Thank you so much. Good afternoon, Chairman
Franken, Ranking Member Flake, and members of the Committee.
Thank you for the opportunity to testify on behalf of the
Department of Justice regarding stalking, mobile devices, and
location privacy.
My name is Bea Hanson, and I am the Principal Deputy
Director of the United States Department of Justice Office on
Violence Against Women, or OVW. One key way that the Department
of Justice has focused on strengthening the criminal justice
response to stalking is through the implementation of the
Violence Against Women Act, or VAWA.
Since the passage of VAWA in 1994, we have made significant
strides in enhancing the criminal justice system's response to
stalking, and Congress has been a strong partner in our
national efforts to address this issue.
Since 1994, Congress has amended VAWA to address our
growing understanding of this crime, adding stalking to the
purpose areas of grant programs, broadening the Federal
interstate stalking statute to protect victims of cyber
stalking, and enhancing penalties for repeat stalking
offenders. Just last year, in the most recent VAWA
reauthorization, Congress closed a loophole in the Federal
cyber stalking statute to permit Federal prosecutors to pursue
cases where the offender and the victim both lived in the same
State. Congress also amended the Jeanne Clery Campus Security
Act to require that universities report crime statistics on
incidents of stalking.
As you both know, stalking is a complex crime, and it
continues to be missed, misunderstood, and very much
underestimated. Incidents of stalking behavior, when considered
separately, may seem relatively innocuous. However, stalking
behavior tends to escalate over time, and it is often paired
with or followed by sexual assault, physical abuse, or
homicide, as Chairman Franken has pointed out. Its victims feel
isolated, vulnerable, and frightened, and tend to suffer from
anxiety, from depression, and from insomnia.
Results of the 2010 National Intimate Partner and Sexual
Violence Survey, or NISVS, which was released by the Centers
for Disease Control in late 2011, demonstrate the grave scope
of this crime. Using a conservative definition of stalking, the
survey found that 6.6 million people were stalked in the
previous 12-month period and that 1 in 6 women and 1 in 19 men
were stalked at some point in their lifetimes.
The survey report noted that, although anyone can be a
victim of stalking, females were more than three times more
likely to be stalked than males, and that young adults had the
highest rates of stalking victimization.
The report also showed the too frequent nexus between
stalking and intimate partner abuse. For the overwhelming
majority of victims, the stalker is someone who is known to
them--an acquaintance, a family member, or, most often, a
current or former intimate partner. And the NISVS report
confirmed that most stalking cases involve some form of
technology. More than three-quarters of the victims reported
having received unwanted phone calls, voice messages, and text
messages; and roughly one-third of the victims were watched,
followed, or tracked with a listening or other kind of device.
The report authors noted that their findings showed a
higher percentage of stalking than previous national studies
and hypothesized that this increase could be due to new
technologies that make stalking behavior easier.
Technology has provided new tools for stalkers. For
example, the rapid increased use of cellular phones in recent
years has created a new market in malicious software that, when
installed on mobile devices, allows perpetrators to intercept
victims' communications without their knowledge or consent.
Through the use of this software, perpetrators can read
victims' e-mail and text messages, listen to their telephone
calls, trace their movements, and turn on the microphone in
their phone to record conversations occurring in the immediate
surrounding area. And all this can be done remotely and
surreptitiously.
A recent study conducted by the National Network to End
Domestic Violence, supported by the Department of Justice
Office for Victims of Crime, further suggests that technology-
enhanced stalking, including the use of mobile devices, is
neither novel nor rare. Of the more than 750 victims service
agencies that responded, 72 percent reported helping victims
who had been tracked by GPS either through a cell phone or a
GPS device.
The findings from NISVS and other surveys underscore how
critical it is that professionals who work with stalking
victims understand the dynamics of stalking, particularly how
stalkers use technology. We know that stalking is often a
precursor to other forms of violence. Because stalking can be
challenging to recognize, OVW grant programs support
specialized training for police, prosecutors, and others to
ensure that comprehensive services are available to victims.
We also fund a number of training and technical assistance
projects that target the intersection of technology and the
crimes of stalking, sexual assault, domestic violence, dating
violence, and there is more information on that in my written
testimony. And we have some of our grantees who are going to be
talking here later on the second panel.
I appreciate the opportunity to testify today, and I look
forward to continuing to working with Congress, working with
you all, as it considers these important issues. Thank you.
[The prepared statement of Ms. Hanson appears as a
submission for the record.]
Chairman Franken. Thank you, Ms. Hanson.
Ms. Rich?
STATEMENT OF JESSICA RICH, DIRECTOR, BUREAU OF
CONSUMER PROTECTION, FEDERAL TRADE COMMISSION, WASHINGTON, D.C.
Ms. Rich. Good afternoon, Chairman Franken and Ranking
Member Flake. My name is Jessica Rich, and I am the Director of
the Bureau of Consumer Protection at the Federal Trade
Commission. I very much appreciate this opportunity to present
the Commission's testimony on consumer protection issues
involving geolocation information and to offer some initial
views on the draft Location Privacy Protection Act.
Protecting consumers' privacy is a key focus of the
Commission's efforts, and we commend the Committee for its
continued attention to this really important issue.
Products and services that use geolocation data make
consumers' lives easier and more efficient, as you have noted,
Chairman Franken. Consumers can get turn-by-turn directions to
their destinations, find the closest bank, and check the
weather when they are traveling, among many other examples.
At the same time, the increasing collection, use, and
disclosure of this data presents serious privacy concerns. For
this reason, the Commission considers precise geolocation data
to be sensitive, warranting opt-in consent prior to collection
from a consumer's mobile device.
Why is this data so sensitive? A device's geolocation can
reveal consumers' movements in real time and over time and,
thus, divulge intimate personal details about them, such as the
doctor's office they visit, how often they go, their place of
worship, and when and what route their kids walk to school in
the morning and return home in the afternoon.
This data can be accessed and used in many ways consumers
do not expect, for example, collected through stalking apps,
sold to third parties for unspecified uses, paired with other
data to build detailed profiles of consumers' activities, or
stolen by hackers. The risks to consumer range from unwanted
tracking to threats to personal safety.
The Commission has taken action to protect this data
through law enforcement and outreach efforts. Using its
authority under the FTC Act, the Commission has brought cases
against companies engaged in unfair and deceptive practices
involving geolocation data. One example is our recent
settlement with Snapchat, the developer of a popular mobile
messaging app. In that case, the FTC alleged that, in addition
to misrepresenting that photo and video messages sent through
the service would disappear, which was what was publicized most
about that case, Snapchat also collected and transmitted
geolocation data from its app, even though its privacy policy
claimed it did not track users or access such information at
all.
In another case, this one involving the developer of a
popular flashlight app, the FTC alleged that the developer told
users that it would collect diagnostic and technical
information simply to assist with product support, but failed
to disclose that the app transmitted the device's precise
geolocation and unique device ID to ad networks.
Finally, in a series of settlements with rent-to-own
retailer Aaron's and its affiliates, the FTC alleged that the
companies' installation and use of software on rental computers
that secretly monitored and tracked consumers violated the FTC
Act. The software could log keystrokes, capture screen shots,
and take photo using the computer's webcam, all unbeknownst to
users. Notably, the FTC alleged that installing location-
tracking software on the rented computers without the renter's
consent and disclosing this geolocation to rent-to-own stores
was an unfair and illegal practice.
In addition to enforcement, the Commission also has
conducted studies, held workshops, and issued reports in this
area. For example, in 2012, FTC staff issued two reports about
the disclosures provided in mobile apps for kids. The report
showed that the apps collected data from the kids' devices,
including unique device ID and geolocation data, and shared it
with third parties, often without notice to parents.
And in February of last year, FTC staff issued a report
providing specific recommendations about how all players in the
mobile ecosystem--platforms, app developers, ad networks,
analytics companies, and trade associations--can and must
ensure that consumers have timely, easy-to-understand
disclosures and choices about what data companies collect and
use, including geolocation data.
Now, turning to a discussion of the Location Privacy
Protection Act, the Commission very much supports the goals of
this bill, which seeks to improve the transparency and consumer
control over the collection and use of sensitive geolocation
data. The bill really represents an important step forward,
notably by requiring clear and accurate disclosures and opt-in
consent from consumers before this sensitive data can be
collected.
The bill contains both civil and criminal provisions and
gives the Department of Justice sole authority to enforce both.
We very much support strong remedies for violations. However,
as the Federal Government's leading privacy enforcement agency,
we do recommend that the Commission be given responsibility for
enforcing the civil provisions of the bill.
Thank you very much for this opportunity to provide the
Commission's views. The FTC is very committed to protecting the
privacy of consumers' geolocation information, and we look
forward to continuing to work with the Committee and Congress
on this issue.
[The prepared statement of Ms. Rich appears as a submission
for the record.]
Chairman Franken. Thank you, Ms. Rich. I noted your
recommendation in your written testimony and again just now.
Ms. Rich. Okay. Thanks.
Chairman Franken. Mr. Goldstein?
STATEMENT OF MARK L. GOLDSTEIN, DIRECTOR, PHYSICAL
INFRASTRUCTURE ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE,
WASHINGTON, D.C.
Mr. Goldstein. Thank you. Good afternoon, Mr. Chairman,
Ranking Member Flake, and members of the Subcommittee. Thank
you for the opportunity to be here this afternoon and provide
testimony on consumers' location data.
Smartphones and in-car navigation systems give consumers
access to useful location-based services.
However, questions about privacy can arise if companies use
or share consumers' location data without their knowledge.
Several agencies have responsibility to address consumers'
privacy issues, including the FTC, which has authority to take
enforcement actions against unfair or deceptive acts, and the
NTIA, which advises the President on telecommunications and
information policy issues.
My testimony addresses: one, companies' use and sharing of
consumers' location data; two, consumers' location privacy
risks; and, three, actions taken by selected companies and
Federal agencies to protect consumers' location privacy.
Our findings were as follows in the two reports we released
over the last couple of years.
First, that 14 mobile industry companies and 10 in-car
navigation providers that GAO examined in its 2012 and 2013
reports, including mobile carriers and auto manufacturers,
collect location data and use or share them to provide
consumers with location-based services and improve consumer
services. For example, mobile carriers and application
developers use location data to provide social networking
services that are linked to consumers' locations. In-car
navigation services use location data to provide services such
as turn-by-turn directions and roadside assistance. Location
data can also be used and shared to enhance the functionality
of services such as search engines to make search results more
relevant, for example, returning results of the nearby
businesses.
Second, while consumers can benefit from location-based
services, their privacy may be at risk when companies collect
and share location data. For example, in both our reports, we
found that when consumers are unaware that their location data
are shared and for what purpose that data might be shared, they
may be unable to judge whether location data are shared with
trustworthy third parties. Furthermore, when location data are
amassed over time, they can create detailed profiles of
individual behavior, including habits, preferences, and roads
traveled--private information that could be exploited.
Additionally, consumers could be at higher risk of identity
theft or threats to personal safety when companies retain
location data for long periods of time or in ways that link the
data to individual consumers. Companies can anonymize location
data that they use or share in part by removing personally
identifying information. However, in our 2013 report, we found
that in-car navigation providers that GAO examined used
different de-identification methods that may lead to varying
levels of protection for consumers.
Third, companies GAO examined in both reports have not
consistently implemented practices to protect consumers'
location privacy. The companies have taken some steps that
align with recommended practices for better protecting
consumers' privacy. For example, all the companies we examined
in both reports used privacy policies or other disclosures to
inform consumers about the collection of location data and
other information. However, companies did not consistently or
clearly disclose to consumers what the companies do with these
data or third parties with which they might share that data,
leaving consumers unable to effectively judge whether such uses
of their location data might violate their privacy.
In our 2012 report, we found that Federal agencies have
taken steps to address location privacy data through
educational outreach events, reports with recommendations to
protect consumer privacy, and guidance for industry. For
example, the Department of Commerce's NTIA has brought
stakeholders together to develop codes of conduct for industry.
But GAO found that this effort lacks specific goals,
milestones, and performance measures, making it unclear whether
the effort would actually even address location privacy.
Additionally, in response to a recommendation in GAO's 2012
report, the FTC issued guidance in 2013 to inform companies of
the Commission's views on the appropriate actions mobile
industry companies should take to disclose their privacy
practices and obtain consumers' consent. GAO made
recommendations to enhance consumer protections in 2012. GAO
recommended, for example, that NTIA develop goals and
milestones and measures for its stakeholder initiative. GAO
will continue to monitor this effort in the future.
Mr. Chairman, this concludes my oral statement. I would be
happy to respond to any comments. Thank you.
[The prepared statement of Mr. Goldstein appears as a
submission for the record.]
Chairman Franken. Thank you, Mr. Goldstein. Thank you all
for your testimony.
Ms. Hanson and Ms. Rich, your agencies have already done
important work to combat cyber stalking and GPS stalking, but I
want to challenge you to do more. I want to press you to
investigate and shut down these smartphone stalking apps. They
hurt tens of thousands of people every year. They market
themselves directly and brazenly to stalkers, and they are
easily available on the Internet.
My bill will give you even more tools to go after these
apps, but will you pledge to me today that you will use all of
your existing tools to investigate and shut down these apps?
Ms. Rich. Yes, I will, within my powers. We do have a
Commission that needs to approve things, but I run the Bureau
of Consumer Protection. I will note that we did bring a case
against a similar service called Remote Spy. We litigated a
case against them that was providing this very same type of
service to spy on people, and we obtained a strong order
against the company, and we can use similar tools to pursue
these types of stalking apps.
Chairman Franken. Thank you.
Ms. Hanson. From my role at the Office on Violence Against
Women, we are a grant-funded organization, and we really want
to work with you and work together to address these issues
around stalking applications. This has been a huge, a big
priority for the Department. I would like to bring back to
those folks who actually do the prosecution and want to share
your concerns with the Criminal Division, specifically the
computer crime and intellectual property section, as well as
the U.S. Attorney's Office, Executive Office of the U.S.
Attorney who handles the criminal prosecutions, and I will
bring that back to them.
Chairman Franken. Well, thank you. And there is bipartisan
agreement on this. In 2011, I sent a letter joined by Senators
Grassley, Klobuchar, Cornyn, Blumenthal, Graham, Whitehouse,
Schumer, and Feinstein asking your agencies to crack down on
these apps. So I want to ask each of you to do everything you
can to shut them down.
Mr. Goldstein, some of the witnesses on our second panel
urge us to be cautious about legislating. They favor self-
regulation. As part of your investigation, you looked at
industry best practices for the collection and sharing of
location data. In an interview after the report, you said that
there were not very many rules in place and that in many ways
this was still ``the Wild West of the Electronic Era.''
Did you find that industry best practices were being
implemented consistently? And did you find that consumers were
being given the information they needed to make choices about
their privacy?
Mr. Goldstein. Thank you, Mr. Chairman. Our reports clearly
indicate that there is no comprehensive approach; that some
companies do pay attention very consistently to the rules, the
self-regulating rules that are out there, and some do not; and
that there is a great variety and not a lot of transparency.
Those seem to be the two principal problems, a lot of variety
and that some pay attention to some rules and not others, and
the lack of transparency and that consumers do not always have
enough information to make choices about what kind of
information is being retained, how long it is being retained,
by whom it is being retained and used, things like that.
So there are quite a lot of problems still out there with
the application of the rules.
Chairman Franken. And I see you are nodding, Ms. Rich.
Ms. Rich. Yes. Many industry groups and individual
companies say they implement opt-in or have opt-in as a best
practice. But our enforcement more broadly, even outside of
stalking apps, but related to the collection of geolocation
information, including the Snapchat case, the Goldenshores
case, which was the flashlight case, our case against Aaron's,
and also our survey of kids' apps shows that this opt-in
standard is not being complied with on a regular basis.
Chairman Franken. Yes, I found the Snapchat case
particularly ironic because their whole selling point was that
once you post a video or a photo, it would disappear.
Ms. Rich. And we allege that was not true, among other
things.
Chairman Franken. But it did not. Other than that, it was
exactly what it said.
Okay. I am running out of my time. I will ask one more
question, and we want to get to our other panel, so I will give
it to Senator Flake, and I will ask one more question of Ms.
Hanson.
Senator Flake. Thank you.
Mr. Goldstein, in your testimony you outline a series of
``what if's,'' asserting that location data could be used to
track consumers, and I think we all understand the potential of
this. You say that these--which can be used to steal identity,
stalk them, monitor them without their knowledge. You also say
that collection of data, location data, poses a threat. We all
understand that. You have explained that very well. But in your
study or in your investigation, did you uncover examples of
companies stealing customers' identities or stalking them or
criminals' obtaining location data? We know the potential
exists. Did you actually turn up any nefarious activity?
Mr. Goldstein. No, Senator, we did not. It was really a
look at the kinds of issues that were out there. It was not
really within the scope. But we also did not find any.
Senator Flake. Ms. Rich, you mentioned a few of them and
cases that have been brought. What has been out there in
popular media that has caught your attention? Is that usually
how you find these cases? Or how do you come on to these cases
where you decide to bring action against them?
Ms. Rich. We find cases in a variety of ways. We may be
tipped off by an insider. We may get referrals from businesses
or consumer groups or tech people. But responding to the
question you just asked my colleague, one thing that our cases
do show is that companies, even flashlights, are collecting
this data, contrary to the claims they are making, and then
they are sharing it. So it is being collected and used, and
given what it can show in terms of consumers' private
activities, that raises concerns.
Senator Flake. Yes, certainly I think we all recognize that
people use it for advertising and some of the disclosing--or
giving the opportunity to opt out. My question to Mr. Goldstein
was do we see criminals using it for purposes that are--the
potential certainly exists, but if there are examples of that
in a criminal way. We have seen some of the stalking, and
obviously we want to make sure that we crack down on that. But
I know that the potential exists. I was just wondering, in the
studies have we seen that actually occurring? We see some of it
on the commercial side, but not so much on the criminal side
yet. Is that an accurate statement?
Ms. Rich. I think that the stalking apps are the clearest
example of the harm that it can do. I agree.
Senator Flake. I mentioned in my opening statement that we
want to make sure that we do not stifle any development of new
technologies and new positive uses of this geolocation
information. Ms. Hanson, the Department of Justice, as you
know, works with law enforcement agencies across the country
and broadcasters, transportation agencies, and the wireless
industry to issue Amber Alerts. The National Center for Missing
and Exploited Children manages a secondary distribution of
these Amber Alerts. These are obviously only sent when a child
is at risk of serious injury or death.
Would Amber Alerts fall within one of the exceptions to the
bill?
Ms. Hanson. I would have to bring this back to the
Department about how this would be an exception or not. I know
that Amber Alerts have been important in identifying missing
children. I think we need to look at this issue more broadly,
and I can bring that back to the Department to take a look at
it.
Through our office, the Office on Violence Against Women, I
think, you know, we have seen and you will hear testimony from
folks on the second panel. If you look at the cases of cyber
stalking that we actually look at--when you look at it from the
perspective of victims of domestic violence, in actuality we do
have a large number of victims who have said that they have
been tracked. My testimony talked about 72 percent of those
reported, looking at victims service agencies, had been tracked
by GPS, through cell phone or GPS. So, you know, I think those
are important issues we need to look at, but I can bring back
this issue, the question about the Amber Alert.
Senator Flake. A hypothetical, and some people have talked
about and some are actually working on programs, I think, that
would send an Amber Alert to a specific location if a child was
lost in a mall and you do not need the Amber Alert at that
point because there are certain standards and thresholds at
which those are issued. But you might be able to send it at a
lower threshold if it could be confined to a specific location,
say a mall. But obviously, if the geolocation information of
individuals who were in that mall, they would not have
consented to receive that Amber Alert, they would not have
opted in, but could--would this be an exception? And how do we
work with the exceptions like that where useful information
could go out but not for regulations that could come? Does that
make sense? I am sorry.
Ms. Hanson. It makes sense. It is not the area that I work
in, so what I would like to do is bring that back to other
folks in the Department and get back to you on that.
Senator Flake. Okay.
[The information referred to appears as a submission for
the record.]
Senator Flake. You had a----
Chairman Franken. Well, I just wanted to clarify that an
Amber Alert would be--in Section 3 of the bill, we put in
exceptions, and any emergency, allowing a parent or legal
guardian to locate an emancipated minor child, and also it is
for fire, medical, public safety, or other emergency services.
So this is specifically in the bill. It would be exempted.
Senator Flake. Okay. There are some that are a little less
clear. I think Mr. Atkinson in the second panel will note that
there are certain programs like Circle of 6, Siren, these apps
allow women to share their precise geolocation information with
friends who are in an unsafe situation. These, I think we all
agree, can be used to help women who are in an unsafe
situation. We just want to make sure that we do not do
something that would prohibit those kind of uses, and that is a
little tougher or a little fuzzier than an Amber Alert. And so
I hope as we move through this process--and maybe the second
panel can shed some light on that as well.
Thank you, Mr. Chairman.
Chairman Franken. Thank you.
Senator Blumenthal has joined us.
Senator Blumenthal. Thank you, Mr. Chairman. Thank you to
you for having this hearing and for your really instrumental
work on a lot of this legislation. Thanks to this excellent
panel, and I want to thank particularly Bea Hanson for your
work on sexual assault on campuses and your help to me in the
roundtables that we organized around Connecticut and the
proposals that we formulated as a result, and the President's
great work on this issue, thanks to the wonderful staff that he
has working on this issue.
To that point, I wonder if you could talk a little bit
about what additional steps colleges and universities ought to
be taking with respect to cyber stalking and the relationship
or the intersection of cyber stalking with campus sexual
assault. You know, in Connecticut, more than 50,000 individuals
are stalked every year. A lot of it occurs on campuses because
college students tend to be more attuned to this technology.
And yet I found, as I went around the State of Connecticut,
that college administrators and officials there often were not
as focused as perhaps they should be on this issue of cyber
stalking and the technology that is available to enable it. So
perhaps if you could talk a little bit about that issue.
Ms. Hanson. Thank you, Senator Blumenthal. And thank you
for your work on addressing campus sexual assault and the
report that you put together as a result of all of the hearings
you did in Connecticut.
I think that nexus between campus sexual assault and cyber
stalking is important, especially when we look at the use of
cell phones and smartphones, especially among the college
campus students.
There is work that is being done, there is more work that
we need to do, in terms of looking at prevention messages and
incorporating issues of stalking and cyber stalking,
particularly into messages around sexual assault because we
know often that stalking is not something that occurs by
itself, but that it often escalates over time and can often be
a precursor to crimes like sexual assault or even homicide.
I agree with you on your point about the need to train and
talk to administrators about it. I think that there is a lot
more knowledge among the students than there is among the
administrators about the training that is needed to look at
cyber stalking and those connections. So we are more than happy
to work with you and the rest of the Committee if there are
ways that we can make those efforts even stronger.
Senator Blumenthal. I thank you. This technology has huge
promise, but also tremendous peril, and the awareness of the
peril is sometimes difficult among young people who think of
themselves as invincible. And yet because of that delusion,
they may be the most vulnerable, and the most vulnerable often
to their friends who seemingly want to befriend or support
them, and yet use this technology really to put them in great
peril. So I thank you for your focus on that.
I would like to ask, Ms. Rich, whether you believe under
your current authority you can take action against some of the
makers, the manufacturers who may be, knowingly or unknowingly,
promoting misuse or abuse of this technology.
Ms. Rich. To date, we have taken action--we did take action
and litigated a case against a promoter, a seller of spyware
that specifically sold it so that you could capture the
movements of somebody secretly. And we did that under our
existing authority. We also--I mentioned before you came in, we
brought several cases against companies that either under our
deception or unfairness authority shared geolocation without
consent or notice to consumers. So we do have authority, but we
do need to prove deception or unfairness. And the across-the-
board notice and consent requirements with exceptions for
legitimate use that are in the proposed--the law which make it
easier for us to enforce.
Senator Blumenthal. So you would welcome this additional
measure?
Ms. Rich. We very much support the goals and the basic
provisions of the bill, yes.
Senator Blumenthal. Do you plan to have roundtables or
workshops or other means of increasing awareness among students
and others?
Ms. Rich. We recently had a seminar on mall tracking, which
is not about stalking but it is about the use of GPS to track
consumers' movements in stores, and I think that raised
awareness about the use of geolocation, and we will be issuing
a report on that. And we will be--we continue to have workshops
and seminars on consumer protection issues like these.
Senator Blumenthal. Thank you.
Thank you, Mr. Chairman.
Chairman Franken. Thank you, Senator.
I am going to ask just one real short question of Ms.
Hanson, and it is mainly a short answer, I think, that will be
required. The latest statistics we have on the prevalence of
GPS stalking are from a 2006 study conducted by the Department.
Back then, an estimated 25,000 people a year were victims of
GPS stalking. That was, again, in 2006, before the explosion of
smartphones.
Today the vast majority of adults own a cell phone, and
most of them a smartphone. So we just intuitively know that
rates of GPS stalking must have increased since then.
Ms. Hanson, my bill will institute regular reporting on GPS
stalking, but in the meantime, will DOJ update its statistics
on GPS stalking as soon as possible? And if there are barriers
in doing that, would you tell me what they are?
Ms. Hanson. Yes, thank you. Thank you for that question.
This is a one-time supplement that we had put out in 2006 that
was funded by the Office on Violence Against Women. Since then,
as I said in my testimony, the National Intimate Partner and
Sexual Violence Survey came out in 2011, and the National
Institute of Justice as part of the Department of Justice has
been working with the CDC on that.
There are questions about stalking, and what I would like
to do is go back and talk to folks at BJS and talk to those
folks at NISVS to make sure that--to identify if there is any
additional stalking questions that would be helpful for us to
ask through the Department, just so that we are not duplicating
anything that would be in the NISVS report. But I would be
happy to go and look into that and get back to you on that, so
thank you.
Chairman Franken. Well, thank you very much. I have some
questions that I will submit to you for the written record, but
I would like to thank all three of you for your testimony and
invite up our second panel.
[The questions of Chairman Franken appear as submissions
for the record.]
Chairman Franken. All right. I would like to start by
introducing our panel.
Detective Brian Hill of Elk River, Minnesota, has served in
the Anoka County Sheriff's Office since 2000 and has been a
detective with the Criminal Investigation Division since 2008.
Detective Hill is an expert in digital forensics and has
trained over 3,000 law enforcement officers, prosecutors,
judges, advocates, and others across Minnesota on the use of
technology to facilitate stalking. He himself was trained by
the Minnesota Bureau of Criminal Apprehension, the FBI, and the
Secret Service. He also served our country as a member of the
Air Force Reserves and was deployed for 2 years for the wars in
Iraq and Afghanistan. We are very grateful for your service at
home and abroad, Detective Hill, and proud to have you here.
Thank you.
Mr. Lou Mastria is the executive director of the Digital
Advertising Alliance. He leads the DAA's effort on self-
regulation, consumer transparency, and consumer choice. Mr.
Mastria is a certified information privacy professional and has
served as the chief privacy officer for a range of
organizations. Thank you for being here.
Ms. Sally Greenberg is the executive director of the
National Consumers League, NCL. She has testified before
Congress on a variety of consumer protection issues, including
on fraud and excessive fees on car rentals. Previously, she
worked at the U.S. Department of Justice and the Anti-
Defamation League. Ms. Greenberg was also born and raised in
Minnesota and is a graduate of Southwest High School, close to
where I grew up in St. Louis Park.
Dr. Robert Atkinson is the founder and president of the
Information Technology Innovation Foundation. He holds a Ph.D.
in city and regional planning from UNC-Chapel Hill and is a
published author on economics and technology policy. Before
founding ITIF, he was vice president of the Progressive Policy
Institute and director of their new technology project.
Ms. Cindy Southworth is the vice president of development
and innovation at the National Network to End Domestic Violence
and founder of NNEDV's Safety Net Project. She is one of the
Nation's leading experts on stalking apps and has trained
thousands of people across the country on stalking apps and the
use of technology to facilitate stalking.
Thank you and thanks to all of you again for joining us.
Your complete written testimony will be made part of the
record. I will note for the record that Ms. Southworth's
written testimony on behalf of the National Network to End
Domestic Violence is also being submitted on behalf of the
Minnesota Coalition for Battered Women.
So why don't we start with Detective Hill. You each have 5
minutes for any opening remarks you would like to make.
Detective Hill, please go ahead.
STATEMENT OF BRIAN HILL, DETECTIVE, CRIMINAL INVESTIGATIONS
DIVISION, ANOKA COUNTY SHERIFF'S OFFICE, ANDOVER, MINNESOTA
Mr. Hill. Chairman Franken, Ranking Member Flake, and
distinguished members of the Subcommittee, my name is Brian
Hill, and I thank you for the opportunity to appear before the
Subcommittee to testify about law enforcement's support of the
Location Privacy Protection Act of 2014.
Since 2008, I have been a detective with the Criminal
Investigations Division of the Anoka County Sheriff's Office in
Minnesota. I investigate felony domestic and sexual violence
cases with access to Anoka County's state-of-the-art digital
forensics lab. I am a computer/mobile device forensic examiner/
investigator. The written testimony I submitted details my
trainings, certifications, and professional association
memberships.
Why is this legislation important? Imagine the trauma of
surviving domestic and sexual violence. Now add cyber stalking
to that trauma. Stealth stalking apps endanger domestic
violence victims' safety, financial stability, and social well-
being. As we all increasingly use our cell phones to work,
bank, text, access the Internet, e-mail, and pay bills,
stalking apps are a tool to isolate victims from the functions
and social connections their phones provide, including
isolating them from contacting domestic violence advocates or
law enforcement.
To be rid of a stealth stalking app, victims must buy new
phones, create new e-mail accounts, and change all passwords
and security questions. Although there are never any
guarantees, victims live with the frightening uncertainty of
whether the stealth stalking apps are really gone or if they
will reappear after removal. Victims' privacy and peace of mind
continue to be violated by this uncertainty, often long after
they have bought new phones or changed their passwords.
For instance, I have worked with a victim who suspected
that her estranged boyfriend put spyware on her phone. She
stated he knew about private phone conversations and text
messages. Also, he would show up randomly where she was. I
examined her phone and could not get a full data extraction to
determine if there was any spyware. Later, she brought in her
computer, and I had found her computer has accessed a stalking
program called FlexiSPY. There was then proof that the program
was installed on her phone. I worked with her on the expensive
and complicated tasks of getting a new phone and e-mail account
on a safe computer.
Proliferation of cheaper stalking apps has made these
harrowing experiences more and more common. In the last 3
years, our mobile forensic exams in our office have increased
exponentially by 220 percent in 3 years, averaging 30 exams per
month. After 7 years of experience, I continue to discover new
apps. For instance, our office is currently investigating an
attempted murder in the context of domestic violence. We
discovered Ti-spy, running in stealth mode on the victim's
mobile device. Ti-Spy advertises itself as a $7 parental
monitoring software which can be installed on smartphones to
track text messages, calls, GPS location, and basically any
phone data.
As in the case of discovering Ti-Spy, I typically become
engaged in a forensic investigation after victims or domestic
violence advocates detect the unsettling signs of digital
wrongdoing. They notice patterns of the abuser's knowledge
about the victim's life and whereabouts when the abuser has no
way of knowing.
While my department deals with only felony cases, stalking
apps are frequently used in misdemeanor domestic violence
cases. Investigating cyber stalking is labor intensive and
requires expensive, specialized equipment. Most law enforcement
agencies, however, do not have the resources, equipment,
staffing, or training to examine mobile devices for stalking
apps, which can limit data recovery of potential evidence.
Anoka County is fortunate to have eight different tools and
dedicated staff for mobile examinations. Because of our
county's resources, other counties and Federal agencies request
our assistance.
In a survey by the Minnesota Coalition for Battered Women
in conjunction with the courts, advocates indicated that cyber
stalking was the number one priority for law enforcement
training in the protective order context because technology is
frequently used to stalk victims and violate protective orders.
To address the need for training on cyber stalking, I have
worked closely with the Minnesota Coalition for Battered Women,
and its 80-plus member programs, to train over 3,000 domestic
and sexual assault advocates, law enforcement, prosecutors, and
judges since 2009. Our efforts have borne fruit, but strained
resources and the lack of awareness undercut law enforcement's
ability to recognize and respond to domestic violence victims'
increasing reports of cyber stalking. This erodes victim trust
in the criminal justice system. A common abuser tactic in
domestic violence is to convince the victim she is crazy.
Victims then feel more crazy when they report the abuser has
installed stealth stalking apps, only to be told, "We do not
believe you," or "We do not have the resources to examine your
phone." When law enforcement cannot effectively identify and
respond to cyber stalking reports, victims stop reporting
crimes and abusers win.
This Act is a major step in addressing the stalking app
problem. The most important part is that apps will be required
to notify the user a second time, 24 hours to 7 days after
initial installation, about the tracking implications. Victims
will then be notified when the perpetrator does not have access
to their phone. If this notice only applied to stalking apps,
they would simply change the name of the app or market it in a
different way. Just like in human trafficking, when Craigslist
no longer allowed certain ads, the company backpages.com
emerged and began to offer those ads. This Act would address
such evasion of the law. And it also comes down to economics.
By banning stealth GPS stalking apps, we make it unprofitable
for the companies to make these programs, which decreases
abusers' access to them.
Additionally, the Act brings national public awareness to
this issue by requiring information gathering, reporting, and
training grants for law enforcement.
Finally, the Act supports victim safety by requiring that
all apps get permission to collect or share location
information, making sure that a stalking app cannot disguise
itself as an employee or family tracking app--or simply as a
flashlight app.
I urge you to support the Location Privacy Protection Act
of 2014.
Thank you again to the Committee for reviewing my testimony
and for your support of law enforcement's efforts to keep
domestic violence victims and our communities safe.
[The prepared statement of Mr. Hill appears as a submission
for the record.]
Chairman Franken. Thank you, Detective Hill.
Mr. Mastria?
STATEMENT OF LUIGI ``LOU'' MASTRIA, EXECUTIVE DIRECTOR, DIGITAL
ADVERTISING ALLIANCE, WASHINGTON, D.C.
Mr. Mastria. Chairman Franken, Ranking Member Flake,
members of the Subcommittee, good afternoon and thank you for
the opportunity to speak at this important hearing.
My name is Lou Mastria. I am the executive director of the
Digital Advertising Alliance, and I am pleased to report to the
Committee on how industry has extended its successful online
program to mobile to ensure consumers have access to the same
transparency control in mobile as they do on desktop.
Of particular interest to this Committee today, our mobile
principles require consent for collection of location data and
an easy-to-use tool to withdraw such consent, leaving the
consumer ultimately in charge.
Last year, the DAA released its Mobile Guidance, providing
consumer-friendly privacy controls in this still very fast
growing medium. This important, self-initiated update to our
principles reflects the market reality that brands and
customers increasingly engage with each other on a variety of
screens.
The DAA is a cross-industry nonprofit organization founded
by the leading advertising and marketing trade associations--
the ANA, the 4As, DMA, IAB, AAF, and NAI. These organizations
originally came together in 2008 to develop the self-regulatory
principles to cover the collection and use of web-viewing data.
In 2012, the Obama administration publicly praised the DAA
program as a model of success, and more recently, Federal Trade
Commission Commissioner Ohlhausen was quoted as calling the DAA
``one of the great success stories in the [privacy] space.''
The Internet is a tremendous engine of economic growth,
supporting the employment of more than 5 million Americans.
Mobile advertising by itself in the U.S. totaled more than $7
billion last year, and that is more than a 100-percent increase
from the year prior. Revenue from online and mobile advertising
subsidizes the content and services we all enjoy.
Research shows that advertisers pay several times more for
relevant ads, and as a result, this generates greater revenue
to support free content. Consumers also engage more actively
with relevant ads. Simply stated, companies have a very vested
interest in getting this right.
Self-regulation like the DAA is the ideal way to address
the interplay of privacy and online and mobile advertising
while preserving innovation. It provides industry, as
demonstrated by the multiple updates to our program, with a
nimble way of responding to new market challenges presented by
a still evolving mobile ecosystem.
The DAA mobile program applies broadly to the diverse set
of actors that work together to deliver relevant advertising.
The DAA principles call for enhanced notice outside of the
privacy policy, consent for location data, and strong,
independent enforcement mechanisms.
Together these principles are intended to increase
consumers' trust and confidence in how information is gathered
in mobile by increasing transparency and control.
The mobile program leverages an already successful
universal icon to give consumers transparency and control about
data collection and use. In April of this year, DAA issued
specific guidance on how to provide this transparency tool in
mobile. This will provide companies and consumers a consistent,
reliable user experience in the multiple screens on which they
interact. This will also provide companies a consumer-friendly
way to provide notice and choice outside of the privacy policy.
This advancement builds on the unprecedented level of industry
cooperation which has led the DAA icon to being served globally
more than a trillion times each month.
In the coming months, DAA will also release a new mobile
choice app which will empower consumers to make choices about
data collected through mobile devices, including applications.
Of particular relevance to this hearing and today, cyber
stalking is a serious issue, as was detailed earlier. But
criminal activity is separate and apart from the legitimate
commercial uses covered by DAA. I want to note DAA's stringent
requirements for the collection and use of precise location
data for commercial purposes. The DAA program requires consent
prior to collection and the provision of an easy-to-use tool to
withdraw such consent.
We have required privacy-friendly tools, including notice
in the download process, notice at first install, or other
similar measures to ensure that companies are transparent in a
consistent manner about data collection and that consumers can
make informed choices.
To help ensure that both the mechanisms we require are used
and that consumer choices are honored, we rely on our
accountability programs. Accountability is a key feature of the
DAA program. All of our principles are backed by the robust
enforcement programs administered by the Better Business Bureau
and the Direct Marketing Association. There have been more than
three dozen publicly announced enforcement programs under this
program to date.
In summary, I would submit that the DAA is a story of
empowering consumers through transparency and control. It has
nimbly adapted consumer controls to meet quickly evolving
market changes and consumer preferences. And it has done so
while responsibly supporting the investment necessary to fund
free or lower-cost products and services desired by consumers.
I am pleased to answer any questions you might have.
[The prepared statement of Mr. Mastria appears as a
submission for the record.]
Chairman Franken. Thank you, Mr. Mastria.
Ms. Greenberg?
STATEMENT OF SALLY GREENBERG, EXECUTIVE DIRECTOR, NATIONAL
CONSUMERS LEAGUE, WASHINGTON, D.C.
Ms. Greenberg. Good afternoon, Chairman Franken, Ranking
Member Flake, and members of the subcommittee. My name is Sally
Greenberg, and I am the executive director of the National
Consumers League. The league was founded in 1899 and is the
Nation's pioneering consumer organization. Our nonprofit
mission is to advocate on behalf of consumers and workers in
the United States and abroad.
Supreme Court Justice Louis Brandeis, who served as NCL's
general counsel, noted in a landmark 1928 decision that the
right to privacy is ``the most comprehensive of rights, and the
right most valued by civilized men.'' We could not agree more.
Privacy is a cornerstone of consumer protection and a
fundamental human right.
The ubiquity of smartphones, tablets, and other mobile
devices has dramatically changed the way consumers interact
with the digital world. Thanks to the widespread use of
location data, consumers can now navigate to their favorite
coffee shops, discover the closest sushi restaurant, and be
more easily located by emergency response providers. This
technology has clearly provided immense consumer benefits.
However, as the collection and use of location data has
become an integral part of the mobile ecosystem, so, too, has
consumer concern over the use and misuse of these data.
According to a Consumer Reports poll from 2012, 65 percent of
consumers were very concerned that smartphone apps could access
their personal contacts, photos, location, and other data
without their permission.
A similar Los Angeles poll showed that 82 percent of those
surveyed were either very or somewhat concerned about the
Internet and smartphone firms collecting their information.
This should not be surprising. Unlike location data gained from
a non-mobile device, such as a desktop computer, data from
mobile phones is inherently personal and can be used to learn
and possibly disclose information that in many cases consumers
would rather be kept private. Justice Sotomayor summed this
concern up perfectly in her concurring opinion in U.S. v.
Jones. She noted that, ``Disclosed in [GPS] data . . . will be
trips . . . to the psychiatrist, the plastic surgeon, the
abortion clinic, the AIDS treatment center, the strip club, the
criminal defense attorney, the by-the-hour motel, the union
meeting, the mosque, synagogue or church, the gay bar and on
and on.''
The consensus among consumer privacy advocates and
government agencies such as the GAO and FTC that we have just
heard from a moment ago is that there is no adequate legal
framework protecting consumers' location data in the current
and ever-evolving mobile ecosystem. Absent such a framework,
consumers must rely on business to adhere to a variety of often
voluntary and inconsistently applied company policies and
industry best practices. That is why we believe so strongly
that this bill is absolutely necessary and will help to protect
especially sensitive types of information that consumers use,
such as location data.
S. 2171 would do just that. This bill would establish a
level playing field for businesses that seek to collect and
share location data. It would help to restore consumer trust
and location-based services and ensure that the many benefits
of this technology continue to flow to consumers and the
economy while adhering to uniform rules of the road for
protecting location privacy.
In particular, we believe that the bill's opt-in provisions
will allow consumers to take control over their private
location information, giving them the right to choose to share
that information, or not, and be informed how their location
data will be used and by whom. And by prohibiting so-called
stalking apps that we have heard so much about, the law will
appropriately outlaw a class of inherently deceptive and
predatory applications that compromise the personal safety of
domestic violence victims. No Federal law currently prohibits
the operation of these apps, which are designed to run secretly
without the user's knowledge. In addition, we strongly believe
that the section providing for private rights of action are
critical.
Given the limited resources of Federal enforcement
agencies, a narrowly defined private right of action with caps
on available damages gives an extra layer of protection to
consumers while addressing industry concerns about abuses of
that private right of action.
In closing, I would like to reiterate NCL's strong support
for S. 2171. In today's ever-changing digital economy,
consumers expect and deserve that the privacy of their location
information will be protected. Absent such protections,
consumers may indeed become less trusting in location-based
services, which would be harmful to innovation and the economy
as a whole.
Thank you, Mr. Chairman, Mr. Ranking Member, and members of
the Subcommittee, on behalf of the National Consumers League
and America's consumers, for your leadership in convening this
hearing and your invitation to testify on this important issue.
I look forward to answering any questions you may have.
[The prepared statement of Ms. Greenberg appears as a
submission for the record.]
Chairman Franken. Thank you, Ms. Greenberg.
Dr. Atkinson?
STATEMENT OF ROBERT D. ATKINSON, PH.D., PRESIDENT, THE
INFORMATION TECHNOLOGY AND INNOVATION FOUNDATION, WASHINGTON,
D.C.
Mr. Atkinson. Thank you. My clock is not working, so I will
look over here for it. I assume that means I get some time, not
zero.
Chairman Franken. I will account for the looking over.
[Laughter.]
Chairman Franken. Ten percent.
Mr. Atkinson. Thank you. Thank you, Chairman Franken,
Ranking Member Flake, and members of the Committee. I
appreciate the opportunity to submit testimony today. I am Rob
Atkinson, president of the Information Technology and
Innovation Foundation, which is a think tank focusing on
policies to support technological innovation.
This proposed legislation addresses two very distinct and
unrelated issues: One is commercial use of geolocation
information by third parties; the second is the use of that
information by individuals, particular around stalking. Since
these issues are separate and unrelated, I will address them
separately.
The issue of limiting the collection of geolocation data by
third parties, in our view would stifle innovation in an area
that is rapidly evolving. We have seen in the last few years
tremendous growth in innovation around location-based services,
and, importantly, the U.S. has led in this space. Of the top
ten Internet companies in the world, eight of them are
American. This is in part because our approach to regulation in
this fast-moving digital age has really been to not regulate
ahead of time. Unlike Europe, which is home to none of those
ten Internet firms, they have embraced the precautionary
principle to regulate well in advance of any real harms.
This principle I believe is important for location-based
services, especially in part because there is tremendous
innovation happening in this space, and innovation that will
continue to happen. In fact, we will probably see more
innovation in the next 5 years than in the last. Things like
in-car navigation and infotainment systems, connected devices
making up the Internet of things, facial recognition--these are
all interesting and important technologies that, unfortunately,
do not lend themselves to a slower-moving regulatory process.
I would support what Mr. Mastria said about industry-led
self-regulation being a better approach, at least in this
initial stage of technological change and innovation. Clearly,
as we heard from Director Rich, the FTC has already taken
actions and, in my view, has significant ability to take
continued actions.
We already see self-regulation working, for example, the
Digital Advertising Initiative, but also on the two major
platforms--iOS and Android--consumers have the ability to
notice when location is on, to accept it, to not, to turn it
off, turn it on.
Second--and I think this is an important point--there is
basically at this point no evidence or very little evidence of
actual harms arising from commercial use. I will get to the
stalking. There are clearly harms there. But in commercial use,
I do not believe there is really any evidence of harms.
Virtually all of the concern expressed to date by privacy
advocates stems from speculative harms that could happen, but
not actually ones that have happened.
Third, our view is that some of the provisions in the bill,
particularly the private right of action, could be stifling of
innovation, particularly in the app space where for the top 800
apps for Android and iOS (Apple), the average company size is
25 employees. A lot of these companies, if they were faced with
the potential of a $1 million fine for making a small coding
mistake or putting something inaccurate on a website, I believe
would think twice about developing a mobile app.
Another component that I think is important is there are
many apps that run in the background without the user's
knowledge that are actually very, very important. Carrier IQ is
an example of that. It is a diagnostic app that many of the
mobile carriers use, and it enables the cell system to work
effectively so carriers know when calls are dropped, where they
are dropped, where they might add cellular capacity. These are
apps we want to have running on the phone because they are
acting in the public good.
Finally, I would argue that some of the sections dealing
with notice can be problematic. For companies to have to list
every single company that they deal with from a business
perspective could compromise some of their commercial
information.
Moving on to the domestic violence issue, I commend you on
your efforts there, and I think this is really the most
important part of the bill. We certainly fully agree with the
outline in Section 4, Criminal Penalties, and Sections 5
through 10. But there are a couple of components that we would
want to provide some suggestions on.
The 24-hour to 7-day notice provision as it is written in
the bill now, it currently applies to all apps, including
applications like, for example, the Weather Channel or Google
Maps or Yelp. These are apps where an individual who might put
those apps on the phone, they simply cannot get access to the
geolocation data. That is third-party geolocation that stays
there. That is very different than one of these stalking apps.
It is very different than an app like Amber Alert GPS Teen,
which is for parents to put something on their kids' cell
phone. So I would urge you to think about confining that 24/7
rule only to apps where the individual can get access to the
GPS stream and not to have all apps, since the stalker cannot
use the Weather Channel, for example, to stalk his or her
victim.
I do not think that really mattered, the point that
Detective Hill made. The issue here is regulating the behavior
of the app. The app could call itself anything, and it would
still be under--it would still be subject to this rule if it is
allowing the data stream to go to an individual.
Another component I would urge you to think about, and that
is international access. One of the concerns we have is even if
we can shut down these abysmal stalking apps, stalkers may be
able to get access overseas, on overseas websites, and I think
thinking about that question, could there be blocking of
certain--if we know there is, you know, the same sort of I-Spy
site here and it just relocates to the Cayman Islands--could we
block access to those?
So, in summary, I will just say that geolocation offers
many opportunities for innovation, and regulation at this point
is premature. But, again, I commend you, Senator, for your
leadership on the criminalization of the stalking apps, in
particular, which I think are a serious problem and will help
with that.
Thank you.
[The prepared statement of Mr. Atkinson appears as a
submission for the record.]
Chairman Franken. Thank you, Dr. Atkinson.
Ms. Southworth?
STATEMENT OF CINDY SOUTHWORTH, VICE PRESIDENT,
DEVELOPMENT AND INNOVATION, AND FOUNDER, SAFETY NET TECHNOLOGY
PROJECT, NATIONAL NETWORK TO END DOMESTIC VIOLENCE, WASHINGTON,
D.C.
Ms. Southworth. Good afternoon, Chairman Franken, Ranking
Member Flake, and distinguished members of the Committee. My
name is Cindy Southworth, and I am the vice president of
development and innovation at the National Network to End
Domestic Violence. I am also representing our member, the
Minnesota Coalition for Battered Women, and I work closely with
the Arizona Coalition Against Domestic Violence and the
Connecticut Coalition Against Domestic Violence--in fact, all
56 coalitions.
I founded the Safety Net Technology Project in 2002 to
support survivors, help victim advocates, train police, and
work with technologists and policymakers on thoughtful
innovation. We work closely with many technology companies,
including Verizon and Google. We serve on the Facebook Safety
Advisory Board, and we work with the Application Developers
Alliance.
Since 2002, we have presented over 900 trainings to more
than 65,000 practitioners. My esteemed and brilliant colleagues
are with me today, and I want to say for the record that we
love technology. We affectionately think of ourselves as the
``geeks of the domestic violence movement.''
The previous panel covered the statistics at length, so I
will skip that. But I want to say that stalkers use location
tracking services, freestanding GPS devices, and smartphone
applications.
Phone spyware is one of the most problematic. It allows
abusers to monitor much more than location, but location is
indeed one of the most dangerous, and it is currently the
loophole. This phone spyware does not notify the victim that it
has been installed, so an abuser can install it without her
knowledge, consent, through any consents, and then it is done.
A standard feature that spy developers go to great lengths
to hide is that it is even installed. It does not show up in
most phones as an installed app, which seems to be going to
great length to hide it. These apps are often brazenly marketed
to stalkers, sometimes briefly mentioning employee monitoring
and child safety--almost as an afterthought or cover story--and
heavily focusing on the features that will help you ``spy on
your spouse.''
One of the most disturbing apps that I have seen recently
is called ``HelloSpy,'' and it has a long list of stalking
features and has a continuous animated image on their main web
page showing a scene from a movie where a man roughly shoves a
woman off the bed, backward, head first. It loops over and over
and over. And just in the time that I was taking those screen
shots, I had to witness that about 100 times to create that
poster.
On another HelloSpy web page, there is a photo of a man
grabbing a woman's arm, and the woman has visible abrasions on
her face. Next to this photo is a list of the features of
HelloSpy, including track phone location and many more.
Many of the apps on the next poster that you will see are
developed and advertised directly to stalkers to facilitate
crimes. In some tragic cases, GPS devices and apps may have
actually aided an offender in locating the victim to commit
murder. Or in other cases, location tracking was just one piece
of an overwhelming list of controlling tactics that preceded a
victim's death. For example, in 2009, in Seattle, a man used
the location service on his wife's phone to track her to a
local store. After finding her speaking to a man there, he shot
and killed their five children and then himself.
In Philadelphia, a man installed a tracking device on his
ex's new partner's car. Overnight he checked that GPS device
147 times in one night, hunted him down using the GPS, and
stabbed him to death 70 times.
The Electronic Communications Privacy Act, ECPA, prohibits
the manufacture, distribution, possession, and advertising of
communication intercepting devices; however, it does not cover
devices that surreptitiously track location information. Many
apps on the poster very likely violate ECPA, and I would be
happy to send this poster back with Director Hanson to give to
her prosecutor friends at DOJ. It is important to note,
however, that there are apps that track only GPS location and
do not offer eavesdropping capabilities--and, hence, are not
clearly prohibited under Federal law.
Unfortunately, I am aware of only one instance where the
Department of Justice has indicted a creator of spyware, and it
was the creator of Loverspy, and he promptly fled the country
and is now on the FBI's Cyber Most Wanted List. I would be
delighted if the developer of HelloSpy would join this creator
and be indicted shortly.
So the solution. Number one, we need to require consent
prior to tracking or sharing information. Survivors of abuse
must be informed about how their location information will be
used, disclosed, and shared. This consent process should be
prominent, transparent, and easy to understand.
Two, location tracking must be transparent and visible to
users. Consent is critical, but consent alone is insufficient.
Abusers often install these tracking apps without the knowledge
of the victim. Relatively simple safeguards can be added. In
fact, some of those safeguards already exist on the Apple
technology and even in the Droid technology, letting people
know that your location is being tracked.
If GPS technology is being used legitimately to monitor
children or employees, there is no need for a stealth mode. In
fact, the reputable family safety products are visible.
In 2005, the AntiSpyware Coalition created a consensus
definition of spyware, which stated that ``tracking software
done covertly is spying.'' And that was developed by technology
companies.
This provision, the transparent--the reminder provision is
probably the most important element of the bill behind the
criminalization. So number three, criminalize the operation,
sale, and marketing of technologies whose primary purpose is to
surreptitiously track someone's location and facilitate a
crime. It is past time to also criminalize intercepting
tracking location in addition to intercepting electronic
communication.
Four, allow law enforcement to seize the proceeds of those
sales. No one should profit from encouraging or enabling
criminal acts, and stalking app and device developers are
creating and selling crime-facilitating products with abandon.
Five, allow individuals an enforcement option through a
very modest private right of action. The proposed protections
for victims will be of little use without effective enforcement
mechanisms, and the threshold I think is quite low. In fact,
our organization has insurance that would cover the accidental
oversight, not the punitive but obviously it should not cover
that if you are doing it willfully with malintent.
Six, enact parallel State laws. Since the overwhelming
majority of stalking and domestic violence investigations are
completed at the local level, we are hoping that your bill will
become a model for State statutes.
In conclusion, NNEDV supports innovation and has seen
countless positive ways that technology can increase the safety
and support for survivors of abuse and stalking. We are proud
of the close working relationship that we have with
technologists, and we thank Verizon, Facebook, Google, Apple,
the Application Developers Alliance, and so many more for
working with us to increase victim safety. The Location Privacy
Protection Act of 2014 will narrowly impact a handful of bad
actors that design or operate products created and sold to
facilitate terrifying crimes.
Senator Franken, thank you for your tireless and ongoing
efforts to end violence against women. Thank you, Ranking
Member Flake, and the entire committee for your long support of
Violence Against Women Act and these important location
protections for survivors.
[The prepared statement of Ms. Southworth appears as a
submission for the record.]
Chairman Franken. Thank you, Ms. Southworth. Thank you all.
We are going to have 7-minute rounds for questioning. I
will start.
Detective Hill, your testimony mentioned that you are
investigating an attempted murder where the victim was being
tracked by a stalking app that advertised itself as a parental
monitoring software. I actually saw something like that myself.
When we had a public hearing to debate this bill 2 years ago, I
read from the website of a stalking app named ``ePhone
Tracker.'' It looked like this: ``Suspect your spouse is
cheating? Track every text, every call, and every move they
make using our easy cell phone spy software.'' And there was a
lot of press about that after that hearing.
Later the same day, we checked the website again. This is
what it looked like: ``Is your child exposed to sexting?'' And
all the stuff about your spouse was gone.
Is it common for stalking apps to disguise themselves like
this, Detective Hill?
Mr. Hill. Absolutely. They typically will advertise
themselves as being a family tracker or track your employees
because they seem more friendly that way.
Chairman Franken. Well, because a lot of people say, well,
why don't you just go after stalking apps? Why don't you leave
legitimate apps alone? These are really two separate issues.
Your answer tells me that if we want to stop stalking apps, we
cannot target just apps that label themselves as stalking apps.
We also have to lay down a few basic rules of the road for any
app that is collecting your basic--your location information.
Mr. Hill. Oh, absolutely, because they will just change the
title of their app to something else that stalkers will
eventually figure out.
Chairman Franken. Ms. Southworth, we sort of have a needle
and thread, I guess. We do not want to interfere with the
legitimate parental monitoring apps, but we do want to block
stalking apps that are pretending to be something that they are
not. How do you do that?
Ms. Southworth. Legitimate parental monitoring apps, if
they follow along with the best practice of the computer-based
monitoring apps, are visible. With the Microsoft Family Safety
product, the child knows they are being monitored and their
parents have control functions. From the moment they turn the
computer on, they can see that there is monitoring occurring.
The same with employee monitoring products. There is absolutely
no problem with knowing that your device or your computer is
being monitored. So it is--in fact, the spyware industry
definition says if it is a monitoring product, it is spying if
is not visible to the user, and there is no exception for child
or employee. I understand that a child would not need to
consent in the U.S. under our law, but they would still need
notice.
Chairman Franken. Well, thank you, and I agree with you
that the reminder provision is absolutely critical here. Dr.
Atkinson has actually raised a couple of concerns about the
reminder provision, so I want to turn to those. Dr. Atkinson,
in your testimony, you say that reminders might make it harder
for parents to keep track of their kids because the kids will
know they are being tracked. As you just heard, though, we
cannot limit reminders only to apps that call themselves
stalking apps. A lot of stalking apps pretend to be parental
tracking apps and things like that.
More importantly, though, I disagree with you that the
reminder provision ``would be applied too broadly to all apps
using geolocation data,'' from your testimony. My bill requires
reminders only if an app is running in a way that is
imperceptible. I am not sure--you seem to miss that because in
your testimony you cite the Passbook app, in your written
testimony, for the iPhone as a legitimate app that ``is
arguably `imperceptible to the user.' ''
Well, I took a look at my home screen on my iPhone, and
there it was. This was not my iPhone, but it is second from the
left on the top there, and it shows up on your home screen by
default. In fact, you cannot delete it. It is impossible to
delete, and every time it gets your location, a little arrow
pops up. Show the arrow next to the 92 percent. I do not know
if you can see this. It is also in your privacy settings under
location services.
So the Passbook app that your testimony says is
imperceptible is really easy to perceive, at least to me. Any
app like the Passbook app would not have to remind their users
of anything under my bill. My point, though, is that it is not
a fluke that Passbook app is running transparently. That is
just the industry best practice. So right there, any app that
follows best practices will not have to send any extra
reminders.
So, Dr. Atkinson, isn't it already industry best practice
that location apps run in a way that are transparent to the
user?
Mr. Atkinson. So my point with that was twofold. One was--
and I may have made--should have made that clear.
``Imperceptible'' is perhaps a vague standard and perhaps you
might look at what would be a better definition in the bill of
what is actually imperceptible. Is imperceptible related to the
size of the icon? Is it related to being able to see in the
list? That was one point I was trying to make there.
I fully agree with you that--there are tracking apps, if
you will, are apps that report location that do run in the
background, like Carrier IQ. And those are used--those, again,
are not applications that an individual can access. I cannot go
to the Carrier IQ website and find out where my phone was. So
that was really the point I was making, is make sure that--I
would encourage you to make sure that the definition of any of
these applications is only for those apps where an individual
could put something on the phone and then the individual could
get access to that geo data stream. Otherwise, there are other
apps that are sometimes used for system performance where you
would not want that to be the case.
Chairman Franken. Well, I really do not think Carrier IQ
should be a model here. In 2011, in fact, we had--people were
outraged when they found out that the software was running in
secret, and so outraged that Sprint, the single biggest user of
Carrier IQ, removed the software from tens of millions--26
million devices. And I am sure that there are isolated cases
where the reminder provision might be superfluous and where it
might be difficult. But, I mean, imperceivable, when it is on
the home page, is--I do not know exactly--this just seems
very--by and large, very straightforward to me.
But I have run out of time, and I will go to the Ranking
Member.
Senator Flake. Well, thank you.
Mr. Atkinson, in your testimony, you note in the written
testimony there are number of innovative new products that
would be considered mobile devices under the legislation, but
they are not smartphones. These are like smart shoe apps or
watches or other help devices that use location data to tell
you how many steps you have walked that day. But these do not
allow notification. There is no interaction with the user.
Would that stifle innovation in these areas if you have issues
or regulations that cover that?
Mr. Atkinson. I think it could. Ms. Southworth mentioned an
app which is just simply a GPS device. And, in fact, the
company I mentioned, the Amber Alert company, they actually
sell just a pure GPS device you could put in your child's
backpack so you can follow them around and make sure you know
where they are.
There is no real way to do notification on that device, so
a stalker, for example, could, as she said, put one of those
devices in someone's trunk of their car. While I support the
notion that we should have notice on those for stalking apps,
there are certainly other technologies where you could not do
that. And then obviously on some of the new things that we are
going to get, how would you do a notice, for example, on a shoe
or a shirt or other things like that? It could be hard to do
notice. Notice is easier when you are dealing with an actual
computer-like device.
Senator Flake. Right. Mr. Atkinson, following up on that,
Ms. Southworth at the end of her testimony said that the
Location Privacy Protection Act will ``narrowly impact a
handful of bad actors that design or operate products created
and sold to facilitate terrifying crimes.'' Is that an accurate
description of the legislation, that it would simply impact a
handful of bad actors?
Mr. Atkinson. Certainly the component--some of the
components, particularly toward the end of the bill, would
certainly do that and are needed. But half of the bill or some
share like that is really focused on just broad generalized
commercial use of geolocation data, which has, frankly, nothing
to do with stalking, has no relationship to stalking or
identity theft or other problems. And the bill would address
those issues, and I think in a way that perhaps could limit
innovation.
Senator Flake. I certainly agree on the point, and like I
said, there is a big part of the bill that I support, the
stalking legislation part of it. But I remain concerned about
some of it stifling innovation you were talking about.
Mr. Mastria, do you want to address that as well?
Mr. Mastria. Senator Flake, thank you. We see that self-
regulation has been both effective and up to the task to give
consumers transparency and control around the--certainly on the
desktop environment, and will bring that to the mobile
environment. The desktop environment we have been in for over 3
years. Later on this year we will be releasing our mobile
choice app, which has been a work in progress now for about a
year. We released our Mobile Guidance last year. We released an
industry code for how to display notice earlier this year. The
mobile app will be the third step in a four-step process that
will actually make the guidance enforceable.
Senator Flake. Do you share Mr. Atkinson's concerns that
some of these new devices are not interactive and there is no
way for even best practices or businesses to band together for
notification if there is no interaction with the user? Does
that, in your view, stifle innovation?
Mr. Mastria. So one of the reasons that we think that self-
regulation works--and I just want to limit my answer to the
scope of the program that I run. One of the reasons that we
think that innovation is better served by self-regulation is
that we can quickly adapt and quickly move to new business
models. Not that many folks were simply thinking about apps and
cross-app data, precise location data many years ago, but we
have not only a set of principles in place and guidance for
companies to follow, but we are also putting out tools for
consumers to be able to make choices.
So that has happened in a fairly quick amount of time. I
think if there are challenges in the future around that, self-
regulation seems to be a quick way to adapt to those changes.
Senator Flake. In your view that could be far more nimble
than perhaps Government regulation in this regard?
Mr. Mastria. I think that is more eloquently put than I
did. Yes, thank you.
Senator Flake. Ms. Greenberg, you state in your testimony,
``. . . if companies affirmatively state in their privacy
policies that they will collect and share their users' location
data without consent with any third party they wish, they are
free to do so and the FTC has little power to stop them.'' But
in that scenario, doesn't the consumer have the ability not to
use the company's service or the app?
Ms. Greenberg. Well, certainly that is true, but there are
many, many apps that consumers find very useful. I do not think
that should mean that they sacrifice their privacy or their
ability to say, ``What are you using this data for? Don't I
have the right to say you need to let me know that this
information is being shared and with whom it is being shared?''
So I think we can bridge that gap without interfering with
companies' ability to innovate.
Senator Flake. Mr. Atkinson, again, you noted in your
testimony there were many beneficial uses of tracking apps. You
mentioned examples of the loved one locator, Project Life
Saver; if someone has autism or dementia or Alzheimer's, family
members are able to track and make sure that there is a safe
zone that they stay within.
There are exceptions in the bill, exemptions in the bill
for that, but some concerns have been raised where there are
situations where a sibling or a close family friend or others
who are not a parent or legal guardian might want to be
involved in that. Do you want to address that again or in more
detail?
Mr. Atkinson. Sure. I think it is important to understand
that ``stalking'' is not a technological term. It is a
behavioral term. ``Tracking'' is the technological term. And I
do not believe--nor does the bill do this--that we should ban
tracking applications. There are enormous benefits for
families, for other people to want to know where their device
is, where their family members are. And we need to make sure
that we can go forward with those.
What I am somewhat concerned about--I do not believe we
will end up with a situation where we can--I think companies
will change their names. They will just be Family Trackers, or
stalkers will just use Family Trackers. But fundamentally I do
not know how we can solve the problem, because, for example, on
the notification, any person who installs an app on a phone, on
the iOS or Android, you can turn off notification.
Now, you can hope that the person whose phone it is
understands that and looks at it, and I think that would be
part of the education effort we need to do. But how do you
monitor your phone? How do you look at the apps running list,
all those things? But there is simply--in both of those
operating systems right now you can just say, ``Turn off
notification.''
So I think it is a little more complicated, I think, than
just simply taking a set of apps that are bad actors who have
used them for bad purposes.
Senator Flake. Thank you.
Thank you, Mr. Chairman.
Chairman Franken. Thank you. The emergency exception and
public safety exception are not limited to parents. I just
wanted you to know that.
Let us talk about a couple things. Mr. Mastria, both you
and Dr. Atkinson have referred to Digital Advertising
Alliance's self-regulatory program for mobile marketing as a
model program. But just so I am clear, you issued this code in
July 2013, but you are not enforcing it. Is that correct?
Mr. Mastria. The code was issued in July 2013. There had to
be several operational steps that have to be put into place
before it can become operational. One of them is that there had
to be a standardized way for companies to display the notice to
consumers. That happened in April. And the next step is to have
an app so that consumers can express their choices. The next
step after the app would be that enforcement would come. Once a
consumer makes a choice, we want to make sure that that choice
is honored and that companies are held to honoring that choice.
Chairman Franken. So it is a model program in theory.
Mr. Mastria. No. The desktop program version of this has
been around for almost 3\1/2\ years.
Chairman Franken. Okay.
Mr. Mastria. So we have a great pedigree to show that, in
fact, we do put the tools in market that we say we will.
Chairman Franken. Okay. Well, can I ask, Ms. Greenberg,
about what your opinion is of--you know, what the reality you
see is in best practices?
Ms. Greenberg. Well, it seems that DAA's code is coming
late in the game--other industry players like CTIA and the
Direct Marketing Association put codes in place years ago. And
so with all due respect to Mr. Mastria--and we have looked at
his code, it is full of holes. We would argue that it feels
like a PR gesture and may be driven, in fact, by the
introduction of this legislation.
And I would also take issue with the idea that self-
regulation is working. There is monumental evidence that self-
regulation is not working. We have heard witnesses from GAO and
the FTC say as much. The Wall Street Journal did an article
that you mentioned with 101 apps being tested, and 47 of those
disclosed users' location to a third party without user
consent.
So I would say we very much need this bill because self-
regulation is not protecting consumers.
Chairman Franken. You know, there is the point that the
Ranking Member made: Has there been any evidence of harm? I
think that most Americans believe in that they have some right
to privacy. Do you think that there is harm that individuals
can feel if their privacy is not being protected?
Ms. Greenberg. Yes, the notion that there is no real harm
from the tracking and using of location data for consumers
really strikes at the heart of our notions of consumer
protection and the idea that privacy is a bedrock American
principle. We know that Justices of the Supreme Court whom I
mentioned, Brandeis and Sotomayor, have articulated that that
is a bedrock right. And we see from the Consumer Reports
surveys, from the L.A. Times survey, the vast majority of
consumers do care about their location data not being shared
without their consent and do want to know where that location
data is being sent and that it is being shared and for what
purpose.
So I think that flies in the face of what we know about how
consumers feel about their privacy.
Chairman Franken. Dr. Atkinson, last year your organization
published a blog post about my location bill, and in it said
that, ``The evidence for the use of stalking apps by stalkers
and harassers is somewhat thin.''
Dr. Atkinson, I can understand how an economics think tank
might think that, but I am curious what folks in the field have
actually seen.
Detective Hill, are stalking apps common or is the evidence
of their prevalence somewhat thin?
Mr. Hill. They are very common, and the more exams we have
done--like I said, you know, our exams have increased 220
percent. The more exams we do, we are finding more and more
that these apps do exist and are on phones.
Chairman Franken. Ms. Southworth?
Ms. Southworth. A week does not go by where our national
office--we are not even set up to do direct services, but we
get calls every single week from survivors who are really
trying to figure out is the GPS device on my car, is it on the
phone, is it an app, is it a setting. And we have a lot of work
to do to help them try to figure it out, and we just do not
have enough Detective Hills out there to send them to have
those phones examined.
Chairman Franken. Right, and that is why we are hoping--and
I think Dr. Atkinson has stated his general approval of the
stalking apps piece of this, so I do not want to send that
wrong message. Just in the execution of it, in terms of
giving--how important is it--and I will go to you again, Ms.
Southworth--that people have a reminder that this is happening?
And how realistic is that? Because Dr. Atkinson talked about
your being able to suppress that.
Ms. Southworth. It is vital, and the behavior is not new.
As all the witnesses have said, you know, there is general
support around helping victims. The challenge is offenders will
do anything they can to control and monitor their victims, and
back in the day they would look at the odometer when a victim
went to the grocery store and see if she perhaps stopped to
pick up a prescription because that is outside of the bounds of
what she was allowed to do that day, that just phenomenal,
crazy, and out of control that offenders do.
What happens with some offenders is they will actually tell
the victim, ``I am putting this stalking app on your phone, and
I am going to be tracking you.'' If she knows it is there, when
she comes to meet with Detective Hill to file a report, or she
goes to the local advocate to meet and talk about a protection
order, she can accidentally let the battery run dead. She can
leave the phone behind. But if she does not know it is on the
phone because either the offender did not tell her or she does
not see it, there is no little arrow on the top, she cannot do
anything to stay safe.
Chairman Franken. Before I run out of time, I mean, this
goes to the resources, because someone who feels like they are
being tracked, saying it must be in this thing, what happens
when they go to a police station routinely?
Mr. Hill. Routinely what happens is the agencies do not
have the tools to look at it, so they say they cannot, or they
may only have one tool to look at it, and they quick take a
look at it and do not see anything, and then send the victim on
their way, which can be very frustrating.
Chairman Franken. This is why we need and the bill does get
resources for being able to do exactly what victims need.
Mr. Hill. Absolutely.
Chairman Franken. Okay. I am out of time, and we will go
back to the Ranking Member, if you have any more questions.
Senator Flake. Well, I appreciate that. Let me just say,
like I said, the portions of the bill that deal with stalking,
I applaud the Chairman for his dedication on this, and those
who have testified, and groups and organizations that have
worked on this for a long time. And I do think we definitely
need action in those areas. My concern is just we in other
areas, the other part of the bill, that we do not unnecessary
stifle innovation that could help with some of these same areas
we are talking about.
But, Mr. Mastria, I think concerns have been raised about
this legislation, that it might require notice to be provided
and consent be obtained for individuals using a device. But
some devices are used not just by one individual, a family
table or a GPS in a car. Is there a concern among some members
in your organization that notification may be given to an
individual but not others who use the same device? Is that a
concern?
Mr. Mastria. Senator, I can speak to what the program code
is, and the program says that if you are transferring location
information, you have to get consent, and you have to get it
either at the download or on install, at some point that is
obvious. It has to be clear, meaningful, and prominent.
I would like to take a step back and just answer a point
that Ms. Greenberg made. Thank you for mentioning CTIA and DMA.
They were both participants in the development of our code, and
our code will be enforceable later on this year.
In terms of the PR piece, our program has announced more
than 30 public actions against both participants of the DAA and
non-participants alike. That is not PR. It is not an easy
conversation to have with a company that they are somehow
noncompliant with our program. But the reality is that that is
the mission that we have set out to do. The FTC had asked us to
mount a program, challenged industry to mount a program to
deliver transparency, control, and accountability, and we do
that every single day. And that is the program that we have,
and we think that it serves both industry and consumers well.
Senator Flake. Thank you. That was my next question,
actually, to describe the program you have with companies to,
you know, give some discipline to what you are talking about.
And you have actually referred companies for investigation. How
many did you say?
Mr. Mastria. There have been 33 public compliance actions.
That number, I think it is in the 60 or 70 individual companies
that are named in there, and of those, we get compliance from
most of them eventually. But one of them did get referred to a
Federal authority.
Senator Flake. Well, thank you. That does it for me, and I
really appreciate this hearing, and thank you for your
testimony, everyone.
Thank you, Mr. Chairman.
Chairman Franken. Well, I would like to thank all the
witnesses. Very, very quickly, because I do not want to have a
long back-and-forth, but would you like to respond to that, Ms.
Greenberg. But, again----
Ms. Greenberg. Yes, if I could just take a----
Chairman Franken. If you take a lot of time, I am going to
go back to Mr. Mastria.
Ms. Greenberg. I will just take a moment to say it is not
that we are arguing with the idea that they may have pursued
investigations. It is the code itself that is weak. The way we
read the code, an app does not need to get permission if they
do not share the data and they keep it to themselves under the
code. And if the app does share precise location with a totally
different company, they still do not need to get permission to
share it if they are doing so for a variety of purposes, like
market research or product hits.
So, in other words, it is the code itself that is weak, and
when I described it as full of holes, that is what I was
referring to.
Chairman Franken. I will go back to Mr. Mastria, just in
fairness.
Mr. Mastria. The code does call for consent when there is a
transfer of location information, and the reason we do that is
that we focus on when information is being transferred to
unrelated apps or unrelated sites. And so that is the code, and
that is part of the transparent----
Chairman Franken. Well, was her characterization of the
code not accurate?
Mr. Mastria. Yes; not accurate. I think that we focus on
transfer of information to unrelated apps, unrelated sites, and
we want to make consumers aware of that. We want to give them
control over that. That is the part of the code that is really
kind of the most--the essential piece of the DAA program.
Chairman Franken. Okay. We may follow up.
Mr. Mastria. Yes.
Chairman Franken. I do not want to--okay. I do not want to
do whatever I would be doing if I did it.
So, in closing, I want to thank obviously the Ranking
Member, Senator Flake, thank you, and I want to thank each of
the witnesses, and every one of you who appeared today, and
particular Detective Hill, who took time out of his job to
travel here and to testify to us. We heard a lot of valuable
testimony today. I think that my bill is going to protect our
privacy without--I think it would not create difficulties for
industry, and I am going to think about today's testimony,
though, and other feedback that we get, and we will work to
address that feedback to make any needed improvements in the
bill between now and the time it gets a vote.
So I thank all of you, and I mean that sincerely, I thank
all of you for being here. But I think there is one thing that
there is absolutely no question about. Stalking apps must be
shut down. It is unacceptable that in this day and age
companies are making money off of stalking and brazenly
marketing themselves to stalkers. It is equally unacceptable
that our laws have loopholes that let them do this. No matter
what we do, no matter what form this bill takes, we have to
stop these apps. I think there is agreement here.
So we will hold the record open for 1 week for submission
of questions for the witnesses and other materials. Thank you,
thank you, thank you again. This hearing is adjourned.
[Whereupon, at 4:32 p.m., the Subcommittee was adjourned.]
A P P E N D I X
Additional Material Submitted for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Prepared Statement of Bea Hanson
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Prepared Statement of Jessica Rich
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Prepared Statement of Mark L. Goldstein
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Prepared Statement of Brian Hill
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Prepared Statement of Luigi Mastria
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Prepared Statement of Sally Greenberg
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Prepared Statement of Robert D. Atkinson
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Prepared Statement of Cindy Southworth
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Prepared Statement of Chairman Leahy
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Prepared Statement of Chairman Franken
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Questions Submitted to Robert D. Atkinson by Senator Flake
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Questions Submitted to Luigi Mastria by Senator Flake
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Questions Submitted to Mark L. Goldstein by Senator Franken
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Questions Submitted to Jessica Rich by Senator Franken
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses of Robert D. Atkinson to Questions Submitted by Senator Flake
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses of Luigi Mastria to Questions Submitted by Senator Flake
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses of Jessica Rich to Questions Submitted by Senator Franken
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses of Mark L. Goldstein to Questions Submitted by Senator
Franken
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Submission for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Submission for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Submission for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Submission for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Submission for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Submission for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Submission for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Submission for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Submission for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Submission for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Submission for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Submission for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Submission for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
�