Mobile Device Privacy Act: The Good the Bad, and the Ugly
On Monday, January 30, Congressman Edward Markey (D - Massachusetts) has proposed a draft bill called the Mobile Device Privacy Act (pdf). The bill was designed to respond to situations like the Carrier IQ debacle, where a researcher determined that mobile phones were sending vast amounts of data without the user being aware of the transmission. Carrier IQ hit that researcher with a cease and desist order, and later claimed they weren’t sending personal information. There are some strong aspects to the bill and one major potential drawback.
The first thing to celebrate in this bill is the definition of monitoring software:
MONITORING SOFTWARE. The term ‘‘monitoring software’’ means software that has the capability automatically to monitor the usage of a mobile telephone or the location of the user and to transmit the information collected to another device or system, whether or not such capability is the primary function of the software or the purpose for which the software is marketed.
This definition includes both usage of the phone and location, and the key phrase - "whether or not such capability is the primary function". This language is valuable in protecting privacy because it leaves very little wiggle room when defining "monitoring software".
The policy is also extensive; it covers every entity I could think of in the mobile phone ecosystem including:
- Businesses selling phones to consumers
- Service providers both when the customer is first signing a contract and after a contract is signed - no sneaky downloads or "upgrades"
- Manufacturers of phones and phone operating systems
- And a person or company who operates a website, or other service that allows users to download monitoring software - app developers on services like Itunes and Android market would be covered here.
The section covering information disclosure also covers most of what a privacy advocate would hope for. Companies are required to disclose to consumers the fact that monitoring software is installed or that the software being downloaded is "monitoring software". This disclosure includes the types of information the software is capable of transmitting, the identity of the person or entity the information will be transmitted to, and how much of the information will be "used".Continued on the next page