Apple introduced its Macintosh computer in 1984 with a now-famous Super Bowl commercial that showed a lone rebel striking out against Big Brother. So it was ironic that researchers recently accused the company of an Orwellian intrusion into consumer privacy: Its iPhones and iPads appeared to be tracking their users' movements. Apple eventually offered a rebuttal, and it hustled out a software update to address the concerns. Nevertheless, the episode helped strengthen the push in Congress for some basic consumer privacy protections.
Such safeguards are amply justified, given the burgeoning business that has emerged around the collection and dissemination of personal information. But as the Apple controversy illustrates, there is an important distinction between collecting information about individuals and invading their privacy.
The brouhaha began late last month after researchers for the O'Reilly Radar technology blog drew attention to a file on iPhones and iPads that recorded the GPS coordinates of nearby Wi-Fi access points and cellphone towers. The record stretched back for months, with the location information time-stamped and frequently updated.
The outcry lasted about a week, until Apple finally issued a statement declaring that it was "not tracking the location of your iPhone." The file in question, the company said, was a widely sourced database of Wi-Fi and cellular landmarks used to calculate the device's location faster while using less battery power. It acknowledged that its devices were sending location information back to Apple, but it insisted that the data were anonymized and collected merely to improve its databases of location and traffic information.
Apple has updated its software to minimize the amount of location data stored on the devices, and the episode seems to be over. The fuss it generated, though, is instructive. It shows that many people consider information about their location to be sensitive; they're willing to share it as part of a mobile service, but they don't want it to be recorded. It also shows that the public recoils from anything that smacks of corporate surveillance, even if the purported snoop is a company that makes a wildly popular product.
The public is concerned about being tracked online too, and for good reason. Numerous companies are collecting vast amounts of information about individuals' browsing habits, sometimes combining it with personal information gleaned from public records or disclosures made on social networks. The collection and use of these data may not only be invisible to users but also surprising.
A good example is what Facebook is doing with the "Like" button it has persuaded more than 2.5 million websites to display. The button ostensibly lets Facebook users recommend things they encounter online — a blog post, for example — to their friends on the social network. But researcher Arnold Roosendaal of the Netherlands found that once a Facebook user has clicked on a single "Like" button, Facebook will be alerted to all of his or her subsequent visits to any Web page with a "Like" button. The company even tracks individuals who aren't Facebook members, Roosendaal reported, although it cannot identify them by name.
Facebook's approach is similar to what many online advertising networks do in order to target pitches based on people's browsing behavior. To some technology advocates, this sort of data gathering is harmless. In fact, they say, "behavioral targeting" benefits Internet users in at least two ways: It reduces the number of irrelevant ads they see, and it generates significantly more revenue for sites than non-targeted ads. That revenue helps sites offer content for free.
Individuals should have a say in the matter, however, when sensitive and personally identifiable information is collected and shared. Simply using the Web shouldn't be tantamount to consenting to electronic surveillance. The challenge for policymakers is figuring out how to give consumers the right degree of control without making it impractical for companies to make innovative uses of personal information — in other words, to balance privacy concerns against the demand for ever-more-functional devices and services.
Several proposals are circulating in Congress, including a bill by Rep. Cliff Stearns (R-Fla.) that would require companies to develop easy-to-understand privacy policies and alert users when they decide to disclose or sell personally identifiable information; a measure by Sens. John Kerry (D-Mass.) and John McCain (R-Ariz.) that would require companies to obtain users' permission before collecting sensitive personal information; and a proposal by Rep. Jackie Speier (D-Hillsborough) to require the Federal Trade Commission to adopt a system enabling consumers to prevent companies from tracking their movements online.
We'll save the discussion of the various proposals' pros and cons for another day. For now, we urge lawmakers to stay out of the FTC's way as it seeks to enforce the principles it recently enumerated in a consent decree regarding Google Buzz, a social network that many Google email users were thrust into unwittingly. Those include a duty to design products and services to protect personal information against unintended disclosures, and to seek users' permission before making new and unexpected uses of the information previously collected. Both of these ideas draw on the clear and straightforward "Fair Information Practices" that a federal advisory panel laid out almost four decades ago — well before Apple warned Super Bowl audiences about Big Brother's prying electronic eyes.