Individual Privacy Challenges in the Smartphone Age: Commerce and Law Enforcement Implications

September 14, 2016

Let’s face it.  Your ability to function in today’s digital economy, workplace, and world depends on your ability to access information quickly and from anywhere.  The smartphone is the tool de jour for keeping up and staying informed, and digital trends say that our collective dependence on the smartphone will only increase.  Today in America, more than 64 percent of adults own a smartphone as opposed to 10 percent in 2009, and now 72 percent of children under the age of 8 have used a smartphone to connect online.
But with each seemingly innocent use of a smartphone do we know what amount of control or personal privacy we surrender?  The truth is that the answer is still to be determined.  The rights and expectations of privacy in your everyday phone use are being decided by private companies, government agencies, and federal courts, and two significant events provide us the latest indicators of that struggle.

  1. Government defends privacy rights: The FTC’s InMobi Settlement

The popularity and ubiquity of smartphone usage has fueled many companies’ efforts to exploit the mobile platform to sell targeted products to consumers.  Enter mobile ad network companies, such as InMobi, who make money by providing software that collects massive amounts of user data from mobile networks, including location, and matches targeted ads with websites and applications.
But InMobi went one step further, deciding to crowd-source its location information from consenting users to track users who specifically declined geolocation tracking and continued to provide targeted advertising based upon those inferred locations.  Specifically, InMobi built a database with location information from consenting users and recorded those locations with the Base Service Set Identification (BSSID) addresses from Wi-fi access points those consenting users were utilizing.  Then, when a user who did not consent to the use of their location accessed data through a recorded BSSID, InMobi used its database to infer the user’s location and push location-specific advertisements even after the user never consenting to location tracking.  The scale of this effort was also alarming, as InMobi claims to reach more than 1.5 billion unique mobile devices worldwide, and is the first of such mobile ad networks to reach that number.
Many smartphone applications utilized InMobi’s software toolkit, including those applications specifically designed for children’s use, which ran directly afoul of the Children’s Online Privacy Protection Act. The Federal Trade Commission (FTC) stepped in and, in its first action against a mobile ad network, settled a suit in June with InMobi, requiring the company to change their location tracking policies, pay $950,000 for their improper collection and use of the location of hundreds of millions of users without their consent, and delete all location data collected or inferred without consent.
The civil penalties the FTC dealt to InMobi put all other software developers and businesses on notice that trying to skirt around the express consent requirement to track geolocation data from smart phone users will not be tolerated in the U.S., and also highlighted the lack of security of BSSID information as it correlates to individual users.  The settlement, although indicative of increased privacy protection to smartphone users, did not establish new case law or regulations.  In fact, the law’s current status as it pertains to cell phone, cell site, and wi-fi location privacy rights is less optimistic.

  1. Government attacks privacy rights: CSLI and the Fourth Circuit ruling in United States v. Graham

While June’s FTC ruling reinforced some privacy expectations in smartphone users, a federal appeals court’s en banc decision in May dealt privacy proponents another strong defeat in the cell phone arena.

The Fourth Circuit, in United States v. Graham, ruled 12-3 that an individual does not have any expectation of privacy in their historical cell site location information (CSLI) that is delivered to a (third-party) cell phone service provider, and that the government can obtain the information without a warrant.  The opinion clearly stated that it was bound by precedent from a 1979 Supreme Court case.
What is crucial about CSLI, is that your phone sends this information without any action on the part of the user.  Because cell phones independently seek the closest cell tower and push data without request, this sharing of sensitive information is automatic between a cell phone user and the service provider.  This type of information is also the most popular form of law enforcement cell phone surveillance – AT&T fielded more than 57,000 requests for such data last year alone.
This Fourth Circuit opinion marks the fourth time a court of appeals ruled in this way, presaging an appeal to the Supreme Court to resolve the conflicting applications of the third-party doctrine with regard to cell phone location information privacy.