Interconnectivity and Lack of Transparency

iBeacon is a new location-based technology that Apple recently announced on iOS. Instead of relying on GPS data, iBeacon uses a Bluetooth low energy signal to identify nearby iPhone, iPad and iPod Touch devices with a high degree of precision [1]. Several retail stores, including Apple and Macy’s, have started using the technology to alert customers of special deals related to merchandise in their vicinity through beacons located throughout the store [2]. This new way to track iPhone users inside buildings raises some serious concerns about consumer privacy, and how well users understand the possible ramifications of setting this micro-location tracker to “on” or “off”. Released last February, the exposition of such Consumer Privacy Bill of Rights principles as Individual Control, Transparency, Respect for Context, and Focused Collection, not only dusts off familiar concerns about how, when, and to what extent companies like Apple, Facebook, and Google might collect personal data, but it also, most remarkably for our purposes, raises questions about the roles, rights, and responsibilities that third-party companies have in the use of consumer personal data.

In the case of iBeacon, Apple clearly states that allowing third-party apps and websites to access your device’s location puts you under the third party’s privacy policy and terms of use, rendering Apple not responsible or liable for how data is collected or shared. But often, apps connect their data to other third-party apps, making it even more difficult for consumers to understand what kind of data they are sharing, and with whom. The privacy policy for a shopping assistant app called inMarket, for example, warns users that third parties may collect many types of data about them by downloading the app: “They may use Tracking Technologies in connection with our Service, which may include the collection of information about your online activities over time and across third party sites or services. Their privacy policies, not ours, govern their practices.” [3]. The assiduous inMarket user might notice that the company considers Unique Device Identifiers as “non-personally identifying information” and asserts that “If we de-identify data about you, it is not treated as Personal Information by us, and we may share it with others freely.” While inMarket may distinguish between personal and non-personal data in its privacy policy, it undermines the Transparency Consumer Privacy Bill of Rights principle by making this information nearly impossible to find (especially on the small screen of a mobile device), and so vague that users are left with a less than meaningful understanding of the privacy risks and options associated with their use of the product.

Issues of companies leaving their users in the dark about what data collection contexts they are in were raised again in late 2013, when Google came out with a new feature for their advertising system called “Shared Endorsements,” which could put users’ names, photos, and Google+ profile next to advertisements for companies that they have endorsed, for each user’s social network to see. [4]  Such a personal recommendation system for advertising raises several questions about the Consumer Bill of Rights, namely its Individual Control, Respect for Context, Transparency, and Focused Collection principles. While Google has apparently taken a cue from Facebook—who at the time of the Shared Endorsements rollout, had just been sued for $20 million for not allowing users to opt out of their similar system, “sponsored stories”—and given users an option to opt out of the service, the implications for Google’s implementation of personal recommendation advertising differ from other social networks. As one news source notes, for example, the victories for consumer privacy gained by the Shared Endorsements opt-out option “may not extend far beyond that,” as, technically, users are opting out of their photo being shown in advertisements, not necessarily in other Google products. [5] In fact, it is due to the diversity, interconnectedness, and sheer number of Google products, that the company is in more in a position than Facebook, for example, to redefine and potentially violate the Consumer Privacy Bill of Rights’ principles of Respect For Context and Focused Collection principles, which qualify the appropriate context and amount of data users can expect companies to collect, use, and disclose.