
iPhone 4S’ Siri and EU privacy law November 7, 2011

Posted by Brandon in Technology Forum - the Art.

Since the release of the iPhone 4S, some consumers have discovered troubling technological gaps in its new marquee feature.  Siri, known as Apple’s “humble personal assistant”, is raising privacy concerns.  But this shouldn’t be surprising even to the most loyal of Apple product lovers.

Released on the new iPhone 4S, Siri can be asked questions, make appointments, dictate text and activate numerous commands with normal language.  It can also answer the user’s questions and comments using normal speech.  However, Siri does not appear to deactivate when the iPhone is locked, meaning that even password protection will not stop Siri from functioning with an unauthorized user.  As MacWorld found, “we had a PCWorld editor pick up my locked iPhone 4S, activate Siri, and compose a resignation letter that was sent from my MacWorld email address”.  While this was performed on the default Siri setting, it appears that even modifying the settings does not stop this functionality.

Apart from unauthorized use, Apple may be capable of collecting personal information through Siri.  Siri itself is just an interface, meaning that it doesn’t collect or store information but rather transmits it; the information given to Siri is saved to Apple’s local servers, not to your iPhone.  This ostensibly allows Apple to collect personally identifiable information, including the iPhone 4S user’s first and last name, relationships with address book contacts, and other personal data.

Technically, however, this should not surprise users, as Apple obtained their consent to this collection once they clicked through a license to get the iOS 5 update.  Under Apple’s software license agreement, part 4(c), those who download the iOS 5 software update “agree and consent to Apple’s and its subsidiaries’ and agents’ transmission, collection, maintenance, processing and use of this information, including your voice input and User Data, to provide and improve Siri and other Apple products and services”.  Some have argued that this release makes phone hacking legal under Apple’s terms, but this has yet to be tested.

Assuming Apple makes no modification to affect their license or does not otherwise address unauthorized use of Siri, some consumers could consider taking action to protect the use and distribution of their personal information.

Apart from common law actions, domestic and foreign privacy legislation has been enacted to protect citizens’ personal information.  Unfortunately, US privacy law is not well-developed, and otherwise emphasizes self-regulation.  US regulations have been developed on an ad hoc basis, often after a problem has developed, making the legal protections particularly fact- and industry-specific.  This reactionary approach could be attributed to American laissez-faire economics or the First Amendment in the US, coupled with the precedent of only implicit privacy rights being recognized in US courts (see Griswold v. Connecticut).  What is more, the Patriot Act has arguably been used to undermine general concepts of privacy.  While this may finally force the courts to determine privacy rights, fortunately some states, including Massachusetts, have taken the lead in addressing privacy concerns through direct regulation of the use and collection of personal information.

Conversely, iPhone 4S users in the EU and United Kingdom are currently better situated to protect their privacy rights.  Data privacy law in the European Union is a highly developed and constantly evolving area and has been given considerable political attention when compared to the United States.  Remarkably, there are no fewer than three directives directly on point to the protection of digital information.  Personal information under these directives is defined very broadly, covering “any information relating to an identified or identifiable person”.  Directive 95/46/EC, known as the Data Protection Directive, protects member states’ citizens from the unauthorized processing of personal data.  According to Directive 2009/136/EC, or the Cookie Directive, personal information collected over the internet must remain confidential and citizens must opt into communications.  Directive 2002/58/EC, or the E-Privacy Directive, further regulates the use of internet cookies, spam, user location information and the transmission of that digital data.  However, none of these laws appear to protect anonymized or aggregated data.

In the United Kingdom, the Data Protection Act of 1998 was enacted in part to bring the UK in line with the Data Protection Directive.  However, similar to EU regulations, this UK privacy law does not cover anonymized or aggregated data.  While this provision plays more in Apple’s favor, EU member states will certainly have powerful tools to compel Apple to take this newly discovered Siri matter seriously.

*Update 3/15/12: Apple among 18 firms sued for privacy-invasion in mobile apps.


1. Jim - November 8, 2011

Great post. Lots of information I had no idea about. Thanks for sharing.

Brandon - November 8, 2011

Absolutely, thanks for reading and glad I could help out.
