jump to navigation

iPhone 4S’ Siri and EU privacy law November 7, 2011

Posted by Brandon in Technology Forum - the Art.
Tags: , , , , , ,

Since the release of the iPhone 4S, some consumers have discovered troubling technological gaps in its new marquee feature.  Siri, known as Apple’s “humble personal assistant”, is raising privacy concerns.  But this shouldn’t be surprising even to the most loyal of Apple product lovers.

Released on the new iPhone 4S, Siri can be asked questions, make appointments, dictate text and activate numerous commands with normal language.  It can also answer the user’s questions and comments using normal speech.  However, Siri does not appear to deactivate when the iPhone is locked, meaning that even password protection will not stop Siri from functioning with an unauthorized user.  As MacWorld found, “we had a PCWorld editor pick up my locked iPhone 4S, activate Siri, and compose a resignation letter that was sent from my MacWorld email address”.  While this was performed on the default Siri setting, it appears that even modifying the settings does not stop this functionality.

Apart from unauthorized use, Apple may be capable of collecting personal information through Siri.  While just an interface, meaning that Siri doesn’t collect or store information, but rather transmits it, the information given Siri is saved to Apple’s local servers.  Not your iPhone. This ostensibly allows Apple to collect personally identifiable information, including the iPhone 4S user’s first and last name, relationships with address book contacts, and other personal data.

Technically however, this should not surprise users as Apple has their consent to this collection once users clicked through a license to get the ios5 update.  Under Apple’s software license agreement, part 4(c), those who download the ios5 software update, “agree and consent to Apple’s and its subsidiaries’ and agents’ transmission, collection, maintenance, processing and use of this information, including your voice input and User Data, to provide and improve Siri and other Apple products and services”.  Some have argued that this release makes phone hacking legal under Apple’s terms, but this has yet to be tested.

Assuming Apple makes no modification to affect their license or does not otherwise address unauthorized use of Siri, some consumers could consider taking action to protect the use and distribution of their personal information.

Apart from common law actions, domestic and foreign privacy legislation has been enacted to protect citizens’ personal information.  Unfortunately, US privacy law is not well-developed, and otherwise emphasizes self-regulation.  US regulations have been developed on an ad hoc basis, often after a problem has developed, making the legal protections particularly fact and industry specific. This reactionary approach could be attributed to American laissez-faire economics or the 1st amendment in the US, coupled with the precedent of only implicit privacy rights being recognized in US courts (See Griswold v. Connecticut).  What is more, the Patriot Act has arguably been used to undermine general concepts of privacy.  While this may finally force the court’s to determine privacy rights, fortunately some states including Massachusetts have taken the lead in addressing privacy concerns through direct regulation of the use and collection of personal information.

Conversely, iPhone 4s users in the EU and United Kingdom are currently better situated to protect their privacy rights.  Data privacy law in the European Union is a highly developed and constantly evolving area and has been given considerable political attention when compared to the United States.  Remarkably there are no less than three directives directly on point to the protection of digital information.  Personal information under these directives is defined very broadly, covering “any information relating to an identified or identifiable person”. Directive 95/46/EC, known as the Data Protection Directive, protects member state’s citizens from the unauthorized processing of personal data.  Accordingly, Directive 2009/136/EC or the Cookie Directive, personal info collected over the internet must remain confidential and citizens must opt into communications. Directive 2002/58/EC, or the E-Privacy Directive, further regulates the use of internet cookies, spam, user location information and the transmission of that digital data.  However, none of these laws appear to protect anonymized or aggregated data.

In the United Kingdom, the Data Protection Act of 1998 was enacted in part to bring the UK in line with the Data Protection Directive.   However, similar to EU regulations, this UK privacy law does not cover anonymized or aggregated data. While this provision plays more to Apple’s favor, EU member states will certainly have powerful tools to compel Apple to take this newly-discovered Siri matter seriously.

*Update 3/15/12: Apple among 18 firms sued for privacy-invasion in mobile apps.


Massachusetts data privacy law, outwards and upwards September 28, 2011

Posted by Brandon in Tenet Forum - The Law.
Tags: , , , , , ,

Last week, Massachusetts Attorney General Martha Coakley announced that she may be investigating Apple Inc. for breaches of personal data laws in Massachusetts, and is otherwise stepping up enforcement.  With 480 reports of data breaches this year, Coakley has estimated that 1 in 3 Massachusetts residents are victims of personal data breach.  Her comments leads some to believe what some may consider an obscure law will be enforced not just in Massachusetts, but nationwide.

In 2007, Massachusetts enacted a new law in Chapter 93H to protect security breaches of personal data.  Under the law and its accompanying regulations, anyone who owns or licenses personal information of Massachusetts citizens must develop a plan to protect that personal data, report security breaches, and dispose of personal information.  Ostensibly, this means that any company in any jurisdiction, worldwide, may breach the law if they maintain accounts containing personal data of Massachusetts’ residents.

Chapter 93H was spurned on in part by a major data breach at the Massachusetts company TJX, in 2007.  In that incident at least 45.7 million credit and debit card numbers were stolen by hackers who accessed the TJX computer systems.  However, the regulations promulgated under Chapter 93H did not go into effect until March 2010, and the first fine was not issued until a year later.

The Massachusetts regulations for the data protection laws, 201 CMR 17, sought to change the conception of personal data for the commonwealth, and are written to be technology neutral.  The law is enforced by the Massachusetts Attorney General’s Office, and there is no private right of action under Chapter 93H. Katz v. Pershing, No. 10-12227-RGS, at 9 (D. Mass. August 23, 2011).  This lack of a private right of action in Chapter 93H may be to blame for a lack of enforcement, as public resources have been strained since the laws went into effect.  Nonetheless, the regulations are prescriptive rather than reactionary to illegal conduct by requiring companies to draft and maintain a “written information security plan”, or a WISP.

Under a company’s WISP, there must be procedures for how employees access and use client’s personal information, and a specific description for how personal information will be protected.  “Personal Information” is defined as the first and last name of the Massachusetts citizen, combined with a social security number, credit card number, account number or state ID number.  It is not clear at this point whether numbers for documents such as rental applications are considered personal information, or if  personal information must be protected after the person is deceased.

Liability for breach of the Massachusetts data protection laws extends to contractors and agents of the company, and penalties may be severe, extending to each and every breach.  Where breaches accumulate, the damage awards can be high.  For example, the Briar Group, a conglomerate of Boston area restaurants and taverns, settled for $110,000 with the government last year.  If you are a company which handles personal data, it may be advisable to keep detailed and clear records of your compliance with the law, including your procedures for an internal breach and reporting mechanisms.  Other solutions may include encrypted emailing with customers, security assessments, policy development and employee trainings.

Some commentators note that a private right of action may exist for breaches of data privacy under Chapter 93A as an unfair and deceptive trade practice.  Outside Massachusetts, while there may be practical enforcement and jurisdictional issues with policing Chapter 93H and 201 CMR 17, Coakley could be signaling that her office will bring the issue to the courts.  Her comments should signal companies both in and outside Massachusetts to tighten up their privacy policies.

Do you agree or have other points on this topic?

%d bloggers like this: