Senate Tackles Mobile Location Restrictions—And Does So Very Poorly

Two U.S. Senators have introduced a pair of competing bills intended to make it more difficult to track consumer locations on mobile devices, which is a very rich area for retailers. But the bills suffer the same critical flaws that have inflicted earlier Senate technology efforts—such as one dealing with data-breach disclosures and another trying to limit E-Commerce tracking attempts—namely that they are sufficiently vague to completely undermine the intended restriction.

The first bill, introduced by Senator Al Franken (D-Minn.), is called The Location Privacy Protection Act of 2011. It is trying to force telcos and retailers to get the consumer's "express consent before collecting his or her location data and to get that customer's express consent before sharing his or her location with third parties." The second bill, introduced by Senator Ron Wyden (D-Ore.), is called The Geolocational Privacy and Surveillance (GPS) Act. It is designed to restrict how government investigators can access mobile-location data.

The key problem is that these bills are focused on location-based mobile services, and they tend to forget that the most common location-based mobile service is getting the phone to ring when receiving a call. Second, there are no significant instructions about how telcos are supposed to notify consumers and get their consent.

This creates a very easy way to comply with the wording of the law, while cleanly sidestepping its intent. What's to prevent a company from burying a few extra lines in the middle of the small-print legal documents that consumers need to agree to before receiving phone service? Something like "We need to know your phone's location so your calls will reach you. Accepting this service will mean that we may therefore track your location. We sometimes use third parties to help route and manage our calls. Accepting this service means that we have permission to share with these firms the data they need to perform their duties."

That sounds innocuous—for the nine people who end up reading the fine print. But there's no viable way for the consumer to opt out. But there's a better way: Force telcos to offer two services—one with tracking to make the phone ring and to support emergency services and one with all tracking enabled. And then borrow the techniques from the U.S. Surgeon General, whose cigarette warning dictates font size in relation to the package size and specifies the exact wording.

Senator Franken's bill, though, has an honorable objective. Here's part of The Location Privacy Protection Act of 2011's summary. Here's part of The Location Privacy Protection Act of 2011's summary. "Current federal laws allow many of the companies that obtain location information from their customers' cellphones and smartphones to give that information to almost anyone they please—without their customers' consent. While the Cable Act and the Communications Act prohibit cable companies and phone companies offering telephone service from freely disclosing their customers' whereabouts, an obscure section of the Electronic Communications Privacy Act allows smartphone companies, app companies and even phone companies offering wireless Internet service to freely share their customers' location information with third parties without first obtaining their consent," the bill's official summary says. "This legal landscape creates a confusing hodgepodge of regulation. Thus, when a person uses a smartphone to place a phone call to a business, that person's wireless company can't disclose his location information to third parties without first getting his express consent. But when that same person uses that same phone to look up that business on the Internet, because of ECPA, his wireless company is legally free to disclose his location to anyone other than the government."

The bill, though, only requires the "express authorization of the individual that is using the electronic communications device," something that can be easily satisfied by burying in the standard agreement.

The Wyden bill, which doesn't impact retailers as directly, is more strict when it comes to restricting government use of location data. Well, actually, it sounds like it is, until it gets to the exceptions area. That bill says it will not be illegal to access mobile-location data if the government employee is "lawfully engaged in an investigation and the person acting under color of law has reasonable grounds to believe that the geolocation information of the other person will be relevant to the investigation."

If the intent of the Wyden bill is to prevent law enforcement agents from using this mobile-location data carelessly, why has an exclusion been included that J. Edgar Hoover could have written? Unless the FBI agent is herself committing a theft, the above exception will allow a warrantless search of all such data if the agent believes the data "will be relevant" to an investigation.

Note to Senators: Want to propose laws that actually close the loopholes you publicly condemn? Next time, don't let the lobbyists for the entities you want to restrict write the exemptions. There's a reason they offer their writing services for free.