Mobile companies will have to obtain users' express consent before installing monitoring software if a bill floated Monday by Rep. Ed Markey (D-Mass) becomes law.
The draft bill, named the Mobile Device Privacy Act, is aimed at addressing “the threat to consumers’ privacy posed by electronic monitoring software on mobile phones,” Markey stated. The lawmaker specifically cited software developed by the company Carrier IQ as an example of the type of monitoring software that should only be installed with users' consent.
Last November, researcher Trevor Eckhart sparked controversy by posting a video showing how the company's software can log users' keystrokes. Since then, the company has been hit with dozens of lawsuits over the software. The keystroke logging accusations also spurred lawmakers to question officials from Carrier IQ, as well as wireless companies, about the technology.
Carrier IQ issued a 19-page report last month acknowledging that a bug in its software sometimes results in the logging of messages. The company also said that the data is encoded and “not human readable.”
The bill floated by Markey would require mobile companies to disclose the existence of monitoring software, the types of data collected, and the names of third parties that receive data. The bill also requires consumers to consent before the software begins collecting or transmitting data.
The measure provides for damages of at least $1,000 per consumer per violation.
Advocacy group Free Press praised the proposal. “Third-party companies with no relationship to the consumer must not be allowed to collect or sell user data under a veil of secrecy,” stated action fund political adviser Joel Kelsey.
But Jules Polonetsky, director and co-chair of the Future of Privacy Forum, suggested that the bill should be refined to distinguish between transmission of diagnostic information and transmission of data that could be used for marketing.
“Ensuring that personal data is not used for profiling or marketing without user permission makes good sense. Interrupting necessary quality-of-service information may be less than beneficial to users,” he said in an email to Online Media Daily.
He added that most Web users currently decline to send information to browser companies after a crash. “Some users may be concerned about privacy, some think it will slow their browsing, and others are just annoyed to be asked,” he said. “If users are asked about sending back diagnostic data from their phones, most will decline without thinking about the long-term consequences, leading to less feedback about why calls are dropped or data connections interrupted.”