ISPs and Mobile Apps: Prying “Eyes” are Watching You

A few months ago, the Federal Trade Commission (“FTC”) released a Staff Report that confirmed our worst fears about internet service providers (“ISPs”): namely, that they are collecting vast amounts of data from their customers, which they are sharing with unknown third parties. The report is the culmination of two years of voluntary reporting (at the agency’s request) by the six largest mobile ISPs, comprising 98.8% of the mobile internet market, and three affiliated online advertising firms. According to the report, ISPs track individuals and their use of online services across multiple devices, websites, and geographic locations, and their data collection includes web searches, mobile app usage, and the content of unencrypted text messages and emails, among other data points.

Most ISPs have affiliates that provide services other than internet access—e.g., telephony, cable or streaming video, and “smart home” services (e.g., personal assistants, alarm monitoring)—and those ISPs aggregate information collected by their affiliates about identified individuals to compile profiles that could include sensitive personal information (“PI”), such as ethnicity, gender, sexual orientation, economic status, religious beliefs, political affiliation, movements throughout the day, persons with whom they communicated and visited, and highly personal interests and tastes.

Such profiles are extremely valuable to online advertisers, as well as to other economic actors, including property managers, bail bondsmen, bounty hunters, and others with less-than-honorable intentions. (For the record, after the press reported in 2018-19 that wireless carriers were providing real-time location information to assist in locating individuals without those individuals’ knowledge or consent, the carriers claimed to have abandoned the practice.)

The ISPs that participated in the FTC Staff Report admitted to storing personal data for months or years after they needed it to provide service. Although virtually all ISPs claim to store PI only as long as they need it for a “business purpose,” they are free to define what their “business purpose” is, which, the FTC Staff Report pointed out, gives them virtually unfettered discretion to store PI as long as they like.

The FTC Staff Report came on the heels of a similar disclosure, about a year earlier, that a federal government contractor, Anomaly 6, had built functionality for collection of end users’ location and other personal information (“PI”) into a Software Development Kit (“SDK”) that it licenses to mobile app developers. In fact, its SDK is embedded in more than 500 mobile apps; however, because the SDK is an “add-in,” and the PI it collects is directed to Anomaly 6, rather than to the app developers, most app developers have not felt the need to inform their users that their PI is being collected and subsequently sold to third parties! (For their cooperation, the app developers received a share of the revenues that Anomaly 6 earns from selling PI.) This activity is essentially unregulated because the law in most jurisdictions hasn’t caught up with what is known as the “secondary data market,” the market for selling and using consumers’ personal information that is one step (or more) below the consumer-facing app or service provider.

The Risks of the Secondary Data Market

The secondary data market is a huge problem. Anomaly 6’s SDK alone has collected location or other PI from over 500 million individuals worldwide. And Anomaly 6 is just one player in an ocean full of these bottom feeders, who unfortunately are extremely sophisticated but virtually unknown. Merely knowing that a particular Mobile Telephone Number (“MTN”) was located at certain coordinates at a particular time of day, by itself, does not seem particularly intrusive, but if you can tie that same MTN to a home address, where the phone “resided” overnight, as well as to a few e-commerce transactions or Apple Pay in-person transactions, or perhaps to a trip on the subway or in an Uber, now you have the ability, through data analytics, to identify the individual whose phone is using that MTN and to create an accurate profile of the person’s likes, dislikes, habits, and tendencies. And through geolocation and data analytics of the motions of individual mobile devices (reported by their internal accelerometers), marketers and others can identify individuals who were together at a particular time and place—e.g., a group walking together on a city street, all carrying location and motion-reporting mobile devices.

If there is any doubt regarding the nefarious uses to which online information can be put, consider these examples: In connection with the 2016 U.S. presidential election, Cambridge Analytica used profile data assembled from online activity to micro-target 87 MILLION Facebook users with political messages (not all of which were obviously such). A marketing firm used location information to target individuals who visited family planning clinics and methadone clinics, and then sent them targeted ads for birth control and substance abuse treatment, respectively. The U.S. Department of Defense has banned fitness tracking apps and devices because they can be used to track the location of military personnel and to identify the locations of secret installations.

As disturbing as these anecdotes are, the fact remains that the users in each case probably consented to the collection and use of this sensitive information as the quid pro quo for a free app or in a software license that they never read or did not understand. For years, U.S. data protection laws have been premised on the flawed notion of informed consent; essentially, a data broker can collect practically any information an adult user agrees to provide and use it in any lawful manner to which the “data subject” agreed it may be used.

The terms of use and licenses that contain these grants of rights to data brokers are written so broadly that almost anything goes. The recent FTC Staff Report found that almost no consumers bother to read privacy disclosures. It revealed that only between 0.55% and 6.7% of total subscribers, depending on the ISP, ever review the privacy disclosures. But even where consumers do read such disclosures, they can’t do much to protect the information communicated over the services at issue—as the FTC Staff wrote, “[t]he privacy policies for several of the ISPs in our study reserve extremely broad rights as to how they will use consumer data, essentially permitting these ISPs to use consumer data for virtually any purpose.” And even where ISPs offer users privacy options through their settings, navigating the multiple layers of settings is often confusing, time consuming, and complicated.

Any enterprise that provides mobile devices to its employees should be concerned about these practices. Data brokers consider location information to be the most valuable type of PI, and for that reason alone, enterprises should be aware of the risks of allowing third parties to track their employees’ every move. Consider litigation filed against your company that depends on proving that certain employees were in certain places at a particular time. Information about the web searches an employee conducts or the goods or services an employee purchases can be enormously valuable to a competitor or a prying reporter looking for a scandal to unveil. A third party holding that information could make or break the case for the plaintiff—assuming that the court allows the evidence to come in.

For at least ten years it has been common practice among lawyers representing plaintiffs injured in a vehicle crash to first obtain the driver’s mobile phone records to try to prove that the driver was on the phone (talking or texting) at the time of the crash. If the driver was engaged in company business, the plaintiff can name the company as a co-defendant under the theory of respondeat superior, upping the plaintiff’s potential recovery. It is not hard to see how this “blame-the-employer” tactic could be extended to a host of other torts and crimes.

Consider also the fact that Artificial Intelligence-powered “assistants” such as Siri, Google, Alexa, and Cortana are always listening, analyzing the data they are gathering, and storing it for future use. Indeed, even the microphones on company-issued or personally-owned laptops and workstations can be hijacked for use as listening devices, and the webcams on those devices can give bad actors a view of users’ whereabouts. Any computing device used for work (phone, tablet, laptop or desktop) should disable these electronic bugging devices when not necessary.

Finally, well-intended (and other) employees may find it irresistible to record a meeting, teleconference, or web-based video conference to preserve the information and avoid having to take notes. Not only could unannounced recording of such discussions be illegal (depending on the states where participants are located), but the recording itself, which at some point will be backed up to the cloud or elsewhere, could contain competitively sensitive or damaging information that could find its way into the media or a courtroom.

Protecting the Enterprise

Enterprises can take several actions to prevent unknown operators from collecting and sharing sensitive information about employees—which could theoretically be used to hold the employer liable for employee actions or omissions.

• Limit work-related activities to enterprise-issued devices. First, employees should be prohibited from using personally owned devices for work-related calls, texts, emails, posts, web searches, or creating, reviewing, or editing any work-related document. It is simply too difficult to manage personally owned devices and the apps they run, even if you require BYOD employees to install a Mobile Device Management (“MDM”) client on their mobile devices. While MDM solutions can go a long way toward protecting your data on portable devices, employee resistance to job-related control of their personal devices will create behavioral, practical, and technical implementation issues and leave your data vulnerable to unauthorized access. Requiring any employee whose job requires them to use a mobile device (including a laptop) to only use enterprise-issued and -controlled devices running enterprise approved software and utilizing enterprise-contracted communications and data services is the sine qua non of data protection with a mobile workforce.
• Prohibit employees from conducting personal activities on enterprise-issued devices. Conversely, company-issued devices and apps should never be used for personal correspondence (including text messages, which are archived and discoverable), web-based research, or purchases, whether online or in person. A strong company policy prohibiting the intermingling of business and personal use should be adopted and enforced with meaningful sanctions.
• Fully vet and secure applications. Be sure that employees are unable to install any apps that your IT department has not fully vetted and approved. That vetting process should include careful scrutiny of software licenses and terms of use and, if necessary, conversations with the app developers to ascertain (i) the scope of user data they seek to collect and use, and (ii) what measures they offer (if any) for users or licensees to manage that collection and usage.
• Carefully negotiate agreements and licenses. Be sure your agreements with service providers, device manufacturers, and app developers do not try to force you to agree to standardized one-size-fits-all license terms or terms of use. If you are purchasing goods, services, or apps in bulk, use your leverage as a large customer to insist on full disclosure of the types of user information the provider (or third parties) collect, how they use it, and with whom they share it. Affirmatively disclaim any click-through or shrink-wrap license terms in your agreements with providers; insist on a signed written agreement before you agree to be bound to any terms of use.

Taking these protective actions is an excellent starting point, but adopting policies means nothing without implementing them in practice. Regularly check in with your employees and IT professionals to ensure that they’re adhering to your requirements and best practices. There is too much for your enterprise and your employees to lose if you permit third parties to vacuum up information about them, their communications, and their daily habits and share that information with others, including those who may want to assert a claim against your business.