The report - requested by Sen. Al Franken, the Minnesota Democrat who chairs the Senate Judiciary Subcommittee on Privacy, Technology and the Law and published Oct. 11 - points out that mobile industry associations and privacy advocacy groups have proposed voluntary practices to protect consumers' privacy while making use of customers' personal information in these location services. But mobile companies examined by GAO, the investigative arm of Congress, have been inconsistent in implementing these practices.
- See Best Practices Guidelines at End of this Article
"In particular," the GAO says, "the lack of clear disclosures to consumers about how their location data are used and shared means that consumers lack adequate information to provide informed consent about the use of these data. Consumers are therefore unable to adequately judge whether the companies with which their data are shared are putting their privacy at risk."
GAO says a key federal effort to address these privacy risks is the National Telecommunications and Information Administration's planned multi-stakeholder process, which seeks to develop industry codes of conduct. But GAO says NTIA, the Commerce Department unit that advises the president on telecommunications and information policy issues, has yet to set performance goals, milestones or deliverables, meaning it's unclear if this process will address the risks to privacy associated with the use and sharing of mobile location data.
While NTIA recommended that the Federal Trade Commission should be given the authority to enforce any industry codes of conduct that are developed from the multi-stakeholder process; the current process relies on the industry's voluntary compliance with resulting codes of conduct before the FTC could enforce the provisions, according to the congressional investigators.Story continues after graphic.
Regardless of what results from the multi-stakeholder process, GAO says, the FTC has authority to take action against companies that engage in unfair and deceptive practices. However, the FTC has yet to issue comprehensive industry guidance establishing its views on the appropriate actions that mobile companies should take to protect consumers' mobile location data privacy. "Without clearer expectations for how industry should address location privacy, consumers lack assurance that the aforementioned privacy risks will be sufficiently mitigated," the GAO report says.
GAO recommends that NTIA work with stakeholders to outline specific goals, milestones and performance measures for its process to develop industry codes of conduct and that the FTC consider issuing guidance on mobile companies' appropriate actions to protect location data privacy.
To prepare the report, GAO auditors examined mobile carriers AT&T, Sprint-Nextel, T-Mobile and Verizon; operating system developers Apple, HTC, Motorola, Research in Motion and Samsung; and application developers Facebook Google, Pandora, Angry Birds creator Rovio Entertainment and Yahoo.
In June 2011, Franken introduced the Location Privacy Protection Act, which would prohibit businesses offering services based on location to disclose to non-governmental entities a mobile device users' locations without their consent.