APF urges criminal penalties for smartphone privacy breaches
Smartphone vendors should face criminal penalties if they fail to adequately protect personal data, according to Australia's privacy watchdog. The call comes in the wake of recent revelations that Apple's iPhones and iPads log location data, and of the Sony PlayStation Network data breach.
"We've been laying off these organisations, permitting them to 'self-regulate', ha ha. It is simply inadequate," said the chair of the Australian Privacy Foundation, professor Roger Clarke. "The law has to get to grips with detail now. It's got to be technology-specific, and it's got to create teeth. We've got to have criminal offences for organisations that are insecure, or that don't provide appropriately structured consent mechanisms."
A much-delayed review of Australia's privacy laws, which began in 2008, covers issues relating to new technology. Draft legislation is currently being reviewed by the Senate, with a report due 1 July. However, criminal sanctions are not being considered.
The Senate has also conducted an inquiry into the protection of privacy online. Its report, published on 7 April, recommends that all Australian organisations that transfer personal information offshore be made fully accountable for protecting it, but it also stops short of recommending criminal sanctions. The government has another two months remaining to respond to that report.
"Legislators have got to get their acts together," Clarke said.
Speaking on this week's Patch Monday podcast, Clarke also called for Apple to "come clean and tell us what they actually do" and provide a more granular way of giving consent for location data to be used.
"It appears that by switching on any location-dependent feature in any piece of software, you've automatically granted access to the organisation for all purposes. That's ridiculous," he said. "You've got to be able to turn on features one at a time. Some will be more desirable that others, some will create risks of a different kind, so you have to have granular consent."
Granular consent mechanisms would offer a set of permissions for users to consent to, either tiered or a flat list.
"Each of these organisations — Apple, Google in respect of Android, Microsoft in respect of [Windows] Phone 7 — the whole lot of them need to get that sorted out," Clarke said.
Clarke is currently conducting a study into the terms of service offered to consumers. Most give the service provider "enormous" scope for using personal data.
"The limitations are normally expressed nicely and vaguely, clearly written by a lawyer, and on careful examination the limitations are quite limited. That is to say, they can do almost anything with it," he said.
Typically, the use of personal data isn't restricted to providing a subcontractor with the specific data that they need to do their job, something that Clarke believes most people would be comfortable with. Instead, the use of personal data is authorised for wide-ranging purposes, typically "for the purposes of delivering the service".
"I can argue that 'for the purposes of delivering the service' means that I need all the data from all of my customers, I need to keep it all so that I can analyse it and data mine it, and therefore there's effectively no limitation there because I can use sub-contractors for data mining. It's enormous scope these organisations give themselves," Clarke said.