Mobile Device Location Data:
Additional Federal Actions Could Help Protect Consumer Privacy
GAO-12-903: Published: Sep 11, 2012. Publicly Released: Oct 11, 2012.
Audio interview by GAO staff with Mark Goldstein, Director, Physical Infrastructure
What GAO Found
Using several methods of varying precision, mobile industry companies collect location data and use or share that data to provide users with location-based services, offer improved services, and increase revenue through targeted advertising. Location-based services provide consumers access to applications such as real-time navigation aids, access to free or reduced-cost mobile applications, and faster response from emergency services, among other potential benefits. However, the collection and sharing of location data also pose privacy risks. Specifically, privacy advocates said that consumers: (1) are generally unaware of how their location data are shared with and used by third parties; (2) could be subject to increased surveillance when location data are shared with law enforcement; and (3) could be at higher risk of identity theft or threats to personal safety when companies retain location data for long periods or share data with third parties that do not adequately protect them.
Industry associations and privacy advocates have developed recommended practices for companies to protect consumers' privacy while using mobile location data, but companies have not consistently implemented such practices. Recommended practices include clearly disclosing to consumers that a company is collecting location data and how it will use them, as well as identifying third parties that companies share location data with and the reasons for doing so. Companies GAO examined disclosed in their privacy policies that the companies were collecting consumers' location data, but did not clearly state how the companies were using these data or what third parties they may share them with. For example, some companies' policies stated they collected location data and listed uses for personal information, but did not state clearly whether companies considered location to be personal information. Furthermore, although policies stated that companies shared location data with third parties, they were sometimes vague about which types of companies these were and why they were sharing the data. Lacking clear information, consumers faced with making a decision about whether to allow companies to collect, use, and share data on their location would be unable to effectively judge whether the uses of their location data might violate their privacy.
Federal agencies have held educational outreach events, developed reports with recommendations aimed at protecting consumer privacy, and developed some guidance on certain aspects of mobile privacy. The Department of Commerce's National Telecommunications and Information Administration (NTIA) is implementing an administration-proposed effort to bring industry, advocacy, and government stakeholders together to develop codes of conduct for industry to address Internet consumer privacy issues generally. However, NTIA has not set specific goals, milestones, and performance measures for this effort. Consequently, it is unclear if or when the process would address mobile location privacy. Furthermore, the Federal Trade Commission (FTC) could enforce adherence to the codes if companies adopted them, but since adoption is voluntary, there is no guarantee companies would adopt the resulting codes. While FTC has issued some guidance to address mobile location privacy issues, it has not issued comprehensive guidance that could inform companies of the Commission's views on the appropriate actions companies should take to protect consumers' mobile location data privacy.
Why GAO Did This Study
Smartphones can provide services based on consumers' location, raising potential privacy risks if companies use or share location data without consumers' knowledge. FTC enforces prohibitions against unfair and deceptive practices, and NTIA sets national telecommunications policy. GAO was asked to examine this issue. GAO reviewed (1) how mobile industry companies collect location data, why they share these data, and how this affects consumers; (2) actions private sector entities have taken to protect consumers' privacy and ensure security of location data; and (3) actions federal agencies have taken to protect consumer privacy and what additional federal efforts, if any, are needed. GAO analyzed policies and interviewed representatives of mobile industry companies, reviewed documents and interviewed officials from federal agencies, and interviewed representatives from industry associations and privacy advocates.
What GAO Recommends
GAO recommends that NTIA work with stakeholders to outline specific goals, milestones, and performance measures for its process to develop industry codes of conduct and that FTC consider issuing guidance on mobile companies' appropriate actions to protect location data privacy. Because the agencies had concerns about certain aspects of GAO's draft recommendations, GAO revised them by including that NTIA should work with stakeholders in the process to develop industry codes and removing from the draft FTC recommendation that the guidance should include how FTC will enforce the prohibition against unfair practices.
Recommendations for Executive Action
Status: Closed - Not Implemented
Comments: In its December 2012 response, the Department of Commerce states that it disagrees with the recommendation. The letter states it is the role of stakeholders, not the Department of Commerce's National Telecommunications and Information Administration (NTIA), to develop goals, time frames and performance measures for the multistakeholder process. However, the letter states that stakeholders have made progress to develop their own goals, time frames and performance measures for their efforts to create a code of conduct for mobile application transparency.
Recommendation: To address privacy risks associated with the use and sharing of mobile location data, the Secretary of Commerce should direct NTIA, in consultation with stakeholders in the multistakeholder process, to develop specific goals, time frames, and performance measures for the multistakeholder process to create industry codes of conduct.
Agency Affected: Department of Commerce
Status: Closed - Implemented
Comments: Smartphones combine the telecommunications functions of a mobile phone with the processing power of a computer, creating an Internet-connected mobile device capable of running a variety of software applications for productivity or leisure. As of June 2012, smartphones accounted for just over half of all mobile phones in the United States, up from less than one-quarter in early 2010. Smartphones use increasingly precise information about a user's current location determined by Global Positioning System and other methods. This functionality allows mobile industry companies to offer a diverse array of services that make use of location information, such as services providing navigation, the ability to keep track of family members, local weather forecasts, and the ability to identify and locate nearby businesses. These location-based services provide many benefits to consumers. However, in providing such services, smartphones and the companies that support their functions are able to collect and retain precise data about users' locations. Concerns have been raised about how mobile industry companies that provide or enable location-based services use and share consumers' location data, raising the potential that consumers' privacy could be violated if their location data are used in ways they did not intend or authorize. In a 2012 report, we found that by allowing companies to access their location data, users expose themselves to privacy risks. These risks include, but are not limited to, disclosure to unknown third parties for unspecified uses, consumer tracking, identity theft, threats to physical safety, and surveillance. Industry associations and privacy advocates have developed recommended practices for companies to protect consumers' privacy while using mobile location data. However, we found that companies have not consistently implemented such practices.
Further, we found that the Federal Trade Commission (FTC) had not issued comprehensive industry guidance establishing its views on the appropriate actions that mobile companies should take to protect consumers' mobile location data privacy. Therefore, to protect consumer privacy, we recommended that FTC consider issuing industry guidance that established the Commission's views of the appropriate actions by mobile companies with regard to protecting mobile location data privacy. In February 2013, FTC issued a staff report on mobile privacy disclosures; the report provided guidance for mobile companies to consider with respect to disclosing their information collection and use practices. In particular, the report set forth best practice recommendations for platforms, application developers, advertising networks and other third parties, and trade associations and other experts and researchers. For example, FTC recommended that platforms provide just-in-time disclosure to consumers and obtain their affirmative express consent before allowing applications to access sensitive content like geolocation. By providing clearer expectations for how industry should address location privacy, FTC helps assure that consumers' privacy risks will be sufficiently mitigated.
Recommendation: To further protect consumer privacy, the Chairman of FTC should consider issuing industry guidance that establishes FTC's views of the appropriate actions by mobile companies with regard to protecting mobile location data privacy. In developing the guidance, FTC could consider inputs such as industry codes developed through the NTIA multistakeholder process, recommended practices from industry and privacy advocates, and practices implemented by mobile industry companies.
Agency Affected: Federal Trade Commission