Fact Sheet 2b:
Privacy in the Age of the Smartphone



Copyright © 2005-2010
Privacy Rights Clearinghouse / UCAN
Posted August 2005
Revised November 2009

  1. Introduction
  2. Who can access my cell phone records and information?
  3. What are the limits on advertising?
  4. Is there a wireless 411 directory?
  5. Can my location be tracked using my cell phone?
  6. How do I protect my smartphone?
  7. How can I be sure my personal information is deleted when I sell, donate, or trash my old phone?
  8. What is expected in the future?
  9. Resources
  1. Introduction

    In 1995, cell phones were a luxury only 11 percent of the population enjoyed. As of December 2008, 84 percent of people in the United States used a cell phone. www.ctia.org/consumer_info/index.cfm/AID/10323. Increasingly, individuals are replacing their traditional phones with cell phones.

    The number of U.S. households opting for only cell phones has for the first time surpassed those that just have traditional landlines. Twenty percent of households had only cell phones during the last half of 2008, according to a Centers for Disease Control and Prevention survey released in May 2009. The 20 percent of homes with only cell phones compared with 17 percent with landlines but no cell phones. www.cdc.gov/nchs/data/nhis/earlyrelease/wireless200905.pdf

    The sophistication of cell phone technology is increasing at a rapid pace. It is important to consider how this technology impacts your privacy when you purchase and use your cell phone. Below are some common questions that you may have about your cell phone.

  2. Who can access my cell phone records and information?

    A lively debate is taking place in courts and police stations around the country concerning the amount of privacy people can reasonably expect from the use of their cell phone. The criteria for access by law enforcement vary among jurisdictions.

    Some courts have allowed police to search a suspect’s phone without a search warrant, holding that a person does not have a reasonable expectation of privacy in the phone directory of his cell phone. In contrast, other courts held that it was an invasion of privacy for a wireless company to disclose the content of text messages a police officer sent to coworkers without the officer’s consent. http://www.ca9.uscourts.gov/datastore/opinions/2009/02/06/0755282o.pdf Other courts require the government to obtain a warrant establishing probable cause of criminal activity before a wireless carrier is permitted to turn over phone records.

    While this debate continues, it is safe to assume that your phone records may be accessed by law enforcement or the court system under some circumstances. Updates on current court decisions concerning cell phone tracking can be found at the web site of the Electronic Frontier Foundation, www.eff.org/issues/cell-tracking.

  3. What are the limits on advertising?

    In response to consumer watchdog groups’ complaints, the Federal Trade Commission (FTC) investigated advertisers’ behavioral targeting campaigns and whether the industry’s self-regulation approach has been effective. The FTC established a set of four principles, which are currently non-binding on the industry. But that may change if the industry does not respond. The principles cover mobile advertising and situations where data is collected for behavioral targeting. www.ftc.gov/os/2009/02/P085400behavadreport.pdf

    The four principles are:

    • Transparency and consumer control: Every website that uses behavioral targeting should clearly and concisely spell out what they’re doing. The FTC recommends that users be given a simple method to opt out of the site’s targeting tools.
    • Reasonable security, and limited data retention, for consumer data: Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
    • Affirmative express consent for material changes to existing privacy promises: In other words, a company must keep the promises it makes to consumers when it comes to protecting their data. If the company is bought or merges with another company, those pledges still hold, unless consumers agree to the changes. If the company revises its policies on privacy, it must receive users’ consent before implementing the new rules.
    • Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising: If companies want to collect “sensitive” personal data, they must get users’ permission before, not after, they start collecting.

    Advertisers are increasingly developing ways of sending advertisements based on your location and interests you have expressed through the use of your phone. For example, if you are near a movie theater, an advertiser might send a text message or email with coupons for a nearby restaurant. Or if you download the ring tone for a popular song, you might soon receive a message offering concert tickets. The scope of this type of advertising is unknown at this time. Privacy advocates believe that “opt-in” is the appropriate consent mechanism for mobile advertising.

    The legal standards of privacy for use of your location data are inconsistent, depending upon who is holding the data. Telecommunications carriers generally may not disclose your location data without a consumer’s opt-in. Other entities with access to your location information may not be subject to that standard.

    In a 2009 FTC complaint, the Center for Digital Democracy and US Public Interest Research Group asked for an investigation into a number of practices involving tracking and targeting, including location-based advertising. A copy of the complaint is available at www.democraticmedia.org/current_projects/privacy/analysis/mobile_marketing.

  4. Is there a wireless 411 directory?

    There has been much confusion about the answer to this question. The confusion arises from recent discussions in the wireless phone industry about establishing a wireless 411 phone directory, much like the traditional (wired) 411 phone directory. A number of e-mail campaigns suggest that if your wireless telephone number is listed in a wireless 411 directory, it will be available to telemarketers, and that you will start to receive telemarketing calls. In addition, some of these e-mails suggest that there is a separate do-not-call “cell phone registry,” which you must call to have your wireless phone number covered by the do-not-call rules. This information is incorrect.

    Currently, there is not a comprehensive wireless 411 directory. A wireless 411 directory is only in the idea stage. Even if a wireless 411 directory were established, most telemarketing calls to wireless phones would still be illegal. For example, it is unlawful for any person to make any call (other than a call made for emergency purposes or made with express prior consent) using any automatic telephone dialing system or any artificial or prerecorded voice message to any telephone number assigned to a paging service, mobile telephone service, or any service for which the called party is charged for the call. This prohibition applies regardless of whether the number is listed on the national Do-Not-Call list. www.fcc.gov/cgb/consumerfacts/tcpa.html (scroll to “Automatic Telephone Dialing Systems and Artificial or Prerecorded Voice Calls”).

    A company called Qsent (owned by the credit bureau TransUnion) was hired by the major cell phone companies to produce a wireless 411 directory. Nothing has come of this plan. Any wireless 411 directory is likely to operate on an “opt-in” basis. That is to say, only customers who choose to be included would be listed in the directory.

    Since most telemarketers use auto-dialers to place their calls, the likelihood of a telemarketer calling your cell phone is reduced, even if your cell number were listed in a directory. However, because not all calls are eliminated, it is a good idea to add your cell phone number to the National Do-Not-Call Registry either online at www.donotcall.gov or by calling toll-free at (888)-382-1222 from the telephone number you wish to register.

    Please note that there is not a separate Do-Not-Call Registry for cell phones. The current Do-Not-Call Registry covers both traditional (wired) and wireless (cell) phones. Registrations become effective within 31 days of signing up.

  5. Can my location be tracked using my cell phone?

    Increasingly, the answer is yes. In the past, your general location could be verified by looking at your phone records to determine which tower was used to connect your call. Now, your location can often be pinpointed in real time if your phone is turned on.

    Location tracking is not just a single technology. It actually combines several technologies. Three basic techniques can be used to determine the location of a cell phone or other similar device:

    • GPS compares the timing of radio signals from satellites in space.
    • Triangulation collects directional signals from cell phone towers.
    • Wi-Fi local area networks track high-frequency radio signals from transmitters.

    It is likely that the trend of including location-tracking components will continue as cell phone manufacturers comply with the Federal Communications Commission (FCC) Enhanced 911 (E911) rule. The FCC's E911 initiative requires cell phone carriers to be able to pinpoint their customers' locations within 100 meters, so emergency responders can reach them in a crisis.

    Although the impetus behind location-based tracking was public safety, many companies are exploring commercial opportunities as well. Several companies now offer non-emergency tracking for a monthly fee (about $15-25).

    One of the newest commercial forms of non-emergency tracking is aimed at parents who want to know the location of their children. These services enable parents to monitor their child's location by tracking their cell phone. A parent is able to locate their child by accessing a web site that monitors where they are. In addition to tracking the location, these monitoring services can send text messages to children who travel too far from parent-approved locations. Text messages may also be used to alert parents if a stranger or hacker attempts to use the service to locate their child.

    For example, Verizon offers a service for a monthly fee called Chaperone. The service displays the child’s location on a map and also allows parents to set up geographical boundaries around such locations as school, home or soccer practice. When the child carrying the phone arrives at or leaves the Child Zone, the parent can be notified via text message. The child’s phone lights up and says “locating” once the parent searches for the child. http://products.vzw.com/index.aspx?id=fnd_chaperone (no endorsement implied)

    Cell phone applications (apps) like Loopt and Google Latitude allow friends to track each other’s location. The applications allow the user to specify who can track the user’s location. Google allows users to limit the tracking to a city-level location only. Both Google and Loopt say they do not store historical locations, only your last location. Users of location tracking services should be aware that current privacy protections can be changed by the providers at any time. These are company policies, not legal requirements.

    As a general matter, tracking by GPS can be limited in two ways. Its use can sometimes be limited when the cell phone user is indoors. In addition, many GPS-equipped phones have two settings: 911-only or location-on. You should examine your phone and select the appropriate setting for your personal needs. If you utilize a tracking service or GPS directions and maps, be aware that your travel history and location may be provided to law enforcement, as part of litigation, or utilized by advertisers.

    Also, be aware that if you are using a phone or vehicle provided by your employer, under the current law your employer can use GPS to monitor you during work hours. For more information on employer monitoring see our Fact Sheet 7 available at www.privacyrights.org/fs/fs7-work.htm.

    For an in-depth discussion of locational privacy, read the Electronic Frontier Foundation's Whitepaper: On Locational Privacy, and How to Avoid Losing It Forever.

  6. How do I protect my smartphone?

    Many large and small businesses provide their employees with phones, such as BlackBerries or other PDA/phone models that serve more than one function. These "smartphones" function as wireless hand-held computers with small keyboards that can send and receive e-mail, browse the Internet, and make phone calls. If you own or use a phone that handles more data than your average phone contact list, there are extra precautions you need to take to protect your personal data.

    First, if your boss provides your smartphone, you should be aware of the possibility of monitoring. For more information see our Fact Sheet 7 on workplace monitoring available at www.privacyrights.org/fs/fs7-work.htm.

    The second precaution to keep in mind is that when you synchronize your cell phone with your computer, you are putting both devices at risk for viruses. Take the same precautions that you would with personal computer use: Do not open unfamiliar attachments or files on your phone because they are likely to be harmful. Currently, cell phone viruses are designed in such a way that they can only infect your phone if you click "yes" to a request to install a document or application, such as games, pictures, songs, or ringtones. You should only download documents or applications from trusted sources.

    An additional threat to mobile devices takes the form of malware that appears as a digitally signed legitimate application. It may steal the user's subscriber, phone, and network information, and connect to a Web site in order to pass on the information.

    The best way to protect yourself is to be familiar with the features of your phone and the built-in security components. For instance, many phones now come equipped with Bluetooth, a feature that allows your phone to swap information with other wireless devices that are within a short distance (30 feet on average). If your phone has Bluetooth technology, one option would be to disable the function until it is needed.

    Another concern is the loss or theft of your phone. To prevent a stranger from downloading programs to your cell phone or accessing confidential information without your permission, consider locking your phone when you are not using it or creating a password for phone access. Another option is installing software that allows you to remotely lock the phone or erase the data if the phone is stolen or lost. Some phone carriers may also offer remote access that will either lock the phone or erase the data. If you do not have the capability yourself to remotely access your phone, contact your carrier if you are concerned about lost data.

  7. How can I be sure my personal information is deleted when I sell, donate, or trash my old phone?

    Many users of cell phones may choose to donate, sell, or trash their old phones when they are replaced with newer models. A 2008 study revealed that almost half of donated smartphones in the 160-phone sample contained sensitive information. The information revealed the prior owner of the phone and/or the owner’s employer. http://news.glam.ac.uk/news/en/2008/sep/26/one-five-second-hand-mobiles-contain-sensitive-dat/

    The study found that over 20% of donated traditional cell phones contained identifying information. Be aware that your personal information needs to be "permanently" or "safely" deleted. In other words, on most cell phones the process for deleting your information is more complicated than simply selecting a delete function. Similar to computers, choosing to delete information simply creates new space but the data is retained until enough new information is added to write over the old information.

    To permanently delete your information, follow the instructions in your manual, call the manufacturer, or consult your employer's information technology department. The web site Recellular provides a handy deletion guide for most cellular phone models: www.recellular.com/recycling/data_eraser/default.asp. For more information see our alert at www.privacyrights.org/ar/CellDelete.htm.

  8. What is expected in the future?

    Web applications

    The only limit to what a phone can do these days is from our own imaginations. It is now commonplace to use one’s cell phone for e-mail. But there are many more applications on mobile phones than text messaging and e-mail. One author even thumb-typed a sci-fi novel onto his Nokia phone during his train ride to work.

    As of April 2009, there are over 250,000 web applications for the iPhone and some Blackberry devices. Web applications are created by third parties. They vary from trivial to extraordinary. For example, a Philadelphia cardiologist created an application that analyzes blood gas levels.

    Debt collection

    Debt collectors are now expanding their collection strategies to include contacting you with text messages to your cell phone. See, for example, www.golivesms.com.

    A consumer filed a lawsuit alleging that a car loan company harassed her by sending threatening text messages in an effort to repossess a car for which she was behind on payments. Read the complaint at www.courthousenews.com/2009/04/28/AutoWebSiteCollect.pdf

    The FTC has issued a report urging that the Fair Debt Collection Practices Act be modernized and reformed to reflect changes in consumer debt, the debt collection industry, and technology. Recognizing that the law generally should allow debt collectors broad use of communication technology to contact consumers, the report recommends that the law prevent consumers from incurring charges for these contacts or otherwise being subject to unfair, deceptive, or abusive acts and practices. The report recommendations include:

    • Prohibiting collectors from contacting consumers via their mobile phones, including by text messaging, without prior express consent; and
    • Requiring collectors who use new payment technologies to obtain express verifiable authorization from consumers before accessing their accounts.

    More information is available at www.ftc.gov/opa/2009/02/fdcpa.shtm

    Telemarketing scams

    Although it is illegal for telemarketers to use auto-dialers to call your cell phone, there has been an increase in the number of telemarketing scams targeted at cell phone users. One of the most popular is a call regarding your car’s warranty. This type of scam can easily be recognized as a scam because the caller often does not know any details about the car you may own. If you receive a telemarketing call to your cell phone, be aware that it may be a scam because legitimate telemarketers know that using auto-dialers to call cell phones is illegal. If you receive one of these calls you may file a complaint with the FCC. http://esupport.fcc.gov/complaints.htm

    The FTC is asking a federal court to shut down the unlawful car warranty telemarketing scam. In two related complaints filed in federal court, the FTC took action against both the promoter of the phony extended auto warranties, as well as the telemarketing company that it hired to carry out its illegal campaign. The complaints charge that the defendants’ deceptive practices violate the FTC Act, and that the defendants also have violated the FTC’s Telemarketing Sales Rule by calling consumers whose numbers were on the National Do Not Call Registry.

    The complaints further charge that the defendants violate the TSR by calling consumers who previously had asked not to be called; by concealing their phone numbers so they would not show up on caller ID, a practice known as “spoofing”; by failing to identify themselves to the consumers they called; and by failing to disclose that the call was a sales pitch. www.ftc.gov/opa/2009/05/robocalls.shtm

    Law enforcement and mass alerts


    Local and federal governments are exploring using text messages as a new method for mass communication. After a successful pilot program, AMBER alerts (America's Missing: Broadcast Emergency Response) are now available as text messages. The smaller carriers are expected to be incorporated in the future. The carriers who are participating in the Wireless AMBER Alerts Initiative have entered into an agreement with the National Center for Missing & Exploited Children that requires them to provide these alerts at no additional cost to consumers.

    If you want to receive text message AMBER alerts, you must opt-in to the program at https://www.wirelessamberalerts.org/index.jsp.

    The FCC has also established the Commercial Mobile Alert System. The system allows participating carriers to send emergency text messages to subscribers. Emergency alerts will be classified in one of three categories:

    • Presidential Alerts - Alerts for all Americans related to national emergencies, such as terrorist attacks, that will preempt any other pending alerts;
    • Imminent Threat Alerts - Alerts with information on emergencies, such as hurricanes or tornadoes, where life or property is at risk, the event is likely to occur, and some responsive action should be taken; and
    • Child Abduction Emergency/AMBER Alerts - Alerts related to missing or endangered children due to an abduction or runaway situation.

    More information is available at: www.fcc.gov/cgb/consumerfacts/cmas.html.

  9. Resources


Note:
Some commercial products and features are named in this guide. No endorsements are implied.

Acknowledgement: We acknowledge the assistance of attorney Leslie Flint in the research and writing of this guide.

 

 

Copyright © Privacy Rights Clearinghouse/UCAN. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.