The federal probe aims to discover if any apps built for iOS, Android, or other smartphones are illegally collecting or transmitting personally identifying information, such as the phone’s unique device identifier (UDID), to app makers or third parties without consent from end users. Gathering information that can be used to personally identify an individual without adequately disclosing what data will be collected and how it will be used could violate the Computer Fraud and Abuse Act
designed to prosecute hackers.
The investigation, which could continue for months, appears to be in a preliminary phase. In a document filed with the Securities and Exchange Commission on Monday, the online music service Pandora
revealed it had been “served with a subpoena to produce documents in connection with a federal grand jury, which we believe was convened to investigate the information sharing processes of certain popular applications that run on the Apple and Android mobile platforms.” The Oakland, CA, company added that it’s “not a specific target of the investigation” and believes the subpoenas were issued “on an industry-wide basis to the publishers of numerous other smartphone applications.”
“They’re just doing information-gathering to get a better understanding,” Anthony Campiti, creator of Pumpkin Maker
, told The Journal after receiving a subpoena. “We’re not doing anything wrong and neither is anyone else doing anything wrong.”
It’s unusual for companies to face prosecution for privacy violations, legal experts told The Journal. Although, some think this investigation could lead to criminal charges for numerous companies. “This is a big hammer if the government chooses to use it,” Orin S. Kerr, a law professor at George Washington University, told The Journal.
The Wall Street Journal appears to have prompted the federal grand-jury investigation with an article it published last December. For the article, the publication tested 101 apps and found that 56 of them sent the phone’s UDID to the app developer or a third party without notifying the user. CNET observes
the UDID “can be used by third parties to know which apps you download, how frequently you use those apps, and for how long.” And a recent lawsuit alleges the UDID data can be combined to determine a person’s gender, location, income, ethnicity, sexual orientation, and political views — all without the user’s knowledge or consent.
Even if the investigation doesn’t lead to any charges, it should raise awareness of the new privacy issues affecting the smart devices we keep in our pockets. Hopefully, the probe will, at minimum, motivate Apple, Google, other smartphone makers, and app developers to re-focus their efforts on protecting customers’ personal data.