The Good:
The first thing to celebrate in this bill is the definition of monitoring software:
MONITORING SOFTWARE. The term ‘‘monitoring software’’ means software that has the capability automatically to monitor the usage of a mobile telephone or the location of the user and to transmit the information collected to another device or system, whether or not such capability is the primary function of the software or the purpose for which the software is marketed.
This definition covers both usage of the phone and location, and it contains the key phrase "whether or not such capability is the primary function". This language is valuable in protecting privacy because it leaves very little wiggle room when defining "monitoring software".
The policy is also extensive; it covers every entity I could think of in the mobile phone ecosystem including:
- Businesses selling phones to consumers
- Service providers both when the customer is first signing a contract and after a contract is signed - no sneaky downloads or "upgrades"
- Manufacturers of phones and phone operating systems
- Any person or company that operates a website or other service that allows users to download monitoring software - app developers on services like iTunes and Android Market would be covered here.
The policy also requires information security practices to be in place to protect these sensitive data. The requirements include an information security policy, a named individual responsible for security, a vulnerability management program, and a record destruction program.
Enforcement will be the responsibility of the FTC, and it has teeth; the FTC can require a change, impose a $10,000 per day fine for non-compliance, and impose an injunction.
The Bad and the Ugly:
This could easily become an addition to the click-wrap agreements we all already ignore. Rather than imposing limitations on the collection of data, this bill allows companies to collect whatever they want, even if they aren't using it. Simply add another section to your 500 page click through agreement and you are covered. In all fairness, a few geeks, like myself, will read the thing and report back to the rest of the world, but what choice does this leave us? If you want the software, you will agree to the collection of data - even if those data have nothing to do with providing the service.
The last, biggest, and most intractable problem: third party disclosures aren't mentioned at all. If we impose a law that makes it slightly more difficult to collect personal information, we are effectively increasing the market value of that information. Making consumers aware of the collection of these data is a great first step. If the collecting companies can then sell or share those data with third parties, our ability to control our personal information is exponentially diminished.
A clause that requires companies deploying monitoring software not to disclose or sell it to any other company would be a revolutionary shift in U.S. technology policy and our IT economy, but I had to bring it up.
Image courtesy: http://www.flickr.com/photos/garryknight/
Article first published as "Mobile Device Privacy Act: The Good, the Bad, and the Ugly" on Technorati.