Mobile privacy policy becoming a truly big deal

Now comes yet another reason to respect the heck out of your privacy policy: The U.S. Supreme Court is considering making it a determining factor for whether your customers have an expectation of privacy.

Legislation of privacy security keyboard law legal gavel court ruling
Pixabay

A company's mobile privacy policy is becoming a really big deal. We already knew that privacy policies are a nice piece of low-hanging fruit for Federal Trade Commission (FTC) investigators to examine, to see whether a company is living up to its own promises — as Snapchat learned the hard way. And the European Union's GDPR requirements — which will kick into effect globally in May — also focus on privacy policies, since they are typically a GDPR regulator's first stop. You remember GDPR? That's the one that can fine your company as much as 4% of annual revenue.

Now comes yet another reason to respect the heck out of your privacy policy: The U.S. Supreme Court is considering making it a determining factor for whether your customers have an expectation of privacy. In short, what you must protect and/or turn over to law enforcement or a shareholder pushing a lawsuit could well be partly determined by how you phrase things in your privacy policy. (I'll pause while you look up your current version and freak out.)

The Supreme Court matter cropped up on Nov. 29 during oral arguments before the full court. The case, Carpenter v. U.S., involved law enforcement tracking — without a search warrant — 127 days' worth of mobile phone location information of a U.S. citizen accused in a series of armed robberies of RadioShack and T-Mobile stores in Michigan and Ohio. Just for the irony of it, the only items stolen were mobile phones.

This column has looked at this case before, but the oral arguments shed a lot of light on the thinking of the Court's current justices. Some of the questions from Justice Samuel Alito explored whether mobile phone geolocation details should be considered more sensitive — more worthy of constitutionally derived privacy protections — than other kinds of information that today also do not require search warrants, such as bank data.

"Why is it more sensitive? Why is cell site location information more sensitive than bank records, which, particularly today, when a lot of people don't use cash much, if at all, a bank record will disclose purchases?" Alito asked defense attorney Nathan Wessler. "It will not only disclose everything that the person buys, it will not only disclose locations, but it will disclose things that can be very sensitive."

Replied Wessler: "I absolutely agree, Justice Alito, that the information in bank records can be quite sensitive, but what it cannot do is chart a minute-by-minute account of a person's locations and movements and associations over a long period regardless of what the person is doing at any given moment."

That prompted Justice Anthony Kennedy to ask again why phone records are more sensitive than financial records. "Particularly because the information in the bank records that Justice Alito referred to are not publicly known. Your whereabouts are publicly known. People can see you. Surveillance officers can follow you. It seems to me that [phone location records are] much less private than" bank records, Kennedy said.

Wessler countered: "When a person is engaged in a financial transaction, passing a check, a negotiable instrument, that's an interpersonal transaction where a person has full knowledge that they are putting something into the stream of commerce to transfer funds directed at their bank. Although we may, when we step outside, have a reasonable expectation that someone may see where we go in a short period, nobody has expected in a free society that our longer-term locations will be aggregated and tracked in the way that they can be here," with phone geolocation data.

Justice Sonia Sotomayor later asked about the long-term privacy implications of mobile device tracking. "Because right now we're only talking about the cell sites records, but as I understand it, a cell phone can be pinged in your bedroom. It can be pinged at your doctor's office. It can ping you in the most intimate details of your life. Presumably at some point even in a dressing room as you're undressing," Sotomayor said. "So I am not beyond the belief that someday a provider could turn on my cell phone and listen to my conversations."

And then Alito brought up a point that should awaken privacy officers everywhere. In discussing a citizen's expectations of privacy, he wondered how much weight to give what companies directly tell their customers. "The contract, the standard MetroPCS contract seems to say — and I guess we don't have the actual contract in the record here — does seem to say, to advise the customer that we can disclose this information to the government if we get a court order," Alito said. "So I don't know whether that will hold up. And even if it were to hold up today, what will happen in the future if people — everybody begins to realize that this is provided? If you have enough police TV shows where this is shown, then everybody will know about it, just like they know about CSI information."

Wessler responded by first pointing to a survey "that I think quite strongly shows that a strong majority of Americans do not understand that this information is even accessible to, much less retained by, the service providers. I think I should caution the Court that relying too heavily on those contractual documents in either direction here would, to paraphrase the Court in Smith, threaten to make a crazy quilt of the Fourth Amendment because we may end up hinging constitutional protections on the happenstance of companies' policies. But those contractual documents to a company restate and contractualize the protections of the Telecommunications Act and quite strongly promise people that their information will remain private without consent."

Let's be clear here who is potentially impacted. Although this specific argument relates to mobile carriers — since they hold the initial geolocation data — the implications extend to any company with mobile geolocation data. That includes payment companies and retailers that use geolocation to authenticate purchasers. For that matter, retailers and related businesses collect geolocation data that has nothing to do with authentication, such as determining in which aisle in a store a customer is standing.

And once the door is opened, there's no reason to believe it will be limited to geolocation data. This could open government/law enforcement access — without a warrant — to all manner of mobile data. What if a suspect is known to use a specific retailer or even to read a specific online media outlet? (Computerworld perhaps? Nah, who reads that anymore?) Could those businesses have to release those records to law enforcement without a warrant?

This brings us back to your privacy policy. Whether you do it for FTC reasons, GDPR reasons or mobile data access reasons, your privacy policy can determine a lot about how your company will be treated. If you don't want to have to share sensitive mobile records, stress in plain language that it's your policy that you won't. Publicize that policy every way you can, to do what you can to make it clear that your customers have a right to expect privacy on mobile data.

That alone may not prevent you from having to reveal that data, but the justices are making it clear that it's a good first step.

Related:
How to protect Windows 10 PCs from ransomware
Shop Tech Products at Amazon