The nation's four largest wireless carriers say they obtain customer permission before using a subscriber's physical location to provide driving directions, family-finder applications and other location-based services, and before sharing a subscriber's location with any outside mobile apps that provide such services.
But in letters to Congress released Thursday, the wireless companies also say they have no power to require device makers like Apple or independent developers of location-based apps to get similar user consent if these apps don't rely on the carriers themselves to track a user's whereabouts.
"While new third-party applications bring many consumer benefits, there are risks too," Kent Nakamura, vice president for policy and privacy for Sprint, wrote in a letter to Reps. Joe Barton, R-Texas, and Ed Markey, D-Mass. "And because mobile devices are now an open platform, consumers can no longer look to their trusted carrier ... to answer all of their questions."
The letters from the four carriers — AT&T Wireless, Verizon Wireless, Sprint Nextel and T-Mobile USA — were released one day after Apple admitted that its popular iPhone stores data used to help the device locate itself for up to a year. Faced with an uproar among privacy watchdogs and lawmakers after two researchers revealed iPhone location tracking practices last week, Apple said Wednesday that it will no longer store the data on phones for more than seven days, will encrypt the data and will stop backing up the files to user computers.
Google, too, acknowledged last week that phones running its Android software store some GPS location data for a short time.
Privacy watchdogs warn that location data that gets stored over time can provide a window into very private details about a person's life. Databases filled with such information, they fear, could become inviting targets for hackers, stalkers, divorce attorneys and, of course, law enforcement agents.
Representatives from both Apple and Google are expected to testify at a Senate Judiciary Subcommittee hearing on the matter next month. The Senate Commerce Committee is also planning a hearing.
Despite this week's intense focus on location privacy, the letters from the four big wireless carriers are actually in response to requests for information issued by Barton and Markey in late March.
The lawmakers asked the wireless companies to explain their policies for handling location data after The New York Times reported that a Deutsche Telekom customer had discovered that the German phone company had kept detailed information about his phone's location over a period of months. Deutsche Telekom owns T-Mobile USA, but is seeking to sell the company to AT&T.
One theme running through the letters released Thursday was that the wireless carriers all comply with federal rules that prohibit phone companies from using customer data — including location information — for purposes other than providing service, or from sharing it with outside parties, without first obtaining subscriber consent.
But those rules do not encompass device makers such as Apple, software providers like Google or mobile apps. Although many apps rely on cell tower triangulation provided by wireless carriers to determine a user's location — and may therefore be indirectly bound by federal rules — many others depend on GPS technology, Wi-Fi hot spot databases and even Internet Protocol addresses to pinpoint a user's location. Right now, few government privacy rules apply when those technologies are used.
Companies are experimenting with various approaches to help users understand that locations are being tracked. Popular apps such as the social networking service FourSquare asks users to actively "check in" to the places they visit. Many also notify users that they collect location data — and require users to agree— before an app can be downloaded. Apple requires iPhone apps to obtain user permission to gather location information
Meanwhile, CTIA -The Wireless Association, the wireless industry's top trade group, has developed a voluntary set of industry guidelines to ensure that location-based services adequately notify consumers about location tracking and obtain consent.
Still, government officials may get involved. The Federal Communications Commission is looking at what rules could — and should — apply. The issue is also on the radar screen at the Federal Trade Commission, which wants to ensure that apps and other mobile services that gather location data do so with the full understanding and permission of users. And Barton hinted Thursday that Congress may weigh in too.
"After thoroughly reviewing the responses from the wireless carriers, I am left with a feeling of uneasiness and uncertainty," Barton said in a statement. "The companies informed us that customer consent before access of location data is a common practice, but the disconnect is when third-party applications come in to play ... It is time we hold third-party developers accountable, and I am determined to work with other members of Congress to get this done."