How the Legislature can help protect your digital privacy

How many more times will people have to pay the price for big mistakes with our private information before we value it more as a society and demand more private control? In the just the last two months, we have learned that the personal information of hundreds of millions has been compromised by the Equifax security breach and that the personal information of nearly every voter in America is stored on an unsecure server that has the potential to be hacked at any moment through a largely unheard of government program called “Crosscheck.”

Despite these clear breaches of trust and ever-relaxing social media norms, we still generally expect a level of privacy, even in our digital lives. At any rate, most don’t expect to be surveilled through their phones. Yet mobile phone users have this basic assumption violated daily, sometimes every minute their phone is on. Apps stored on the phone may run silently in the background, tracking the user’s specific locations and movement. The geolocation data contains personally identifiable information, is vulnerable to hacking, and is often sent or sold to unregulated data brokers and marketers.

In response, the Illinois General Assembly passed House Bill 3449, the Geolocation Privacy Protection Act, a bill to address massive secret tracking and sale of consumer location data. The legislation required a brief one-time disclosure to consumers of any location tracking practices in the first instance. It informed our choices and let us compare by giving us the ability to know when our apps track where our child attends school, how frequently we see the doctor, and when we are home or not. Without honest disclosure of tracking practices, we can’t make an informed choice, and the end result will continue to erode our trust in technology, and that’s a shame.

Gov. Bruce Rauner chose to side with billion dollar corporations and data brokers over consumers by vetoing the Geolocation Privacy Protection Act in late September. As legislators work to override the veto, they should note the benefits of passage and the blatant fallacies in the governor’s veto statement, which mimics the talking points used by the Silicon Valley tech giants.

The governor wrote, “Consumers already have full control of geolocation data capture in their device settings through most operating systems….”

The evidence completely contradicts the governor’s simplistic and outdated understanding. No law or rule requires Apple, Android, or the thousands of app developers themselves, to disclose tracking practices up front. The currently optional disclosure standards are therefore incomplete and misleading, reducing both user awareness and control.

Moreover, apps can and do track consumers’ location, both without asking permission and against privacy preferences explicitly indicated in the user’s device settings. Last year, we learned a single company used stealth geolocation to track consumers and sell their data to serve 6 billion targeted ads per day, despite the device privacy settings in place. Earlier this year, security experts caught leading app AccuWeather doing the same thing. App makers bypass already weak geolocation notices offered by Apple and Android. The Geolocation Privacy Protection Act fills this gap in consumer privacy protection and establishes a level playing field for all app developers.

And while the governor’s veto statement conveniently ignores technology and facts, it also denies accountability. Gov. Rauner stated, “If further privacy legislation is required, it should be enacted by the U.S. House and U.S. Senate.”

The governor is well aware that in 2016, the Federal Communications Commission passed rules requiring internet service providers, such as Comcast, AT&T, and Verizon, to get customers’ permission to sell, record or track their information for profit. In March of 2017, Congress repealed those protections following large, orchestrated political contributions from industry, and President Trump blithely signed off. When Congress abandons the public interest, it’s time for the states to step in.

It’s time for Illinois lawmakers to once again step up for citizens’ right to privacy, be bipartisan stewards of our private information and demand transparency on our behalf. Urge your lawmaker to override the Governor’s veto of HB 3449.

Jeff Hamburg is an Illinois attorney and policy director for the Digital Privacy Alliance.

Send letters to: letters@suntimes.com