Naked Security

Illinois poised to ban geolocation tracking without consent

Great news, right? But is it a waste of time, or a welcome step towards greater privacy?

The US state of Illinois is poised to pass a law that makes it illegal to track a phone’s location without the owner’s consent.

The law, the Geolocation Privacy Protection Act (HB3449), was passed in both houses of the state legislature last week. It’s now on the desk of Governor Bruce Rauner, ready to be signed into law.

The bill will make it illegal for a company to track a person’s geolocation without first getting permission. It sets criminal penalties and damages of at least $1,000, plus attorney’s fees and court costs, for working out a person’s whereabouts from their device without permission.

From the bill’s full text:

‘Geolocation information’ means information that: (i) is not the contents of a communication; (ii) is generated by or derived from, in whole or in part, the operation of a mobile device, including, but not limited to, a smart phone, tablet, or laptop computer; and (iii) is sufficient to determine or infer the precise location of that device.

IP addresses aren’t covered by the bill. It also includes exceptions for finding a missing child or enabling emergency responders to locate somebody. Breaking the new law will be considered a violation of the Consumer Fraud and Deceptive Business Practices Act.

Some question whether the bill will have any real-world impact, given that most devices, apps and websites now ask people for permission before they use location data.

True, and good for their developers. But there’ve been plenty of times when that permission wasn’t sought or granted, yet still our locations have been tracked. There are other times when our locations have been shared without our permission simply because some developer along the line introduced location-sharing by accident.

Here are a few examples:

  • Apple got hit with a class-action lawsuit a few years back over tracking users without consent, allegedly using the location service function on its iPhones to track users, record their location, send it to Apple, and potentially give it to third parties.
  • Researchers in 2014 noticed that when WhatsApp shared their location, the app “called out” to Google Maps without using Secure HTTP, better known as HTTPS. WhatsApp thankfully fixed that glitch, given that attackers who can sniff network traffic between your phone and Google’s servers could have pinpointed users as soon as they shared location with other WhatsApp users.
  • We found out in September that Google Play tracks you even if other apps don’t, given that there’s no per-app choice. It can only be denied access to your location data if you turn location collection off entirely, unlike other apps such as Google Chrome or Sophos Mobile Security, where the per-app toggle works as expected.

Time will tell whether the bill will have any impact on situations such as those. Good luck, after all, with trying to outlaw “Oops! We were sharing location by mistake!” glitches.

Besides penalizing those entities that fail to ask for permission to track people’s geolocation, the Illinois bill would also require that companies inform users of how they plan to use the information they collect (share it with third parties, etc).

At any rate, it’s not surprising that Illinois would pass a law to protect our geolocation privacy; the state has a history of strict data privacy legislation.

As we’ve reported in the past, the Electronic Privacy Information Center (EPIC) considers the Illinois Biometric Information Privacy Act – which prohibits companies like Snapchat, Facebook, or Google from using facial and eye scans, fingerprints, or voiceprints without prior, written consent – to be the toughest law of its kind in the US.

Besides the Geolocation Privacy Protection Act, the Illinois Senate has also passed the Right to Know Act. Approved in May but since put on hold, it requires companies such as Google, Facebook and Amazon to disclose what data has been collected on consumers and shared with third parties.

There are those who consider Illinois’ fixation on privacy to be an utter waste of resources: one that’s bound to produce little but “a tsunami of ‘gotcha’ litigation,” to quote Forbes contributor and University of Chicago law professor Omri Ben-Shahar.

The Illinois legislature — the nation’s most defunct lawmaker — is active these days not in resolving the state’s ongoing pension and budget crises (Illinois has the worst budget deficit in its history and has not managed to pass budget legislation for over a year*). Rather, exhibiting a stunning attention to minutiae, Illinois is worrying itself with so-called “privacy”. Already the state with the most aggressive privacy protection law, the Illinois House is now considering three new privacy bills that would blaze a new trail of class action activity. Illinois, in other words, is solidifying its stature as the Mecca for privacy litigation pilgrimage.

(*On Tuesday, the Illinois Senate approved spending and revenue bills and then overrode the governor’s immediate vetoes of the legislation.)

At Naked Security, we tend to be cheerleaders for privacy protection legislation, but Ben-Shahar raises some points that are worth considering.

Take Illinois’ biometrics law, for example. As Ben-Shahar frames it, users who sign on with their fingerprints know perfectly well that Apple et al are using their biometric information. Yet there is a slew of lawsuits alleging technical violations in the presentation of the consent forms, none of which has been prompted by consumer harm or complaint, and none of which has demonstrated concrete injury.

One of those suits is against Google. Two Illinois residents have filed a class action lawsuit over Google’s creation of face templates from their photographs. In March, the US District Court for the Northern District of Illinois ruled that the lawsuit could proceed.

What’s the big deal with Google creating face templates from photos uploaded to Google’s cloud-based Photos service, which enables sharing and storage? … And from creating face templates with users’ unique facial geometry?

For one thing, it was allegedly done without consent. Nor did Google publish a data retention or destruction schedule, as the plaintiffs allege.

As the Illinois General Assembly has noted, victims of identity theft can always change their taxpayer IDs, but barring violence or surgery, they can’t rearrange their face:

Biometrics … are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.

Is Illinois’ attention to the minutiae of data privacy, be it geolocation, biometrics or data collection, a waste of time? Or an (unfortunately) rare, but welcome, instance of attention being paid to potential avenues of identity fraud and privacy invasion?

I’m going with the latter. We don’t need concrete harm to be done before we take action to prevent it.

Readers, your thoughts?


13 Comments

When geolocation apps are outlawed, only outlaws will provide geolocation apps.

Does a sentence in the middle of a 300-page “Terms and Conditions” presented in 2-point type constitute permission?

“Some question whether the bill will have any real-world impact, given that most devices, apps and websites now ask people for permission before they use location data. True, and good for their developers.”

You’re missing the point here. Apps/Websites don’t ask for permission to use location data because they are being good citizens. They do it because access to location data is controlled by the Apple/Android/Windows operating system and they wouldn’t be able to view that data at all without the user clicking Agree. The dialog comes up because the developer has specifically requested access to that data, so really any app/site asking at all except where genuinely needed should be a strike against the developer.

Lawyers and lawmakers are pushing the agenda for themselves, not for the public. There is money to be made. Public service is dead.
Follow the money.

We need this like we need concrete dividers in multilane highways to separate oncoming traffic. The fact that a major accident hasn’t happened yet doesn’t mean that it won’t. And with foragers (foreign agents, both state sponsored and criminal organizations) at work targeting the area, mining ID data for specific use in ID fraud and thus money extraction, we need heightened privacy and data security legislation more and more every day.

What the CIA used to do in south America with cocaine to fund its engagements in the Middle East and Afghanistan, Russia and China now do with hacking in the US to fund their off the books stuff in their hotzones like the Ukraine and Taiwan.

I hope with time the collection of any private information will require the consent of the user around the world.

Kudos to the forward-thinking Illinois legislators who work to protect consumer privacy. However…

If you read the passed House bill, there are crazy exceptions that remove the teeth.

For example, if I’m reading it correctly, political parties are exempt. Governmental agencies are exempt. A host of other parties are also exempt. In fact, I am hard pressed to find any organization that could be held accountable.

In addition, it looks like the bill would remove the right of Illinois citizens to bring actions against companies violating the Act, which is the biggest deterrent:

“Section 15. Violation.

(a) A violation of this Act constitutes a violation of the Consumer Fraud and Deceptive Business Practices Act. Only a State’s Attorney or the Attorney General may enforce a violation of this Act as an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act, including when an agreement is void and unenforceable pursuant to Section 20 of this Act.

(b) A private entity, other than an individual, that is in violation of this Act shall have 15 days after being notified of a violation to rectify that violation before the Attorney General or appropriate State’s Attorney’s Office may seek an enforcement action against that private entity.”

Is this bill simply a finessed, politically palatable way to remove the right of Illinois citizens to sue companies and government entities for unconscionable tracking of mobile devices?

Liz, I would nominate you for the Best Comment Award if there was one. Excellent, thank you.

This seems to be much like the infamous CAN-SPAM Act, and will likely prove to be just as “effective”.
