
Samsung "JAY-Z Magna Carta" App

Top News

  • California Attorney General Releases Mobile App Privacy Guidelines: California Attorney General Kamala Harris has issued a report describing best practices for mobile application privacy. The report, "Privacy on the Go," recommends that app developers implement safeguards such as privacy-by-design and notice, but stops short of setting forth a comprehensive set of Fair Information Practices. The report follows a law that requires all service providers doing business in California, such as mobile app developers, to have a privacy policy available to consumers. The report also occurs while the White House's privacy multistakeholder process is attempting to develop a voluntary code of conduct for mobile app transparency. For more information, see EPIC: Mobile and Location Privacy. (Jan. 10, 2013)
  • Pew Survey Finds Most Mobile Users Avoid Apps Due to Privacy Concerns: A survey by the Pew Research Center found that the majority of mobile phone users have uninstalled or avoided apps due to privacy concerns. According to the report, 54% of mobile users have decided to not install an app after discovering the amount of information it collects, and 30% of mobile users uninstalled an app after discovering that it was collecting personal information that they didn’t wish to share. Owners of Android and iPhone devices are also equally likely to delete (or avoid entirely) cell phone apps due to concerns over their personal information. Younger cellphone users were also twice as likely as older users to report that "someone has accessed phone in a way that felt like privacy invasion." This poll follows another survey by Pew that found that users were becoming more active in managing their social media accounts. For more information, see EPIC: Public Opinion on Privacy. (Sep. 5, 2012)
  • EPIC Urges FTC to Develop Meaningful Privacy Protections for Mobile Services: EPIC has submitted comments to the Federal Trade Commission concerning "Advertising and Privacy Disclosures in a Digital World". The FTC is currently exploring ways businesses could improve privacy notices for mobile devices. EPIC pointed out that many of the techniques, such as privacy icons, suffer from the same problems as traditional privacy notices. EPIC recommended that the FTC focus instead on substantive privacy protections, such as those found in the federal Privacy Act, sectoral privacy laws, and the Consumer Privacy Bill of Rights, proposed by the White House. An earlier FTC report called for new privacy legislation and an FTC investigation documented privacy problems with mobile applications for children. For more information, see EPIC: Federal Trade Commission. (Jul. 11, 2012)
  • EPIC Calls on FTC to Develop Substantive Privacy Protections at Workshop on Mobile Advertising: EPIC submitted comments to the Federal Trade Commission for the May 30 workshop on mobile advertising disclosures. EPIC recommended that the agency focus on the development of substantive privacy protections, such as the Consumer Privacy Bill of Rights announced by the President earlier this year, for mobile services. EPIC also recommended that the workshop address a series of problems with the "notice and consent" approach, as well as the merits of innovative, nonverbal approaches proposed by privacy scholars. The workshop follows an FTC report calling for privacy legislation and an investigation that documented privacy problems with mobile applications for children. For more information, see EPIC: Federal Trade Commission. (May. 11, 2012)
  • EPIC FOIA - New Details About Automated License Plate Readers Obtained: In response to an EPIC Freedom of Information Act request, Customs and Border Protection has disclosed nearly 1,000 pages of documents on automated license plate readers and border body scanners. The documents include contracts with several companies, such as Rapiscan and L3, for vehicle and cargo screening x-ray devices. Previous documents obtained by EPIC revealed that the agency is developing integrated vehicle scanners, with backscatter x-ray, Closed Circuit Television, and automated license plate readers, that would be used with human subjects. Radiation experts have questioned the safety of these systems, which produce ionizing radiation. For more information see EPIC FOIA: Automated License Plate Readers and Border Checkpoint Body Scanners. (Feb. 14, 2012)
  • iPhones, iPads Collect and Store User Location Data: Security researchers have found that Apple records detailed location data of iPhone and iPad users. The information, which includes latitude/longitude and a time stamp, is captured by the devices and then transferred to a user's computer where it is stored unencrypted. It is not clear whether Apple is able to access the file directly. Senator Al Franken (D-MN) and Rep. Ed Markey (D-MA) have asked Apple CEO Steve Jobs to explain why the company is storing information on its users in a secret file. Apple may have violated Section 222 of the Communications Act, which requires companies to obtain customer consent before location data is used or disclosed for commercial purposes. A recent Nielsen poll finds that US smartphone users are concerned with privacy when it comes to location. For more information, see EPIC: iPhone and Privacy, EPIC: Locational Privacy and EPIC: Consumer Proprietary Network Information. (Apr. 21, 2011)

Background on The Magna Carta App

In a promotional deal, Samsung bought one million digital copies of Jay Z’s new album “Jay-Z Magna Carta Holy Grail” to distribute to users of certain Samsung smartphones and tablets. Samsung developed a mobile application, called “Jay-Z Magna Carta,” and required Samsung users to download and use the app in order to participate in Samsung’s promotional offer. The Magna Carta App provided certain Samsung mobile device users the ability to download Jay Z’s new album for free on July 4th, three days before the album was set to be released. Once downloaded, the application prompted a permission window that a user had to accept before the application would install. The user was required to agree to all of the permissions in order to access any of the content provided by the Magna Carta App.

Permissions Requested

The application required permissions to:

  • modify or delete contents of phone USB storage
  • prevent the user's phone from sleeping
  • view and record data regarding all running apps
  • read phone status and identity (i.e. who the user is talking to on voice calls)
  • run automatically at startup and to continue running in the background the entire time the phone is on
  • test access to protected storage
  • receive data from the Internet, view Wi-Fi connections, and view network connections
  • control the phone's vibration
  • search through accounts on the device and collect account information (gathering e-mail addresses and social-media user names connected to the phone)
  • and access the user's precise (GPS) and approximate (network-based) location.

The application also required permission for full network access. As New York Times reporter Jon Pareles noted, the number of permissions requested "verges on parody."

Information Collected

The Magna Carta App accessed a vast amount of users’ personal information, including:

  • Approximate user location using cell site locations and Wi-Fi networks
  • Precise user location using the Global Positioning System (GPS), cell site locations, and Wi-Fi networks
  • Mobile device identifiers, including the International Mobile Subscriber Identity and International Mobile Station Equipment Identity numbers, both of which are unique identifiers
  • Time periods during which the phone is active
  • Telephone numbers dialed
  • The identity of other applications installed on the device
  • The identity of user accounts associated with other applications
  • Sensitive log data
  • The identity of Wi-Fi networks and other devices connected to Wi-Fi networks

Social Media Requirement

Furthermore, in order to download the Magna Carta App, users were forced to register with or sign into Facebook or Twitter to access the album. Once users signed in to their Facebook or Twitter accounts, they had to pass through an age gate. Entering an age below 13 had no impact on their ability to re-enter a higher age. Additionally, the Magna Carta App required permission to post on users’ behalf on those accounts, presumably to create social buzz. In the run-up to the album’s release, the Magna Carta App allowed users to view song lyrics, but only if the user posted a tweet or Facebook status update promoting the fact that they had unlocked each lyric.

Privacy Risks Posed by the Magna Carta App

Mobile applications that require overbroad data collection permissions violate a number of the fundamental privacy rights established by both the FTC in its prior decisions, and by the White House in the CPBR.

Samsung Did Not Disclose To Users Why It Collected So Much User Data

In listing the permissions requested by the Jay-Z Magna Carta App, Samsung failed to disclose the purposes for which it collected users’ information as required by law and public policy. For example, Samsung did not explain why it collected users’ approximate location, precise location, unique device identifiers, phone numbers and phone numbers called, application usage information, log files, and Wi-Fi network and connected device identifiers. Facts about the purpose for which data was collected would be material to users in their decision to use and install the App.

Samsung Prevented Users From Making Meaningful Privacy Choices

Integrating users' social media accounts into the Magna Carta App unfairly restricted user choice. Samsung required users of the Jay-Z Magna Carta App to also have either a Facebook or Twitter account. By tying the Magna Carta App to Facebook and Twitter, Samsung required consumers who consented to using the Magna Carta App to also consent to the full range of Facebook or Twitter’s business practices, thereby depriving them of the choice to use the Magna Carta App alone. Public policy and FTC precedent establish that users should have meaningful choices regarding the collection and use of their data. Users of the Magna Carta App, however, could not reasonably avoid this restriction of choice.

Samsung Collected Unnecessary Data

Samsung collected vast quantities of user data, most of which were unnecessary to run the app. The Magna Carta App served no useful purpose other than to capture user data, to control access to music downloads, and to provide incremental access to lyrical content in exchange for access to social media accounts. After the user finished downloading content and sharing information, the Magna Carta App served no purpose at all—the music became part of the user’s regular download library.

Samsung had other primary means of distributing digital music and lyrics that did not involve sharing extensive personal data. Much of the data collected, e.g., account usernames and passwords, in no way supported the implied entertainment purpose of the Magna Carta App. Public policy establishes that companies should operate according to reasonable data collection limits. Samsung did not establish reasonable data collection limits in the App.

Samsung Did Not Immediately Discard Unnecessary Personal Data

Samsung retained the data it collected from consumers even after that data no longer aided the functionality of the Magna Carta App. Public policy establishes that companies should operate under sound data retention practices and data minimization procedures. In violation of FTC precedent and firmly established public policy, Samsung did not incorporate data minimization procedures into its data collection practices.

The Magna Carta App Interfered With the Users' Ability to Operate Their Smartphones

The Magna Carta App unfairly interfered with mobile device functionality, and in ways that users could not reasonably have expected. For instance, the user had to agree to allow the Magna Carta App to accept cloud-to-device messages sent by the App’s service. The Permissions explanations page noted, “Using this service will incur data usage. Malicious apps could cause excess data usage.” The Magna Carta App affected the smartphone’s battery by controlling the device’s vibration and preventing the device from going into “sleep” mode.

The Magna Carta App also affected the device’s speed and efficiency. The last term on the Permissions page noted, “[This permission] allows the app to have itself started as soon as the system has finished booting. This can make it take longer to start the device and allow the app to slow down the overall device by always running.” This activity is likely to cause substantial injury to consumers. (“Substantial injury” has been found where unauthorized implementation of anti-spyware software on users’ computers affected the computers’ functionality.)

However, users could not switch off or opt out of any of these functions. All of the Permissions were prerequisite for the user to run the Magna Carta App. Consumers who wished to use the Magna Carta App could not do so without allowing the software to access their personal information. If a person is subject to the potential for "always on" recording, that fundamentally alters how that person behaves. Privacy is the ability to control how and to whom one expresses oneself. If a person cannot control to whom they are expressing themselves, they will tailor the nature of their expression. Without the ability to control one's audience, individuals will fear reprisals for non-conforming, unusual, or unprofessional behavior. The resulting chilling effect will stifle creativity, innovation, and self-discovery.

The FTC's Interest

The Commission’s decisions in cases such as In re HTC and U.S. v. Path established protections against material omissions and poor privacy practices in mobile privacy.

In Path, Inc., the Commission required that a social media application display a prominent explanation of the types of information it collected. The version of the application that could be installed on a mobile device would gather information from the user’s address book and contacts lists. The Commission explained, “The feature provided users with three options: ‘Find friends from your contacts;’ ‘Find friends from Facebook;’ or ‘Invite friends to join Path by email or SMS.’ However, Path automatically collected and stored personal information from the user’s mobile device address book even if the user had not selected the ‘Find friends from your contacts’ option. For each contact in the user’s mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.”

In HTC America, Inc., the Commission found that mobile application providers may not misrepresent, even by implication, the security protections they use when gathering and storing user data. The Commission noted that HTC “failed to detect and mitigate these vulnerabilities, which, if exploited, provide third-party applications with unauthorized access to sensitive information and sensitive device functionality.” The Commission also noted that HTC secretly installed Carrier IQ on its devices, which collected “GPS-based location information; web browsing and media viewing history; the size and number of all text messages; the content of each incoming text message; the names of applications on the user’s device; the numeric keys pressed by the user; and any other usage and device information specified for collection by certain network operators.”

The Consumer Privacy Bill of Rights and the FTC's Privacy Report

The Obama Administration's Consumer Privacy Bill of Rights ("CPBR") lists "Respect for Context" as one of its seven principles. This principle provides that "Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data."

The CPBR lists "Control" as another of its seven principles. The Control principle provides that "Consumers have a right to exercise control over what personal data companies collect from them and how they use it." The CPBR establishes that "Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place." The CPBR states that, in cases involving sensitive data collection, companies should offer "fine-grained control of personal data use and disclosure."

The CPBR also lists “Focused Collection” as one of its seven principles. The Focused Collection Principle provides that “Consumers have a right to reasonable limits on the personal data that companies collect and retain.” Further, “Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle. Companies should securely dispose of or de-identify personal data once they no longer need it[].”

Additionally, the Commission’s March 2012 report “Protecting Consumer Privacy In an Era of Rapid Change” sets out “Privacy By Design” as one of its three principles. “Privacy By Design” encompasses the principle of “Reasonable Collection Limitation: Companies Should Limit Their Collection of Data.” “Reasonable Collection Limitation” provides that “Companies should limit data collection to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business[].” The report further clarifies that “Reasonable Collection Limitation” is analogous to the CPBR’s “Respect for Context” principle.

The Commission has established meaningful consent as a foundational privacy practice. The Commission’s 2012 Privacy Report states that “a company should provide the choice mechanism at a time and in a context that is relevant to consumers - generally at the point the company collects the consumer’s information.” In particular, the Commission explained that “businesses should not offer consumers a “take it or leave it” choice when collecting consumers’ information in a manner inconsistent with the context of the interaction between the business and the consumer.”

The Commission has also identified “Sound Data Retention” as one of the defining principles of Privacy By Design in its 2012 report. The Sound Data Retention principle provides that “Companies Should Implement Reasonable Data Retention and Disposal Rules.” The report further clarifies that “companies should implement reasonable restrictions on the retention of data and should dispose of it once the data has outlived the legitimate purpose for which it was collected.”

EPIC and the FTC

EPIC is the group responsible for several of the Federal Trade Commission's major privacy decisions, including:

Samsung's Response

"We are aware of the complaint filed with the FTC and believe it is baseless. Samsung takes customer privacy and the protection of personal information very seriously. Any information obtained through the application download process was purely for customer verification purposes, app functionality purposes, and for marketing communications, but only if the customer requests to receive those marketing communications," Samsung said in a statement to the L.A. Times. "Samsung is in no way inappropriately using or selling any information obtained from users through the download process."

Music and Tech Industry's Response

"If Jay-Z wants to know about my phone calls and e-mail accounts, why doesn’t he join the National Security Agency?"
- Jon Pareles, music writer, New York Times

"This app's very existence is vaguely bewildering. The number of permissions it asks for verges on parody. Its (previous) ability to spam up your social feeds is obnoxious. Its presentation is perfunctory at best. It does nothing to protect the songs from downloading and sharing—of course, this would have happened with Samsung's cooperation or not, but if the point was "exclusivity," then somebody missed a memo somewhere."
- Andrew Cunningham, technology writer, Ars Technica

"When an artist self-identifies as a corporate entity, are we still Jay-Z fans? Or are we Jay-Z customers? The answer to that late-capitalist riddle arrives with the rap icon’s insidious new album, “Magna Carta . . . Holy Grail” — which first appeared last week as a data collection exercise disguised as a smartphone app capable of delivering a bundle of mediocre rap songs to your mobile device."
- Chris Richards, music writer, Washington Post

"Such auto-posting is usually endemic to spam, not apps released by a major IT company and a top-selling pop artist."
- Robert Schoon, technology writer, Latinos Post

"Now consider the three-way trade that has been done here. Jay-Z gets paid directly for his music in a way that wouldn’t be quite so likely if he had to rely on traditional record sales and “traditional" digital downloads. You, the listener, get free (or almost-free) music, which is what you’re used to at this point. It’s a frictionless transaction, to borrow a Silicon Valleyism. And Samsung — which is not a cellular provider and would therefore not normally have access to this, I don’t think — gets some of that raw uncut data, which is all anybody wants anymore."
- Willy Staley, writer and editor at New York Times magazine

"I read this and .... 'Naw I'm cool'"
- Killer Mike, rapper

Resources

News Reports