Senator Hawley Asks Tim Cook to Provide Apple Customers with a “Do Not Track” Option

Tuesday, June 04, 2019

As Apple convenes its Worldwide Developers Conference (WWDC), Senator Josh Hawley (R-Mo.) sent a letter to Apple CEO Tim Cook asking him to voluntarily provide Apple customers with a “Do Not Track” option. Senator Hawley recently introduced the Do Not Track Act, which would create a system similar to the “Do Not Call” list, but for data tracking.

Sen. Hawley’s letter follows a report that Apple’s App Store does not stop developers from hiding software in their apps designed to track users and harvest massive amounts of data unrelated to app functionality. In his letter, Senator Hawley notes that Cook has been highly critical of such practices in the past, famously writing, “Let’s be clear: you never signed up for that.”

In his letter, Sen. Hawley writes, “I am optimistic that Congress will give my bipartisan bill serious consideration, but you have the power to provide these protections to your customers even before Congress acts. If your company is serious about protecting privacy, you should give your customers the power to block all companies from collecting or sharing any data that is not indispensable to the companies’ online services.”

Sen. Hawley ends his letter by noting that Cook has a chance to “make good on [his] promise to be an industry leader” by implementing the principles of the Do Not Track Act.

Read the full letter here or below:

Mr. Tim Cook
Chief Executive Officer
Apple, Inc.
1 Apple Park Way
Cupertino, CA 95014

Dear Mr. Cook:

Your company enjoys a better reputation than most large tech firms when it comes to privacy. I was pleased, for example, to see Apple announce yesterday that it will restrict the ability of apps to request blanket, permanent consent for location services and that Apple will prohibit apps from capturing information about which Wi-Fi signals users access.

But you can still do better. Recent reports reveal that the App Store does not stop developers from hiding software in their apps designed to track users and harvest massive amounts of data unrelated to app functionality.[1] To use your own words, we “never signed up for that.”[2]

These reports reveal widespread abuse of user trust by app developers. They note that, without adequately informing users, developers hide trackers that transmit reams of data to ad networks and other third parties. Your policies allow users to limit app permissions for system-level data like personal contacts and location services. Yet these reports reveal that your policies do not prevent apps from pilfering mountains of other data and then sharing it with third parties.

Even worse, the use of middleware drastically enhances the scope of this abuse. Developers typically incorporate bundles of code from other developers. So a person who uses an app potentially exposes her data not only to the app developer, but also every app developer on which the principal developer relied. These sub-developers routinely design their software to thwart reasonable attempts to restrict tracking. For example, experts recommend limiting tracking by resetting device advertising IDs. But apps often include middleware that frustrates these efforts by collecting permanent device IDs. And because app developers either don’t police middleware creators or consciously allow those creators to abuse the app interface, these apps regularly expose users to alarming violations of federal privacy law. For example, the developer of Angry Birds, Rovio, sends data through its apps to 43 different companies, at least three of which are almost certainly violating the Children’s Online Privacy Protection Act.

Fortunately, there is a simple solution. I have introduced bipartisan legislation, cosponsored by Senator Feinstein, to end these abusive data practices. The Do Not Track Act would prohibit any company from collecting any data beyond what is indispensable to its online services.[3] All a person would need to do to obtain this protection is click a single button one time.

I am optimistic that Congress will give my bipartisan bill serious consideration, but you have the power to provide these protections to your customers even before Congress acts. If your company is serious about protecting privacy, you should give your customers the power to block all companies from collecting or sharing any data that is not indispensable to the companies’ online services. And you can do so without having to pore through every line of middleware code.

The method for doing so is simple. You need only require app developers, as a condition for appearing in the App Store, to certify that their apps will not collect data beyond what is indispensable to the companies’ online services if a user activates the “Limit Ad Tracking” feature that you already provide. If a company collects this data after certifying otherwise, it would clearly violate federal and state prohibitions on unfair or deceptive trade practices, and existing remedies would be available to protect consumers.

My bill takes a giant leap toward ending the greedy data-grabbing practices of bad-actor companies. But this effort should not be led by Congress alone. You have it in your power to make good on your promise to be an industry leader. You should do so by implementing the principles behind my Do Not Track bill immediately.

Thank you for your attention to this matter. I look forward to your response.

Sincerely,
Josh Hawley

[1] https://www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-iphone-is-talkinghttps://www.vox.com/explainers/2019/5/7/18273355/angry-birds-phone-games-data-collection-candy-crush.
[2] http://time.com/collection/davos-2019/5502591/tim-cook-data-privacy/.
[3] https://go.usa.gov/xmw6h.

Issues