APRIL 5, 2011, 8:06 A.M. ET
By AMIR EFRATI, SCOTT THURM and DIONNE SEARCEY
Federal prosecutors in New Jersey are investigating whether numerous smartphone applications illegally obtained or transmitted information about their users without proper disclosures, according to a person familiar with the matter.
The criminal investigation is examining whether the app makers fully described to users the types of data they collected and why they needed the information—such as a user’s location or a unique identifier for the phone—the person familiar with the matter said. Collecting information about a user without proper notice or authorization could violate a federal computer-fraud law.
Online music service Pandora Media Inc. said Monday it received a subpoena related to a federal grand-jury investigation of information-sharing practices by smartphone applications.
Pandora disclosed the subpoena, issued “in early 2011,” in a Securities and Exchange Commission filing. The Oakland, Calif., company said it had been informed it is “not a specific target of the investigation.” Pandora said it believed similar subpoenas had been issued “on an industry-wide basis to the publishers of numerous other smartphone applications.”
A Pandora spokeswoman declined to comment.
The Wall Street Journal reported in December that popular applications on the iPhone and Android mobile phones, including Pandora, transmit information about the phones, their users and their locations to outsiders, including advertising networks.
Smartphone apps—of which there are thousands—are software programs that allow, say, a user to read an e-book, play a game, get sports scores or search for a restaurant.
The Journal tested 101 apps and found that 56 transmitted the phone’s unique device identifier to other companies without users’ awareness or consent. Forty-seven apps transmitted the phone’s location in some way. Five sent a user’s age, gender and other personal details to outsiders. At the time they were tested, 45 apps didn’t provide privacy policies on their websites or inside the apps.
In Pandora’s case, both the Android and iPhone versions of its app transmitted information about a user’s age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service.
Legal experts said the probe is significant because it involves potentially criminal charges that could be applicable to numerous companies. Federal criminal probes of companies for online privacy violations are rare.
Anthony Campiti, creator of the Pumpkin Maker iPhone app, said he received a subpoena requesting information and documents related to his app. Mr. Campiti said he had turned the request over to his lawyer and didn’t recall who had issued the subpoena.
“They’re just doing information-gathering to get a better understanding” of the industry, Mr. Campiti said. “We’re not doing anything wrong and neither is anyone else doing anything wrong.”
The probe, which likely will continue for months, may not result in any charges.
Rebekah Carmichael, a spokeswoman for Paul J. Fishman, the U.S. attorney in New Jersey, declined to comment.
Apple Inc. and Google Inc., which oversee digital “stores” that offer mobile applications to users of iPhones, iPads and mobile-devices powered by Google’s Android software, have been asked to provide information about the applications and app makers, the person familiar with the matter said.
An Apple spokesman declined to comment. Google didn’t respond to requests for comment.
One app maker mentioned in the Journal’s article, Max Binshtok, creator of the Daily Horoscope Android app, said he had not received a subpoena. Makers of other applications declined to comment or didn’t respond to requests for comment. The Journal also tested its own app, which didn’t send information to outsiders. A Journal spokeswoman declined to comment.
The probe centers on whether app makers violated the Computer Fraud and Abuse Act, said the person familiar with the matter. That law, crafted to help prosecute hackers, covers information stored on computers. It could be used to argue that app makers “hacked” into users’ cellphones.
“This is a big hammer if the government chooses to use it,” said Orin S. Kerr, a law professor at George Washington University.
Legal experts said, in general, companies rarely end up being charged with a crime, and that the current probe could morph into a civil one.
They said companies in the federal government’s cross hairs often reach non-prosecution or deferred-prosecution agreements that allow the targets to avoid being criminally charged. In exchange, the companies may agree to concessions, including monetary payments or promising not to engage in future wrongdoing, among other things.
Earlier this year, federal prosecutors in New Jersey criminally charged two individuals for allegedly attacking servers at AT&T Inc. and obtaining email addresses of more than 100,000 users of Apple’s iPad device, including members of the U.S. government and military. Those individuals are fighting the charges.
Several companies involved in smartphone apps are facing civil lawsuits from consumers alleging their privacy has been violated through the transmission of personal information. A Los Angeles man filed suit in U.S. District Court for the Northern District of California against Apple, Pandora and other defendants in December, seeking class-action status on behalf of iPad and iPhone users. The suit claims that apps downloaded to those devices “have been transmitting their personal, identifying information to advertising networks without obtaining their consent.”
Makers of apps could also face complaints of unfair and deceptive trade practices from the Federal Trade Commission. Such complaints can be aimed at companies that fail to tell customers how they are collecting information or are violating their own terms of service.
“Hopefully this will bring about a big change in the industry and make companies be more responsible in what data is being collected,” said Ginger McCall, an assistant director at privacy advocacy group Electronic Privacy Information Center.
Google recently agreed to strict privacy rules and said it would ask users before sharing data with outsiders as part of a proposed settlement with the FTC, which had claimed it violated user’s privacy on its social network, Google Buzz.