Responding to a request by the Senate Judiciary Committee, a new GAO report analyzes the role of smartphone tracking apps in facilitating stalking, and the potential responses the federal government may take against their developers. Once installed, the 40 apps examined by the GAO display no icon and provide a user of a separate device the ability to retrieve location data, and in some cases communications data.
The report paints the majority of these apps as wolves in sheep’s clothing, with marketing materials billing them as tools for tracking children, consenting employees, or even elderly Alzheimer’s sufferers. Roughly one third of the apps are openly marketed as spying tools, with cheating spouses a leading target. In these cases, the developers sought to protect themselves with a veneer of legal legitimacy by including disclaimers in their terms of service explicitly contradicting the marketing materials.
Despite such attempts to limit liability, the report identifies four areas of federal law which may be applicable to the developers. Of these options, three are untested in the smartphone tracking context. First, deceptive marketing practices, like those detailed in the report, are the target of Section 5 of the FTC Act. The wrinkle in this scenario is that the purchaser is not the one suffering from the deceptive practices, but some experts interviewed by the GAO felt the protection of third parties would suffice. Second, smartphones qualify as computers for the Computer Fraud and Abuse Act. The CFAA provides criminal and civil remedies for accessing computers without, or in excess of, authority. However, this clear violation of CFAA may be hampered where a shared phone plan is involved. Third, the federal stalking statute contains specific prohibitions on using electronic communications services to stalk. The act itself previously required the stalking activity to cross state lines, but the Violence Against Women Reauthorization Act empowered the pursuit of ‘cyberstalking’ under the stalking statute regardless of location.
Finally, should these untested options prove inapplicable, the federal wiretap act has been successfully applied to developers of apps which intercept and monitor communications data. However, the GAO notes that some federal courts have held that location data does not qualify as “the substance or content of a communication” for purposes of the act, and thus developers of tracking apps which solely relay location data may still escape liability.