GREG WALDEN, OREGON
CHAIRMAN

FRANK JR, NEW JERSEY
RANKING MEMBER

ONE HUNDRED FIFTEENTH CONGRESS
Congress of the United States
House of Representatives
COMMITTEE ON ENERGY AND COMMERCE
2125 HOUSE OFFICE
WASHINGTON, DC 20515-6115

July 9, 2018

Mr. Tim Cook
Chief Executive Officer
Apple, Inc.
1 Infinite Loop
Cupertino, CA 95014

Dear Mr. Cook:

The Energy and Commerce Committee is reviewing business practices that may impact the privacy expectations of Americans. We write today to learn more about the capabilities of Apple's iPhone devices, in particular the collection and use of consumer data and microphone functionality of iPhones. Recent reports have indicated that consumer data gathered through cell phones, including location information and recordings of users, may be used in ways that consumers do not expect. We seek Apple's assistance in understanding whether these reports could apply to Apple products.

According to media reports published in November 2017, Android phones collect information on nearby cellular towers even if location services, WiFi, and Bluetooth capabilities are disabled, no third-party apps are installed or running, and the phones lack subscriber identification module (SIM) cards.1 The report explained that this information is held locally on the phone until network capabilities are reestablished, at which point the data is sent to Google.2 Additional information provided to the Committee suggests that this behavior is not limited to cellular tower data but is also gathered for nearby WiFi hotspots and Bluetooth beacons. Other behaviors that could have an impact on consumer protection issues were also raised, such as the fact that reenabling location services for one app on an Android phone reenables location services for all apps on that phone. These reports raised questions about how other mobile operating systems function.
1 Keith Collins, Apple collects Android users' locations even when location services are disabled, QUARTZ (Nov. 21, 2017).
2 Id.

Letter to Mr. Cook
Page 2

Consumers have a reasonable expectation of privacy when taking active steps to prevent being tracked by their device. Considering that many consumers likely believe that a phone that lacks a SIM card, or one for which they have affirmatively disabled location services, WiFi, or Bluetooth, such as through turning on "Airplane Mode," is not actively tracking them, this alleged behavior is troubling. While we understand that the cited reports relate to Android phones, we wish to understand whether similar behavior could occur in Apple products as well.

Recent reports have also suggested that smartphone devices can, and in some instances, do, collect "non-triggered" audio data from users' conversations near a smartphone in order to hear a "trigger" phrase,3 such as "hey Siri."4 It has also been suggested that third party applications have access to and use this "non-triggered" data without adequate disclosure to users.

In the wake of the privacy scandals that surfaced earlier this year, you made several comments to the press around Apple's beliefs about privacy, including "never believed that these detailed profiles of people that have incredibly deep personal information that is patched together from several sources should exist"5 and felt strongly about privacy when "no one cared."6 However, users have consistently had access to apps through the App Store that you have highlighted as contradictory to Apple's values, including Google and Facebook apps. Only a few weeks ago Apple announced changes to its App Store rules that were characterized as attempting to limit how much data third-party app developers can collect from Apple device users.7 These statements and actions raise questions about how Apple device users' data is protected and when it is shared and compiled.
Therefore, pursuant to Rules and XI of the United States House of Representatives, we ask that you respond to the following questions by no later than July 23, 2018.

1. When an iPhone lacks a SIM card, is that phone programmed to collect and locally store information through a different data-collection capability, if available, regarding:
   a. Nearby cellular towers;
   b. Nearby WiFi hotspots; or,
   c. Nearby Bluetooth beacons?

3 See Sam Nichols, Your Phone is Listening and it's Not Paranoia, VICE NEWS, June 4, 2018.
4 Apple, The Basics (last accessed June 22, 2018).
5 Tripp Mickle, Apple CEO Tim Cook Calls for Privacy Regulation, THE WALL STREET JOURNAL, Mar. 28, 2018.
6 Saheli Roy Choudhury, Tim Cook: Apple felt strongly about privacy when "no one cared," CNBC, June 25, 2018.
7 Sarah Frier and Mark Gurman, Apple Tries to Stop Developers From Sharing Data on Users' Friends, BLOOMBERG, June 12, 2018.

2. If the answers to any of the preceding questions are "yes," are iPhones lacking SIM cards programmed to send this locally-stored information to Apple when one or more networking capabilities are established?

3. When the WiFi capabilities on an iPhone are disabled, is that phone programmed to collect and locally store information through a different data-collection capability, if available, regarding:
   a. Nearby cellular towers;
   b. Nearby WiFi hotspots; or,
   c. Nearby Bluetooth beacons?

4. If the answers to any of the preceding questions are "yes," are iPhones with disabled WiFi programmed to send this locally-stored information to Apple when one or more networking capabilities are established?

5. When the Bluetooth capabilities on an iPhone are disabled, is that phone programmed to collect and locally store information through a different data-collection capability, if available, regarding:
   a. Nearby cellular towers;
   b. Nearby WiFi hotspots; or,
   c. Nearby Bluetooth beacons?

6. If the answers to any of the preceding questions are "yes," are iPhones with disabled Bluetooth programmed to send this locally-stored information to Apple when one or more networking capabilities are established?

7. When the location services capabilities on an iPhone are disabled, is that phone programmed to collect and locally store information through a different data-collection capability, if available, regarding:
   a. Nearby cellular towers;
   b. Nearby WiFi hotspots; or,
   c. Nearby Bluetooth beacons?

8. If a consumer using an iPhone has disabled location services for multiple apps, but then reenables location services for one app, are iPhones programmed to reenable location services for all apps on that phone? If yes, how is this reenabling of location services for all apps disclosed to a user?

9. Do Apple's iPhone devices have the capability to listen to consumers without a clear, unambiguous audio trigger?
   a. If yes, how is this data used by Apple? Please describe any use or storage of these data.
   b. If yes, what access to this data does Apple give to third parties, including app developers? Please describe and include screen shots of disclosures or terms of service governing such access or use as appropriate.
   c. If yes, has Apple considered using a visual or other alert to let consumers know when a device microphone is recording? Please describe why, or why not, such an alert is or is not provided on iPhones or other smart devices running on an iOS operating system.

10. Do Apple's iPhone devices collect audio recordings of users without consent?
   a. If no, please include screen shots and links to public disclosures made to users about this collection.

11. Please provide copies of all of Apple's policies for data collection via the microphone, or via WiFi, Bluetooth or cellular networking capabilities on Apple's iPhone devices.

12. Please provide Apple's policies as they pertain to third party access and use, including but not limited to app developers and developer guidelines, of any data collected via the microphone on Apple's iPhone devices, particularly data not accompanied by a "trigger" phrase, including "hey Siri."

13. Could Apple control or limit the data collected by third-party apps available on the App Store? Please provide a list of all data elements that can be collected by a third-party app downloaded on an iPhone device about a user, including but not limited to contact lists stored in the iPhone device and location information generated by the iPhone.

14. What limits does Apple place on third-party app developers' ability to collect information about users or from users' devices? Please describe in detail changes made in June 2017 from prior policies.

15. How does Apple monitor and evaluate whether third-party apps are following the App Store rules?
   a. Have any companies ever been suspended or banned from the App Store for violating the App Store rules?
   b. In those cases, if any exist, were users notified that their data was misused in violation of the App Store rules?
   c. If yes, please provide any screen shots of such notification and a description of the conditions under which such a notification would be sent by Apple.
   d. What recourse does Apple provide for users when their data is misused in such a case?

16. Apple recently announced that it is entering into a partnership with a vendor called RapidSOS to provide enhanced location services for 9-1-1 calls to "public safety answering points" (PSAPs). Public statements from Apple reflect that this will be active later this year with iOS 12, the upcoming version of Apple's operating system. Please detail the data elements that will be shared with RapidSOS in this partnership.
   a. What role will RapidSOS serve in the sharing and retention of this information?
   b. How will iOS 12 differ from iOS 11 and other previous Apple operating systems with respect to providing improved 9-1-1 call location services?

Please also make arrangements to provide Committee staff with a briefing on these topics. An attachment to this letter provides additional information about responding to the Committee's request. If you have any questions, please contact Melissa Froelich, Robin Colwell, or Jen Barblan of the Committee staff at (202) 225-2927. Thank you for your prompt attention to this request.

Sincerely,

Greg Walden
Chairman

Gregg
Chairman
Subcommittee on Oversight and Investigations

Marsha Blackburn
Chairman
Subcommittee on Communications and Technology

Robert E. Latta
Chairman
Subcommittee on Digital Commerce and Consumer Protection

Attachment