Apple's time in the privacy spotlight.


There has been a lot of press about Apple's latest update to two key policies.  Apple updated its privacy policy and its iTunes Terms of Service, with some new language about location information. When you agree to the changes, you agree to let Apple collect, store, and share "precise location data, including the real-time geographic location of your Apple computer or device."  The changes must be accepted in order to download anything from the iTunes store.  Note that it is not only Apple who has access to this information but also "partners and licensees."

Apple says that the data is "collected anonymously in a form that does not personally identify you." There does not appear to be any way to opt out of this data collection without giving up the ability to download apps, which severely limits iPhone/iPad use.

Below is the text from the Terms of Service / Privacy Policy update.  Emphasis is mine:

"Location-Based Services

To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services.

Some location-based services offered by Apple, such as the MobileMe "Find My iPhone" feature, require your personal information for the feature to work."


As previously discussed on this blog (Geotagging, Geolocation, and your Privacy), the iPhone has been leaking location information for a long time. There are various privacy concerns with all of this despite the "anonymous" data. Research has demonstrated that large data sets (e.g. the entire iPhone/iPad user base) of supposedly anonymized data can be linked back to specific users. Real-world example: AOL Search Data Scandal.

Is this the next brewing privacy snafu?  I don't think so.  There are two issues surrounding this policy update that are getting mashed together and confused: 1) App providers & key iPhone/iPad functionality and 2) Apple itself.

From the Application Development & iOS4 point of view:

We are seeing improved user privacy. An update in the much-anticipated iOS4 is giving users greater control over which applications are allowed to access location-aware services. A review of iOS4 written up by Rene Ritchie at TiPb.com (search for "General: Location Services" if you don't want to read the whole review) shows that the new operating system will give users much more granular control over what can and can't access the location service. I think this is great news for user privacy and would help mitigate the risks discussed in the Geotagging, Geolocation, and your Privacy blog post!

Apple has simply codified existing business practices into its privacy policy and terms of service to cover the sharing of location information because...users are sharing location information. There are privacy risks to sharing location information that most people are not fully aware of; however, that is not going to stop them from becoming the Mayor of Wawa #168 if they choose to wear that crown. If people start telling you that Apple is tracking you, it's true. However, these changes didn't impact that at all. Apple knows your device and knows the network it is associated with (AT&T). There is plenty of linkable information to tie an iPhone/iPad owner to specific accounts and, through that, to specific locations. No doubt if you do become the Mayor of Wawa #168 you will find Wawa-targeted ads popping up through the iAd service.

From the Apple-collecting-all-of-your-information point of view:

We are seeing forced participation in Apple product development and the introduction of a new privacy risk. Users should be given the choice to share that information with Apple. If Google, notorious for sucking up as much information as possible, can give users a choice, I think Apple can as well. Further, users don't know what exactly is being collected (GPS coords? Cell tower? IP addresses when connected to Wi-Fi?) and they don't know how it is being used. That is problematic and risky. It is also an easy fix for Apple: simply make the data sharing opt-in and better describe the specific information that is being collected in its policies.


Readers: What are your thoughts? Concerned about Apple sucking up your information? Do you feel like the more granular controls for applications are a positive step for user privacy? Is that positive step negated by Apple "tracking" you? Hit the comments, spark a conversation!


1 Comment

Problem is privacy is something you're supposed to be proactive on, not reactive.

Once someone or something like Apple or the iPhone gets mass appeal, the public generally trusts that entity to make decisions in their best interest. Outsourcing their responsibility, essentially. Part of faux security is perpetuated by all the "protective" agencies and standards (i.e. PCI-DSS, FTC, etc).

So, the pessimist in me says that privacy will never gain traction unless a *major* privacy breach happens. And I mean, *MAJOR*.

TJX wasn't big enough, because every site you go to still gives you an option to save their credit card information with them.

Other sites don't disable autocomplete in their form fields, so your browser stashes that information in the local cache, and combine that with the fact that certain browsers sync this information around to other computers and servers to make life "easier" for you.

Some financial services sites pass sensitive information in GET parameters rather than doing a POST, because it's easier.

The most egregious for me is Wi-Fi hotspots at hotels and well-known coffee shops that don't have any sort of encryption, so you can grab all user traffic out of the air using a sniffer.

As long as people associate privacy with being complex and/or paranoid, the situation will get worse before it gets better.
