This week, the news media has been abuzz with reports about the tracking of Apple iPhone and iPad users.
The Guardian UK first broke the story Wednesday: scientists discovered a data file on Apple iPhones that saves location data (e.g., latitude, longitude, and time stamps) of the phone's recorded coordinates in an unencrypted file on the consumer's smart phone. When the smart phone is synced with iTunes, an unencrypted copy of the tracking file is placed on the consumer's computer.
Other news reports confirmed the tracking with Apple iPad devices. The Wall Street Journal reported that both Apple and Android phones collect location data and regularly transmit it back to Apple/Google. The blog F-Secure reported that the location data is already routinely sent to Apple twice daily.
The New York Times blog reported from the "so what?" angle: that the data collection is no big deal since most mobile device users have already agreed to the data collection. The BGR blog listed several mobile companies' privacy policies as proof of users' consent to the real-time location data collection.
What is a consumer to make of all of this?
The scientists that discovered the file, Pete Warden and Alasdair Allan, did a credible job of exposing the data file, and highlighting the implications of the tracking with some visual examples. Here is one map of a person's historical locations based on the data file in their iPhone:
"... Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services."
The issues I see with this smart phone location tracking:
- Several privacy policies apply for each user, because mobile devices are the intersection of the hardware, operating system, data communication, and apps. Example: I use an HTC Windows mobile phone, so a minimum of three privacy policies apply: Microsoft (Windows 7), AT&T (data plan), and HTC (phone manufacturer); plus privacy policies for each app downloaded. Have you read all policies that apply to your mobile device(s)? Have you kept up with changes to those policies? I doubt it.
- Few website privacy policies disclose the names of partners and licensees that a company shares location data with. The list of company names should be disclosed and updated as things change. This lack of transparency is not new, and it applies to Apple and all of the companies operating in the mobile marketplace.
- Companies have a responsibility to explain how they anonymize consumers' location data. Why? Trust is at the core of mobile usage, and consumers who are concerned about their privacy need to feel confident that their privacy is maintained. For example, anonymity could easily be broken by comparing a heat map of a single person's location to home/work data listed in a social networking site profile.
- Companies have a responsibility to explain more accurately in their website policies exactly what location data is collected (e.g., exact GPS coordinates or triangulated position estimates) and how often. Precision matters. Most of the policy language BGR listed included "may collect" and didn't disclose transmission frequency.
- Now that consumers know more about the tracking, many may (or probably will) want a choice. I know that I do. I want the option to turn on/off the tracking, and to delete this tracking data file. Current news reports indicate that consumers don't have this choice.
- Companies have a responsibility to adequately protect the sensitive data they collect. In the case of the iPhone, it copies the unencrypted data tracking file to the user's computer when the user syncs their iPhone. Malware can easily access and transmit the data files from either the iPhone or computer/laptop/desktop. Unencrypted files in multiple locations strike me as sloppy or poor data security.
- The data tracking has highlighted the WiFi collection issue again, in that Apple/Google may be using consumers' mobile devices to build databases of WiFi locations and details. You may recall that Google was caught doing WiFi data collection last year with its StreetView cars.
- I'd like to see device manufacturers fund an independent analysis to verify that apps are not accessing this sensitive location data file. This goes to trust. Now that everyone knows the file exists, I imagine some iPhone and Droid apps will attempt to access the data file.
- Besides opt-out, it seems wise to provide considerations for certain mobile device users (e.g., children, stalking victims).
- I am sure that law enforcement would find this location data particularly useful, if they haven't already downloaded it after traffic stops.
Obviously, the issues are far from settled. Sadly, it seems that some consumers have concluded that it is impossible to protect their privacy. As one person commented on the I've Been Mugged Facebook page:
"Someone always knows where I am unless I give up electricity, pick up a shovel and head for the hills."
That is an attitude I hope can be eliminated. If this tracking bothers you (and I sincerely hope that it does), contact Apple, Google, and your elected officials to demand opt-out and encryption protections.