Apple Lays Out Location Collection Policies

itwbennett writes "In a 13-page reply (PDF) to questions from Congressmen Ed Markey of Massachusetts and Joe Barton of Texas, Apple said iPhones running OS 3.2 or iOS 4 collect GPS data and encrypt it before sending it back to Apple every 12 hours via Wi-Fi. Attached to the GPS data is a random identification number generated by the phone every 24 hours. The information is not associated with a particular customer and Apple uses the data to analyze traffic patterns and density, it said. Apple collects such data from customers who have approved the use of location-based capabilities on the phone and who actually use an application that requires GPS."

Intelligence test

[Concern]

Wow, a new ID every 24 hours, huh? Am I supposed to be impressed? What do you think, are they deliberately creating "anonymizing" measures they can circumvent, or are they just retarded?

Let's just assume it actually works as they say and there isn't some easy way to link the random ID the real phone. Say, by web server logs. Duh.

If I get 24 hours, I get where you woke up this morning and where you'll go to bed tonight. I almost certainly know where you live, and then I know where you were all day. The lat/long itself during stationary periods especially at night is an identifier.

If you guys are comfortable letting Apple or anyone else have this, it's just because your brain hasn't digested what it means yet. Don't worry, wait for the first few scandals. It will take a few years - maybe long enough for every asshole company to start doing this. But it will get easier to understand.

This response by apple is an intelligence test for Congress and for the American public. Sharpen your pencils, let's see if you pass...

Re:Turn the tables!

[imamac]

Amen, Barton. Obfuscation through walls of text is a scummy way to slip clauses past consumers.

Too bad congress does it every day with Federal legislation.

Re:Intelligence test

[oodaloop]

Um, they already know where I live. That would be the address where my phone bill arrives. It's also the billing address of the credit card I used to sign up with iTunes. But holy shit, now they know the same thing with GPS! It's like 1984 or something! AAAGGHHHH!!!

Re:Turn the tables!

[Neil_Brown]

It a litigious society, how exactly do you propose that Apple (or any company) protects themselves?

Longer documents, or documents using longer words, are not necessarily any more protective or beneficial to a company than shorter documents - I'd rather have a clearer document, which a consumer can understand, than pages of documentation which a customer is unlikely to read. One also needs to be mindful of the difference between notifications to a customer, and contractual terms - confusing the two can make documents unnecessarily complex.

Similarly, "privacy by design" appeals to me - make things obvious from within the interfaces used by the customer, to give the customer control over their data, privacy etc. - if it is obvious from within an application what is happening, with default settings minimising unintended data sharing etc., the need for long privacy policies is reduced.

It depends on context, and on the risk profile which a company is willing to adopt, but, as a lawyer myself (for a company, rather than for a law firm), I am in favour of reducing documentation put before consumers (and suppliers, for that matter) to that which is absolutely necessary in a given situation.

Seems a little dirty to me ...

[pablo_max]

Apple collects such data from customers who have approved the use of location-based capabilities on the phone and who actually use an application that requires GPS."

So basically there is a 13 page document that someone should read when prior to initially powering on the GPS?
Most folks and if I'm honest, myself included would not assume that my using and navigation program would have in any way constituted my intention to let Jobs know where I am and what I am doing.

What's interesting to me is how much this company lies to people and yet so many folks defend them. Take this situation for example, is it true that Apple has buried a "technically" accurate description of that they are doing in their T&C's? Most assuredly. It is also assuredly true that it's written in such a way that the laymen would be oblivious to the fact.
Based on that, there will be many out there who say, Jobs didn't then and fuck you if you ever call him a liar!" To these people I must ask, where do you come from?
I was raised to know that deliberately trying to deceive a person for group of people, whether I use technically accurate information or not, is still lying. I recon these are the same folks who discipline their children with a harsh time-out and no PS3 for 6 hours.
Still, it is indicative of our culture.

Stolen phones?

[stormwarestudios]

So what happens when stolen phone IDs are correlated with their GPS locations? Individually, they might not make much sense, but surely a concentration of stolen phones at a singular location could perhaps help solve issues identifying the thieves?

Re:Intelligence test

[PseudonymousBraveguy]

They know where you live, but now they also know (and STORE) where you work, where you hang out after work, and to which medical institutions you may go to regulary.

Re:Intelligence test

[whisper_jeff]

If you have a problem with it then - and I'll even bold the text so you don't miss it - TURN IT OFF! Their location services can be turned off on an app-by-app basis (and the pop up window that asks if they can gather your location is very clear and concise - nobody will be fooled into it) or can be globally turned off, system wide. If you are concerned about people knowing where you are, don't let them know. It's really not that hard.

Seriously, it's getting rather tedious watching the Apple haters come up with new and creative ways to hate Apple without an logical reason. If you want to hate the company, there are legitimate reasons to do so. This is not one of them.

Re:Intelligence test

[Anonymous Coward]

That's right. But now they ALSO know how much time you spend at home, how you get to work, where you work, where you buy coffee, the stores you frequent,,,, the list goes on. What a lucrative trove of information they now have to parse and analyze.

It sure sounds like a great compliment to iAdd.

You have something to sell? Dog food you say? Well I just happen to know a whole bunch of people who frequently visit pet stores and also happen to take walks in the park three times a day.

Unethical and nefarious applications are not hard to imagine.

And just wait until all that shiny data gets broken into, say because of a badly written api? That will never happen, right?

http://gizmodo.com/5564262/apple-iphone-4-order-security-breach-exposes-private-information

Oh. Nevermind.

Citation needed

[Meneth]

There is no way to verify what they're telling us, because the software is not free.

Re:Intelligence test

[openfrog]

You have missed the point.

Having your address in a client database in one thing, collecting your whereabouts is an entirely different one. Thus the claim by Apple and their studied reply to congressman Markey that they dutifully anonymise such information. The grandparent points out that this claim is entirely invalid, and you have done nothing to disprove him.

The grandparent interestingly posits this as an intelligence test for Congress and the American public. Despite your brashness, you seem to have failed it.

Re:Intelligence test

[duguk]

Sorry, Slashdot somehow thought I wasn't logged in, despite posting fine lower down!

If you have a problem with it then - and I'll even bold the text so you don't miss it - TURN IT OFF!

Sure, you can turn it off on an app-by-app basis, but nowhere in that document (yes, I read it), does it say that they won't still collect data for Apples' own use. Nor does it say that disabling it stops them collecting this data, or selling it on.

Just because you've disabled GPS doesn't mean they can't use AGPS or cell-tower triangulation to collect your location. It simply says that "location services capabilities" can be disabled. Collecting the data isn't a service; it doesn't say anywhere that the data is not collected by them if location services is disabled - plus you've explicitly allowed them to do so in the terms.

If AT&T are collecting it all the time, Apple can easily do it too. Does disabling it mean your privacy is fine? You simply cannot be sure, and this document doesn't clear that up.

I wouldn't let my Government install a tracking device to me, why let Apple do it? They already charge enough! There's no chance of stopping them, at least until someone has the money to take them to court.

I've actually written an email to Apple, suggesting a way we could work together to use this data (slightly humourously, but the theory seems sound - and legal!) you can read it here [monkeyboi.com]. Would be interested to hear any comments or any other uses this could be put to.

Breathe deeply

[Concern]

When did it become so fashionable to become so vehemently confused?

They know where you live, so they can correlate it with your GPS coordinates at night. Then they know every single step everyone takes all day long.

And yes, in case you read the book and were wondering, that actually is worse than anything Orwell imagined Big Brother could have in 1984.

What do you think the phone co does?

[acomj]

Your phone company keeps records of where you are at any time based on which towers your attached to. Law enforcement can get that data.
The phone company also has access to this data, who knows what they are using it for (hopefully to place towers near congestion)?
Apple is not alone in this It appears Tom Tom/ Google are using their mapping app to get peoples speeds to get traffic info to feed back into the system...

Re:Just large enough to bust bandwidth cap?

[Otto]

If the data sent is more than one packet, I'd be shocked.

Remember the flap over iTunes?

[macs4all]

Remember when it was discovered that iTunes was sending anonymized playlist data back to Apple for market-research purposes? Everyone on /. (or nearly so) cried "Big Brother!". But, here we are five years later, and I defy you to find anyone who has had their ACTUAL privacy or identity compromised by that policy.

Apple has a pretty good track record of respecting users' privacy and identities. If no one can demonstrate that a EIN-type identifier or actual phone number can be extracted in less than a lifetime, then STFU.

BTW, the holy Google does a LOT worse things with your data, everytime you use Gmail, Google Docs, or simply do a frickin' SEARCH. I don't see people fleeing away from them.

Fry: "Since when is the internet all about robbing people of their privacy?" Bender: "August 6, 1991".

And please, no jokes about that episode being about the iPhone!

Missing the point

[dachshund]

Um, they already know where I live. That would be the address where my phone bill arrives. It's also the billing address of the credit card I used to sign up with iTunes. But holy shit, now they know the same thing with GPS! It's like 1984 or something! AAAGGHHHH!!!

You seem to be missing the point. Apple specifically indicated to Congress that they anonymize location data by assigning a unique random ID every 24 hours. Presumably the goal is to disassociate your location information from the details that Apple already knows, i.e., your name and home address. That way Apple can claim they're not collecting data that would actively violate a user's privacy. More specifically, the theory is to prevent Apple (or someone malicious who obtains the database) from associating "a phone at some series of locations throughout the day" with "John K. Oodaloop at 4945 Spring Place". If this anonymization actually works, then customers can rest easy that they're not carrying an active tracking device with them all day that's recording their movements into a long-lived and possibly ill-secured database.

Clearly this is what Apple would like Congress to believe, anyway, and that's why they're "anonymizing" the data in the first place.

The grandparent poster is pointing out that Apple's anonymization really stinks, and that with some very minimal data mining you should be able to easily de-anonymize it and link those phone movements with the phone's owner. As you point out, Apple already has your billing address (which is likely to be your home or work), so this de-anonymization should be especially trivial. Therefore one can't really credit Apple with anything significant when they say they anonymize your data.

In my mind the fear is /not/ that Apple will track me and sell ads (hey, non-stupid advertising would be an improvement). It's that this data will never ever go away, and will eventually find its way into the hands of third parties who aren't so interested in my well being. For example, it might wind up someday being sold to third party "marketing" agencies, and then eventually to firms that do credit reporting, private investigation, background checks, etc. Mobile phone companies already seem perfectly content to sell my call logs this way, so this isn't without precedent. Or else it will be written to a hard drive that might someday be carelessly thrown away without being properly wiped (after all, the data is "anonymized", so why worry?). While my movements are generally pretty uninteresting, I don't love the idea that by carrying an iPhone I'll be constantly leaving a trail of potentially long-lived breadcrumbs that may never, ever go away.

And no, this isn't limited to Apple. Once it becomes accepted practice, you can be more or less certain that any device with an Internet connection and GPS (which will be a lot of devices in the future!) will be doing the same thing.

Re:Breathe deeply

[Concern]

Orwell's fictional government never had any tools as powerful for monitoring their citizens movement as what Apple now has. I know reading 1984 is less fashionable than referencing it, so your confusion there is forgivable I guess.

Apple opts everyone into this location sharing system. They don't make a choice, unless you can choose to not "participate in iAds." Most don't even know it's there. Poll any 100 iPhone users and see how many of them can even explain to you what this system is and how this system really works. But they "agreed" to it in a EULA somewhere, sometime - a trick so bad that it's of questionable legal enforceability even in the USA.

It doesn't hurt that Apple is using deceptive practices like "fake anonymizing" that doesn't actually protect anyone's identity, but fools some people into making them think they are.

You're clearly confused, for instance. Your initial post conflated Apple knowing your address to Apple knowing every step you take throughout your day. I notice you're not apologizing for that mistake yet - but we will all accept your retraction and apology any time.

Just curious - are you actually just that bad at understanding these things, or are you one of the PR contractors Apple hires to confuse people on purpose? Cause you could be getting paid for this, if you're not already.

Re:Intelligence test

[Bing Tsher E]

It's so typical to see people like you with your 'Apple vs. the World' and 'Apple vs. whichever close competitor' mindset.

The resurgence of Apple fucktards is just staggering. Let me be the first to inform you that your type has been around since about 1984 when Mr. Jobs announced the 'Hacker Proof' Macintosh in jubilant tones at a press conference.

A sociologist could probably do a study and determine that 'contrary elite' behavior is a common human tendency. We all remember the arrogant fuck on the block who had the Schwinn bike while we all had our Huffy and Sears bikes. It isn't anything new.

The sad thing is how badly it's polluted the Slashdot community in the last several years.