Apple Privacy Concerns Go To Court 73
An anonymous reader writes "From the article: 'Apple is being sued for allegedly letting mobile apps on the iPhone and iPad send personal information to ad networks without the consent of users.' Some of the apps listed are on the Android Market as well, but there is no mention of a similar problem for Google. One wonders if Apple could be persuaded to strip access to the unique phone identifiers from apps."
A followup article with an industry lawyer suggests that this lawsuit could be the first of many as users push back against privacy intrusions by app developers and ad networks.
Re: (Score:1)
Finally (Score:4, Interesting)
It's about time someone got tired of it.
Re: (Score:2)
android asks the user for permissions (Score:5, Insightful)
Re: (Score:1)
Re: (Score:2, Insightful)
> Some people will say yes to anything that pops up.
At some point, you can't stop people from being stupid. All you can do is provide a reasonable chance to avoid problems. If they INSIST on getting themselves in trouble by bypassing basic precautions, it's impossible to stop.
App: "Using this app means you'll be kicked in the nuts."
User: "Ok! That's fine."
App: "Whack!"
User: "OWWW! Bloody hell that hurt! Stop that!"
App: "Dude, 3 seconds ago you said it was OK!"
Seriously: that's plant-level intelli
Re:android asks the user for permissions (Score:5, Insightful)
then why do so many android apps require internet access, and other information, even though they are just a simple game?, note pad, etc.
people are use to clicking on yes to continue because that's what they have to do to get it to work. 90% of the population also clicks through EULA's without reading the first sentence. I know I do. I can't be bothered to read it, it would take far longer to read and understand than the contents of the program are worth.
Re:android asks the user for permissions (Score:5, Insightful)
If you agree to something without reading it then it's your own damn fault if you don't like the outcome.
Re: (Score:2)
Re: (Score:2)
A google could not find it, but there was a story on /. waaay back that told of a financial reward hidden in the eula of a piece of software. Only about ten people read that part of the eula to claim their money.
It was an exercise to see if people actually read the eula.
Re: (Score:2)
I'm not sure if it was the same as what you recalled, but let me highlight the key points I found:
After four months and more than 3,000 downloads, one person finally wrote in. That person, by the way, got a check for $1,000 proving, at least for one person, that it really does pay to read EULAs
(Googled "eula cash reward" without the quotes for a link [scottandscottllp.com] and a more in-depth article about eulas [pcpitstop.com] from that eula reward's maker, PCpitstop.)
Re: (Score:2)
Yep I actually think you found it. I wonder where the /. article went? Maybe it got lost when the database got nuked?
I was around back then, had a low number nick, and then got another one in the 300000 but lost the email address and the password to that one :(
*sigh*
Re: (Score:2)
Wow, thanks! I just looked for "slashdot EULA cash" and found the /. story [slashdot.org]. I google and never bother with /.'s own search system, because it doesn't work.
It's the worst thing when you're stuck with a locked out or defunct job/company e-mail and unable to destroy or update settings. I now register or replace unreachable e-mails under my oldest Yahoo account instead of, job X's domain.
Oh, I too had a 6-digit ID back in '05 that I barely use. It's sobering to see how throughout this decade the 2,3,4,5 and fir
Re: (Score:2)
Have stopped posting OR re-registered, like me and lots of other /. people. Personal friends mention apathy to posting while logged in or registering. Being unable to resurrect old accounts so we can go by those old but well-known handles is another things that would come in handy to some.
Re: (Score:2)
Yeah. I wonder what percentage of the (soon to be) 2million users will be duplicate accounts for whatever reason.
I know of one guy who was able to get his details from the /. guys. Maybe I should try that...
Fun chatting with you, have a great 2011.
(Also thanks for getting the article, good reading.)
Re: (Score:2)
Thanks!
You too.
Re: (Score:2)
Me too, but it is vexing that AFAIK without owning an iPhone or Android, they do not provide a preferences screen that makes these warnings silently fail / succeed. Yahoo Widgets and Google Chrome lack that feature and I'm bothered every time I'm installing Chrome adblock, for example that "it needs to collect net data" and so on.
It's all or nothing: click "no" and there's no way to use the app with your "choices" forced down the app's throat. When did it come to that? What's next, my firewall rules uninsta
Re:android asks the user for permissions (Score:5, Interesting)
> then why do so many android apps require internet access, and other information, even though they are just a simple game?, note pad, etc.
Precisely. But it goes a little deeper than that to me. I have an LG Ally (with Verizon), which is a lower-priced Android phone. I don't know if this can be applied across the board, but my experience so far has been a little troubling.
Just to use the Market app, "background data" (i.e., constant access) has to be enabled. Why? Why can't that app simply "dial in," fetch the info, let me make the purchase, and disconnect? I keep Background Data disabled on principle, and yet: the You Tube app continually updates. I don't need Skype on my phone, but it's always re-enabling itself, and constantly "pings" the Intertubez.
Most troubling of all to me is the Backup Assistant. (Do a Google on "disable backup assistant" and you'll see I'm not the only one who hates that thing.) Some of us don't *like* the concept of "cloud" computing. I realize that Google loves it, and in retrospect, I should have thought of that before trading my Blackberry for an Android-based phone. But I don't want my personal data stored on a computer somewhere in Alta Vista or Atlanta. That's MY personal data, and I don't want anyone else to have access to it.
Which raises the question: WHY is Verizon/Android so anal about that Backup Assistant, and having constant Internet access, even when I've specifically disabled it? Call me suspicious, but it DOES make me wonder if they are farming marketable data from that stuff. (The only way to get rid of Backup Assistant, Skype and the You Tube apps, from what I've seen in the Android forums, is to "root" my phone, which will void the warranty.)
Re:android asks the user for permissions (Score:5, Insightful)
Um, you do know Blackberry's work, right?
Unless the company you work for coughed up a lung to run a RIM server internally, all your personal data gets routed through RIM's "cloud" in Canada [which the US gov't likes, because they don't need any pesky warrants to access the data because Canadian's are so accommodating].
Re: (Score:2)
> you do know Blackberry's work, right? ... "cloud" in Canada ...
No, I DIDN'T know that. Sigh. I shouldn't have been so naive, though.
All I want is a handy-dandy little PDA/phone with some apps that I use in my work. I text, I like to browse the Web and do a few other things. I'm not the least interested in video or even in music (no time to listen to it). Why do the companies make this so hard? :)
Re:android asks the user for permissions (Score:4, Insightful)
You should have noticed that the web browser doesn't work without background data either.
You need a constant connection to browse the web, any idiot should know that. The market is just a fancy front-end for a website (you can actually access it on a PC, but you can only download from a phone).
As for Backup Assistant and Skype, that blows. You should go see your Verizon rep. You know you're paying $2 a month for BA right?
Re: (Score:1)
> You should have noticed that the web browser doesn't work without background data either.
Mine does. Works fine.
Re: (Score:2)
(The only way to get rid of Backup Assistant, Skype and the You Tube apps, from what I've seen in the Android forums, is to "root" my phone, which will void the warranty.)
I've been thinking about a business plan for a startup to sell VPN services to smartphone users. The added value is that the VPN would incorporate a transparent proxy with "deep" packet filtering in order to block or otherwise anonymize all the unnecessary privacy-invasive crap that various popular applications do. That would provide much of, if not more than, the typical privacy benefits of just rooting a phone without the effort of doing so, plus no worries about app-store policies interfering with allo
Re: (Score:1)
Rooting android phones is pretty much a pre-requisite to get all the good stuff, sadly.
Re:android asks the user for permissions (Score:4, Insightful)
Any app that is ad supported requires internet access. Most of the free apps are ad supported. Most of them work just fine if you have mobile data turned off (I'm sure a few are assholes about it - I haven't come across any), but the app is still going to try to use the internet to download advertisements if the internet is accessible - ergo the "this app requires network services" type messages. Any app that auto-updates will require this as well, ads or no.
Some apps require access to the cell services in order to allow the app to handle incoming phone calls, for example. The app itself may have nothing to do with making phone calls, or intercepting phone calls, but the interruption from the phone call might cause the program to hang if handled incorrectly. So, it needs to access the cell API in order to handle the app correctly when you receive a call. Ergo "this app requires access to cell services".
The warning allows you to do a little research if it concerns you and find out if this app is ok or if it is doing some funny business.
Most people don't care.
Even a calculator may want to phone home ... (Score:4, Interesting)
... then why do so many android apps require internet access, and other information, even though they are just a simple game?, note pad, etc ...
Apps may report non-personal info that is used only by the app developer. For example is the device a phone or tablet, what version of the OS is being used, what 3D chip? Things that a developer may find useful in order to guide further development.
Even a calculator might want to "phone" non-personal info home. I have a calculator, Perpenso Calc for iPhone and iPad [perpenso.com]. It offers scientific, statistics, hex and bill/tip functionality. An update will soon add business/finance functionality. I have *thought about* adding code that records the number of operations performed in each of these area and reporting back to a server. This info would be transmitted in annotated plain text so that anyone watching packets can verify for themselves that no personally identifiable information is being sent and that the data is as advertised. On the sever side the data would be anonymously logged, no IP addresses or anything else. The purpose of all this would be to see which calculator functionality (scientific, hex or business) is more heavily used, and to guide further development using the feedback.
Again, I have *not* done this. Its just a thought. However I think this offers an example of a non-malevolent reason for virtually any app to establish a network connection. I am eager to hear community opinions, I encourage folks to post a response. Thanks in advance.
Re: (Score:2)
I think that would be fine, although you should add a huge disclaimer in the description. Many apps that people complain about using 'unneeded' permissions don't clarify WHY they need them.
I am inclined to mention this in the integrated manual and the downloadable pdf manual.
Re: (Score:2)
Suggestions:
That said, this is a slippery slope. You're better off actually trying to talk to your customers and find out what they would like to see. Of course, according to Apple, they aren't your customers, they're Apple's customers. That might make this a little more difficult.
Re: (Score:2)
I'm not sure, the statistics would be pretty meaningless if it were opt-in.
Overall though, I'm not convinced it's a good idea. If I were looking for a calculator on my phone / tablet, I would want to know that it has a heap of capacity which I am not using. You'd probably pick up
the day to day frustrations that using your app has by talking to people more effectively than gathering usage statistics.
For instance, imagine your app has lousy graphing capability (I don't know your app, so treat this as hypoth
Re: (Score:2)
android is favored by the righteous (Score:1)
that is why there is no issue with google.
UDIDs are here to stay (Score:5, Informative)
Apple won't do this any time soon. They are very demanding when it comes to backwards compatibility, and even if they kept the API but gave a dummy identifier, this would break many apps. The most I can see happening is that Apple may put a clause in their guidelines. But they did that already, and got criticised for it. It's possible that they could generate a different permanent dummy identifier on a per-app basis, but this would still break several uses for the UDID.
Referring to the UDID as "personal information" strikes me as being quite inaccurate. It uniquely identifies a device, not a person. You cannot use the UDID to get any actual personal information unless the user gives that information. The only way to get personal information without the user's consent when you only have a UDID is for developers to collude; if a user gives personal information to one app that records it along with their UDID, then the developer of that app shares that information with another developer who only has the UDID, obviously that will work. But the same arguments mostly apply to things like IP addresses as well, and those aren't usually considered to be personal information.
Re:UDIDs are here to stay (Score:5, Insightful)
There's no reason why iOS have to send the genuine UDIDs to the app developer. If the app requests a UDID for the device, iOS should generate a key that is unique for that device AND THAT DEVELOPER.
So a developer can see if a user has (for example) used the previous 'free' version of their paid app, but these keys would be meaningless to other developers.
It may still be possible for developers to find out the UDID through unauthorized means, but then the developer would clearly be breaking Apple rules and is at risk of being kicked out of the appstore.
Jolyon
Re: (Score:3)
Hate to say this, but your new iPhone is going to have a different UDID anyway. As long as your old phone is backed up and your new phone authorized to your itunes account, you shouldn't have any problems either way.
Re: (Score:2)
If the app requests a UDID for the device, iOS should generate a key that is unique for that device AND THAT DEVELOPER.
How in the hell would you implement that? +4 insightful.
Re: (Score:1)
Re: (Score:2)
Maybe a simple mathematical algorithm? Each developer gets the equivalent of a "developer key" that is then combined with the UDID and a special third key that only Apple knows.
Re: (Score:2)
aren't all the app-store apps cryptographically signed? hash the UDID and the app signature together, that should generate a new unique id specific to the (app,device) combination. alternatively, hash with the one of the developer's keys if you want a (developer,device) id.
Re: (Score:2)
Hardly sounds hard - the developer is encoded into the app. Do you really want me to post an algorithm? how about hash(UDID + developer name) as a first shot?
Re: (Score:2)
There's no reason why iOS have to send the genuine UDIDs to the app developer. If the app requests a UDID for the device, iOS should generate a key that is unique for that device AND THAT DEVELOPER.
That's mostly missing the point. If the application talks to a server and tells it that ID (which it shouldn't in the first place) then the server will recognise you under that id, from that application. They don't know which phone, or your name, but they know it is the same person and that is all that counts. What you say would only help if multiple apps on your phone talk to the same server.
But you are just giving the same info (Score:2)
There's no reason why iOS have to send the genuine UDIDs to the app developer. If the app requests a UDID for the device, iOS should generate a key that is unique for that device AND THAT DEVELOPER.
Why? What benefit does that give you? You would get EXACTLY THE SAME DATA you collect today, using the UDID. It would be exactly of the same use to track the user; i.e. virtually none.
Seriously, what can you do with a UDID you couldn't do with the MAC address from the phone. Should we ban those as well? How
Re: (Score:2)
You can't get the mac address of the phone over an HTTP request.
Re: (Score:1)
If you already have an app on the device, with the right permissions, it would be trivial to look up the mac address from the device and send it out over TCP. But then I'm not an iOS developer, so maybe I'm mistaken.
Re: (Score:1)
True. I was more worried about HTML5 apps/web pages. But yeah, true apps can do whatever they want. Heck, I think they cna just pull your contact list and photos and send it if they want.
Other Way (Score:2)
You can't get the mac address of the phone over an HTTP request.
Doesn't matter. You are advocating a way for a system to obsfucate the UDID of the phone, when the developer can write code to get the MAC address of the phone and send that if they like.
But even then it still doesn't matter, because the Developer-unique UDID you are proposing means that multiple applications from that same developer can all send the same UDID to servers the developer runs. Which is exactly the same as the current situation,
Re: (Score:1)
I'm not the one who proposed the system. I'm not advocating it. I just pointed out one small fact.
Ah, sorry... (Score:2)
I didn't look to see that you were not the OP, sorry... but it doesn't change the point that MAC over HTTP is irrelevant.
Re: (Score:1)
Re: (Score:1)
And pray tell, how many people will be using that device ? AFAIK for most of the devices that will be only a single person.
But you could say in the same sense that a persons name does not uniquely identify a person at all. After all, there could be several persons with the same name on this earth. And with a bit of effort you can even change it.
Even if there is only a sing
Re: (Score:2)
You need to explain what you mean by "identify". I'm reasonably sure that if I gave you a random UDID you could not figure out which person the phone belonged to. That's what I normally understand by "identify".
The UDID is of no use unless you have some other information to go with it e.g. an email address, a geolocation etc.
Re: (Score:2)
Double charge (Score:2)
Another article that makes me want to hug my n900 (Score:2, Interesting)
And that is despite nokia ignoring it nearly to the point of deliberately sabotaging it, at the same time dragging their feet and mucking up its successor phone/platform. Its not that I trust them either, I'm sure some of their management is salivating about building up an "app empire" of their own to milk data from.
I can install and run any PROGRAM* I want to do just about anything the hardware is capable of. There are some limits due to closed drivers and such, but the community is still managing to work
Re: (Score:1)
* "app" is a iMarketing crapware buzzword. Though it does match being a bastardized incomplete version of the word application, much like the half-arsed garbage that fills the "huge library of apps" often touted by the two main platforms. Its sad they expect people to pay for some of that absolute trash AND bend over to the spyware as well.
+1
Corrected link (Score:2)
Why the hell is Slashdot linking to some cnet blog instead of the actual article? Is it because "anonymous reader" is a cnet shill?
http://www.businessweek.com/news/2010-12-30/apple-sued-over-applications-giving-information-to-advertisers.html [businessweek.com]