As a tech journalist, I don't get too many news alerts that actually cause me to smile, let alone laugh out loud. But I admit to doing both in turn late last week when I read the first reports about Apple's 3G-based iOS devices—the iPhone and iPad 3G—tracking the devices' whereabouts and then storing that information on the devices, in unencrypted form no less.
So this story has all the makings of a blockbuster: Apple? Check. Privacy violations? Check. Righteous indignation? Naturally.
I knew this was a big story on Sunday morning when I headed over to the local farmers market and the bread seller noticed me looking at my Windows Phone and asked if it was an iPhone. When I said no, he said, "Good thing. They're following you wherever you go. What's next? Why don't they just put a chip in our heads?"
Thinking over the pros and cons of that little operation, I grabbed the stuff I needed (via the list my wife had made; the real reason I was looking at the phone) and headed home. But I wondered. If the iPhone—and, as it turned out, Android Phones—really were tracking user movements, was that really such a bad thing? And was this issue just seriously overblown?
As I write this, the issue isn't completely settled. But here's what we know so far.
It all started when two researchers, one a former Apple employee, determined that Apple's iOS-based devices started tracking device movement, and storing that information on-device beginning with the release of iOS 4 last summer. The devices record up to 100 location data points per day and the file that contains this data is unencrypted and copied to the syncing PC each time the device is connected to the PC.
So that sounds bad, and of course the graphical maps detailing what such a data collection can look like were pretty damning too. But the immediate question I had was, so what? I mean, is this actually dangerous?
Privacy advocates, of course, will argue that it is. It always is. And yes, it's theoretically possible that some forward-leaning law enforcement agency could use the information on a confiscated phone to figure out whether your movements match whatever story you've told them. To which I'd ask: Why are you in this position exactly?
According to noted Mac and iPhone vulnerability researcher Charlie Miller, who was quoted in Computerworld, the tracking file isn't really that serious. "The file is in the root's directory, so apps, including Safari, won't have access," he said. In order to hack into an iOS device to get at the file, the hacker would need to hack both iOS and iOS's version of Safari to get at this file. It seems more likely that physical security—i.e., someone just taking an unlocked phone—is a bigger risk than that. And let's face it, now that this issue has been popularized, Apple is going to change this. Of course they are.
While we wait for Apple to announce what it's going to do, we can bask in the warm glow of all the related news. Minnesota Senator Al Franken said over the weekend that he expects Apple, and its CEO Steve Jobs, to answer the privacy concerns raised by this issue. Two customers have already sued Apple for privacy invasion. And now South Korea is starting its own probe. Unleash the hounds!
The thing is, based on what I'm seeing here, it's pretty clear Apple isn't up to anything nefarious. In fact, some early evidence suggests that the existence of the file is perhaps even a mistake, something that is created but inadvertently not cleaned up over time.
The same isn't true for Google. As is natural, once iOS was established to be tracking device movements, researchers turned their attention to other devices types. And guess what? Android does it too. There's just one big difference. Unlike Apple, Google simply owned up to it. And as is typical for this company—which, despite its baloney "do no evil" mantra is all about pushing limits as far as they'll go—Google couldn't care less what anyone thinks about it.
"We provide users with notice and control over the collection, sharing and use of location in order to provide a better mobile experience on Android devices," a Google spokesperson said this week. "Any location data that is sent back to Google location servers is anonymized and is not tied or traceable to a specific user."
Google claims the location stuff is opt-in, which it sort of is, but anyone who uses any modern smartphone knows that setting up such a device is a process that involves multiple screens where various apps and services describe how they want to use your location. Few users, I suspect, give it much thought. More problematic on Android is that the location data usage is on by default. So it's more of an opt-out, really.
So what about Windows Phone? Microsoft told PC Magazine that Windows Phone 7 does not store location history, though the company has yet to issue a clearer public statement on its blog for some reason. Maybe they'll get around to that next week, but Windows Phone has to be doing some form of location collection. After all, it has a free Find My Phone feature too.
Regardless of your take on this issue, at least be mollified by the fact that all this publicity will no doubt make these companies do the right thing. (Which in Google's case probably just means making the opt-in stuff "more opt-in," if you will.) And allow me the occasional chuckle as I watch the mainstream press get all agitated over this. I don't get that enough.
