locationdata
Latest
Verizon begins collecting user data for targeted ads, is kind enough to offer 'opt-out' escape route
Verizon still wants to collect your personal information, but it'll understand if you decide to opt out. Really, it's cool. No hard feelings. The provider said as much yesterday, in an e-mail titled "Important notice about how Verizon Wireless uses information." The missive, sent to all VZW customers, essentially lays out the company's revamped privacy policy, originally unveiled last month. Under the new framework, Verizon will be able to monitor your browsing history, location, app usage, and demographic data, all in the name of targeted advertising and vaguely-titled "business and marketing reports." The good news is that you can always opt out of the scheme, either by phone or online. The bad news is that you'll probably have to explain the whole thing to your grandma.
Sprint issues OTA fix for HTC Android handset vulnerability
Earlier this month, we found out that after a software update HTC's Android handsets had a serious security flaw -- any app could gain access to user data, including recent GPS locations, SMS data, phone numbers, and system logs. To its credit, HTC responded quickly to the security issue, and now an OTA update with the fix is going out to those on the Now Network. Sprint users with an EVO 4G, 3D, Shift 4G, Design 4G or View 4G can get the download, as can Wildfire S owners. The patch available now for a manual download, and more info on the fix can be found at the source below. [Thanks, Korey]
HTC confirms security hole, says patch is incoming
HTC held true to its promise to look into the security vulnerability that surfaced over the weekend, an apparent glitch that allows any app requesting internet access to take a peek at a user account information, GPS location, system logs, and other potentially private data. While HTC assured us that user data isn't at risk of being harmed by its own software, a third party malware app could exploit the security flaw and cause some trouble. The outfit is already building a patch, and will ship it out in an over the air update after a short testing period with its carrier partners. Until then? HTC recommends steering clear of apps from publishers you don't trust. Hit the break to see the official statement.
Mango kills Microsoft's always-on location tracking, makes good on letter to House of Representatives
Remember all that iPhone tracking hubbub back in April? Sure you do -- you probably also recall Apple's denial, the subsequent Senate hearing, and the rest of the fiasco's dramatic fallout. Amid the ballyhoo, Microsoft stepped out to admit that its Windows Phone also collected location data, but quickly promised to knock it off following the next scheduled update. According to ChevronWP7 collaborator Rafael Rivera, Windows Phone 7.5 cinches it: Mango "no longer sends location data prior to being granted permission to do so." Redmond previously told the US House of Representatives that it only collected location data if a user expressly allowed an application to send it along -- a claim which Rivera debunked last week, noting that simply launching the camera application captured and transmitted "pin-point accurate positioning information." The big M maintains that the collected location data was anonymous, and that it shouldn't have been sent at all unless the user allowed it. Either way, Microsoft's chapter in the big location tracking blunder of 2011 seems to be at a close, squaring the firm with Congress, its developers, and hopefully its customers.
HTC security vulnerability said to leak phone numbers, GPS data, and more, HTC responds (video)
The folks at Android Police seem to have stumbled across a rather jarring security vulnerability in HTC handsets running Android, giving common apps with internet access a peek at the device's vital statistics, user information and more. Demonstrated in the above video, developer Trevor Eckheart found that a recent HTC update packed in a suite of logging tools that collects data on user accounts (including email addresses), recent GPS locations, SMS data and encoded text, phone numbers, system logs, running processes and more -- all of which can be accessed by common apps requesting access to android.permission.INTERNET. HTC is already looking into the issue, stating, "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken." If you're too antsy to wait for HTC's update, head on over to the source link below -- Eckheart says the issue can be resolved by removing HTCloggers from a rooted device.
New York judge denies government warrant for Verizon location data
Beating the man at his own game on Monday, a federal judge from the Eastern District of New York denied the US government's application asking Verizon Wireless to hand over 113 days of customer location data. Washington has long debated whether or not the Constitution protects modern day communications that include a third party (like cell phone conversations supported by a carrier company), and non-conversational meta data (like cellular GPS location data). Some say that buying a cell phone and using a carrier's services waives one's privacy rights in that data, while others claim we have a reasonable expectation of privacy in such info under the Fourth Amendment. In making his decision, Judge Nicholas Garaufis held that "the fiction that the vast majority of the American population consents to warrantless government access to the records of a significant share of their movements by 'choosing' to carry a cell phone must be rejected." As communications tech continues to change, these questions will likely be revisited. That's why Judge Garaufis went on to say that "in light of drastic developments in technology, the Fourth Amendment doctrine must evolve to preserve cell-phone user's reasonable expectation of privacy in cumulative cell-site-location records." Get the full opinion by clicking the source below.
Don't tell us where you're going, Nissan Leaf driver, we already know (video)
That cute little bugger above certainly looks innocent enough, but it might have been spreading some pretty detailed gossip behind your back. Leaf-driver Casey Halverson was playing around with the RSS reader in his Carwings system when he discovered that it wasn't just collecting feeds from RSS servers, it was also telling those servers his car's current location, speed, heading and even the destination he'd set in the sat nav. Strangely, Halverson's undercover tattletale appears to have halted its indiscretions after he posted the discovery on his blog, but we're surmising there's still hundreds of server logs up and down the country that prove it really happened, not to mention his video after the break. Cue Rockwell, fade to black.
iPhone location data to be closely regulated in Europe
The fuss over the storage of location data by iOS has crossed international waters. The EU data protection advisory panel, a watchdog group that advises the European Commission, has said that location data is personal data. This ruling may lead to further restrictions limiting how this data may be used by Apple, advertisers and third-party applications. The panel further recommended that companies need to get permission from smartphone owners before collecting location data and should be clear about how this data is being used. The group also suggests location services should be switched off by default. These proposals may become the early framework for a new law regulating location data in the EU. Eventually, these and other similar proposals could be included in Europe's broader revised Data Protection Directive later this year.
Apple sued again over location data
Apple is facing another lawsuit over its handling of location data, according to a report from The Loop. The latest complaint was filed by Lymaris M. Rivera Diaz in the United States District Court for the District of Puerto Rico. Rivera is asking for monetary damages stemming from Apple's alleged practice of capturing both the device ID and location of a handset and sending it to third-party advertisers. Besides Apple, Diaz also cites The Weather Channel and Pandora in the suit. The suit also names 10 'John Doe' defendants. This tactic is used in lawsuits when the plaintiff believes there are more targets to sue, but can't name them specifically until after the suit is filed or after the discovery process. This means there could easily be additional companies targeted by the same suit later on. Apple is also facing an earlier lawsuit and a congressional investigation into its usage of location data stored on the iPhone. Apple confirmed in an FAQ and testified before Congress that location data is necessary for services such as local search and is not being used to track individuals.
The difference between Apple and Google at the Senate hearings
Earlier today, the US Senate judiciary subcommittee held a hearing on privacy, technology and the law. You can view a video of the opening statement by Senator Al Franken from today's hearings here. The purpose of this hearing was to aid lawmakers in understanding if current privacy laws around tech (which are quite old) are still valid or need updating. But what did Bud Tribble, an MD, PhD engineer and Apple's Vice President of Software Technology have to say versus Google's representative, Alan Davidson, who happens to be a lobbyist? Let's look at Apple's statements and answers to key questions, then cross-check with Google's answers. Apple First, the big question is whether or not Apple is "tracking you." In opening statements, Tribble pointed out (also in his written testimony) that Apple is "deeply committed" to protecting consumers' privacy, and Apple does not share personally identifying information with third-party vendors without explicit consumer agreement. As stated in a release on April 27, 2011, the company does not track you and never has had any plans to track your whereabouts. Instead, the location database is designed to provide a crowdsourced database of local Wi-Fi hotspots and cellular towers in order to provide a quicker method for locating an iPhone on a map faster than GPS would alone. This information is not used by Apple itself, but can be accessed by applications that happen to use Location Services. These services can be turned off, and last week, Apple fixed a bug which stored these on the computer you use to sync in an unencrypted way and which contained all locations. Tribble also mentioned that in the "next major version of iOS this data will be encrypted."
Verizon says it will put location warning labels on all phones sold
See that rather ominous warning label above? That's a new sticker that will soon be placed directly on the screen of every new device Verizon Wireless sells. Contrary to what you might suspect, however, that's not being done in response to the most recent iPhone 4 tracking fiasco. The label was revealed in a letter to Representatives Ed Markey and Joe Barton, who themselves sent a letter to Verizon (and the three other major carriers) on March 29th inquiring about a New York Times story that raised concerns about how carriers collect and store personal location data. As for the other carriers' responses, they apparently aren't going as far as Verizon has with its warning label, but they do mostly echo Verizon's response in other respects. They all say, for instance, that personal data is secured by a variety of means and stored only as long as needed (which can apparently vary by carrier, though), that they don't rent or sell personal information, and that they request customer consent before accessing location data. Despite those assurances, however, Rep. Markey says he's still left with a "feeling of uneasiness and uncertainty," and he's pointing a finger at third-party developers in particular, who he says must be held "accountable."
Untrackerd wipes stored location data on your jailbroken iPhone
The iPhone and iPad seem to be storing location data about your travels using cell tower information. Whether you believe that Apple is secretly spying on you or just storing the locations of cell towers for some purpose, such as speedier connections to said towers, if you don't like it, you now have an option. Ryan Petrich, a renowned jailbreak app developer, has released a free little utility called "untrackerd" that runs in the background and continuously cleans stored location history data. You will, of course, have to have a jailbroken iPhone or iPad to install the app from Cydia, but if you're not happy about the possibility of your iPhone or iPad's location history being accessible, then head to Cydia now and install the 37 KB app from the BigBoss repository for peace of mind. [via 9to5Mac]
Hacker claims third-party iPhone apps can freely transmit UDID, pose serious threat to privacy
When Apple addressed a congressional inquiry on privacy in July, the company claimed that it couldn't actually track a particular iPhone in real time, as its transactions were anonymous and thoroughly randomized. Bucknell University network admin Eric Smith, however, theorizes that third-party application developers and advertisers may not have the same qualms, and could be linking your device to your name (and even your location) whenever they transmit data. Smith, a two-time DefCon wardriving champ, studied 57 top applications in the iTunes App Store to see what they sent out, and discovered that some fired off the iPhone's UDID and personal details in plaintext (where they can ostensibly be intercepted), including those for Amazon, Chase Bank, Target and Sam's Club, though a few were secured with SSL. Though UDIDs are routinely used by apps to store personal data and combat piracy, what Smith fears is that a database could be set up linking these UDIDs to GPS coordinates or GeoIP, giving nefarious individuals or organizations knowledge of where you are. It's a scary idea, but before you direct hate Apple's way, it's important to note that Cupertino's not necessarily the one to blame. iOS is arguably the best at requiring users to opt-in to apps that perform GPS tracking; transmitting the UDID and account information together publicly is strictly against the rules; and we'd like to think that if users provide their personal information to an application developer in the first place, they'd understand what they're doing. Of course, not all users monitor those things closely, and plaintext transmission of personal details is obviously a big no-no. Smith's piece opens and closes on the idea that Apple's UDID is like the unique identifier of Intel's Pentium III processor, which generated privacy concerns around the turn of the century, and we wonder if ths story might play out the same way -- following government inquiries, Intel offered a software utility that let individuals manually disable their chip's unique ID, and removed it from future CPUs.
Study: select Android apps sharing data without user notification
Come one, come all -- let's gather and act shocked, shall we? It's no secret that Google's Android Market is far easier to penetrate than Apple's App Store, which is most definitely a double-edged sword. On one hand, you aren't stuck waiting a lifetime for Apple to approve a perfectly sound app; on the other, you may end up accidentally downloading some Nazi themes that scar you for life. A curious team of scientists from Intel Labs, Penn State and Duke University recently utilized a so-called TaintDroid extension in order to log and monitor the actions of 30 Android apps -- 30 that were picked from the 358 most popular. Their findings? That half of their sample (15, if you're rusty in the math department) shared location information and / or other unique identifiers (IMEI numbers, phone numbers, SIM numbers, etc.) with advertisers. Making matters worse, those 15 didn't actually inform end-users that data was being shared, and some of 'em beamed out information while applications were dormant. Unfortunately for us all, the researchers didn't bother to rat out the 15 evil apps mentioned here, so good luck resting easy knowing that your library of popular apps could be spying on you right now. Update: A Google spokesperson pinged up with an official response to the study, and you can peek it after the break. Update 2: Looks as if the full study (PDF) has been outed, with the 30 total apps named. Here they are: The Weather Channel, Cestos, Solitaire, Movies, Babble, Manga Browser, Bump, Wertago, Antivirus, ABC - Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisdom Quotes Lite, Yellow Pages, Dastelefonbuch, Astrid, BBC News Live Stream, Ringtones, Layer, Knocking, Barcode Scanner, Coupons, Trapster, Spongebob Slide, ProBasketBall, MySpace, ixMAT, and Evernote. Thanks, Jordan! Update 3: Flixter, the company that makes Movies, has chimed in with this: "At Flixster, we do not and never have sold any personal or identifiable confidential information with anyone. We do use non-identifiable location information (e.g. metro-area) to show more relevant ads, as does almost every mobile app that relies on advertising. Users have to opt-in to sharing their location when they install the app, and how we use information is explained in detail (for those that care) in our privacy policy." Update 4: And here comes The Weather Channel's comment: "Regarding our Android app – Our customers and their privacy are very important to us. In our Android application, TWC does not share any of your personally identifiable information with advertisers or third parties. TWC does track location – which users consent to at install – for the purpose of providing you the most relevant and accurate weather conditions based on your location." Update 5: And there's more, this time from Barcode Scanner: "Barcode Scanner has never collected or sent personal information. There is no "third party" server to receive such info any way. Barcode Scanner has never requested location information, or phone or user ID ("phone state" permission in the TaintDroid paper). It didn't help that the paper originally reported that the app had these permissions -- it has been fixed since. The app can't send information it can't collect in the first place. The application has always been open source; anyone can inspect exactly what it does (http://code.google.com/p/zxing). We have a complete statement on app permissions (http://code.google.com/p/zxing/wiki/FrequentlyAskedQuestions). Finally, the authors of the paper have in fact confirmed Barcode Scanner was not one of the "guilty" apps: http://appanalysis.org/letter_oct-01-10.html" Update 6: The hits just keep on coming. Today, the developers of Astrid have both addressed privacy concerns and added a detailed EULA to the newest build. They've also added the ability for users to opt-out of analytics through the settings menu
Apple responds to congressional inquiry, details location data collection in 13-page letter
When Apple's latest privacy policy revealed the company could track any iPhone's location in real time, it threw some for a loop... including a pair of gentlemen from the US House of Representatives, who asked what Cupertino was up to. In a thirteen page letter dated July 12, Apple's legal counsel explains the whole matter away, while giving us a fascinating look into how the company collects -- and justifies collecting -- all that GPS data. Legally the defense is simple, as Apple claims users grant express permission via pop-up messages for every single location-based service and app, and if you don't care to be tracked, you can simply shut down location services globally or (in iOS 4) on a per-app basis in the phone's settings panel. Where it gets more interesting is when Apple explains what it actually collects, and who they share it with -- namely, Google and Skyhook, who provided location services to earlier versions of the operating system. In iOS 3.2 and beyond, only Apple has the keys to the database, and what's inside are locations of cell towers, WiFi access points, and anonymous GPS coordinates. None of these are personally identifying, as the company doesn't collect SSIDs or any data, and in the case of device coordinates they're reportedly collected and sent in encrypted batches only once every 12 hours, using a random ID generated by the phone every 24 hours that apparently can't be linked back to the device. In the case of iAd, Apple says coordinates don't even make it to a database, as they're immediately converted (by remote server) to a advertising-friendly five-digit zip code. Concerning location data collection for services other than iAd, there's still the little question of why, but we'll just leave you with Apple legal's quote on that subject after the break, and let you hit up the full document yourself at Scribd if you want the deep dive.
