nCircle Sync Blog: Privacy Archives

April 6, 2011

Mobile Apps Return Us To 1984 Privacy Debate

In the last few days of having unfettered access to a new iPad 2, I have learned something very important. Privacy is gone. Privacy is gone because the user has chosen to let it go and Apple makes it very compelling to give it up.

My experience with the iPad started like this:

* Please register the device giving Apple all your home info.
* Now please give Apple access to the GPS data just in case you happen to lose your iPad.

Since you've purchased the device, Apple already has some really good information about you: Name, Address, Phone Number, email, credit card and GPS location of where you are.

What's next on tap? Now install some cool apps. What, wait! Your app wants my location data and wants to push me content? What exactly does that mean? I'm not clear on how you are gathering this data or how you are using it. Just what the heck are push notifications anyway?

You see, I'm just an end user wanting to use my new cool gadget. Of course I'm just going to hit the darn button. I want the app to work, I want my iPad to work. I need instant satisfaction.

Think about it. Apple and all these applications have your location data. And think further, if an application wants to push you information, they need to know something about you. That something is probably at least your name, email and Apple ID. But do you know what else they know? Neither do I and honestly finding out isn't easy.

Most consumers wouldn't even think twice about these simple pop-up questions they receive. Oh, sure, go ahead and use my location data and send me push notifications. Most consumers have no clue what any of that means.

In light of the recent WSJ article regarding mobile app developers possibly facing criminal investigation for privacy violations, Veracode performed their own analysis of Pandora, a very popular mobile app.

What they found probably won't surprise you, but should concern you. Information like your ID, gender and location were confirmed to have been shared with the application vendor and probably their many advertising partners.

With more than 15 million iPads sold and another 50 million iPhones, that's a big chunk of the consumer market sharing data with Apple. That's a big chunk of users who have already given Apple rights to you and what you do.

If this is the face of now and the future, then our privacy is doomed. Apple, I thought you were all about breaking the 1984 barrier, but instead you seem to have brought it back alive and well.

In all fairness, Apple isn't entirely to blame; they are, after all, not the only mobile device platform available. However, Apple certainly is the leader and should be the one taking charge to lead us from these privacy violations that are now the new norm.

April 22, 2011

Screw Epsilon, Fear the Angry Bird

No doubt you read about the huge email security breach Epsilon announced
earlier this month. You may have received letters from companies that use
Epsilon services about the possible loss of your email information.

A lot of people are justifiably concerned that spear phishing and other
nefarious attacks will be launched against millions of people as a result of
that breach.

As bad as that Epsilon breach was, I think most people have far more serious
privacy concerns on their smartphones. In fact, many consumers are actually
paying to have their privacy assaulted.

The Wall Street Journal recently tested 101 popular mobile applications on
iPhone and Droid devices to understand what kind of data each app collects
and shares. The study found a huge number of applications that gather and
share information that looks unrelated to application functionality.

I like Angry Birds. It's simple and addicting. I had no idea that it was
accessing my iPad's Address Book and, according to the WSJ, sharing my
contacts with third parties.

According to Rovio, Angry Birds is the top selling iPhone application in 67
countries. In August 2010, VentureBeat reported that Rovio sold 6.5 million
copies of Angry Birds. Assuming the phenomenal growth trajectories of iOS
devices and Angry Birds sales, Rovio has built a huge cache of contact data
that's growing exponentially.

What does this mean to you? Well, for one thing Rovio is gathering your
location data and all the information in your address book and saving it.
They might be selling or trading it with third parties. Sorting through all
the other things that can be done with this information without your
permission is mind boggling.

Imagine getting an email from your friend Matt:
---

Hey Paul-

I'm sending you this email from my iPad while I'm here at Starbucks on
Washington St. They have a great new promotion that lets me send a friend a
free cup of coffee while I'm here using their free Wi-Fi. All you have to
do is click on the link below to print out a personalized coupon.

<<"nefarious spear phishing URL here">>

---

Wouldn't that email be convincing? Free coffee from your friend just
because he was using the free WiFi at Starbucks down the street sounds
great, right?

Of course you don't know that as soon as you click on the link you are taken
to a malicious website that tries to use every malware trick in the book.

There's more bad news. Angry Birds isn't the only application that reaches
into all corners of your private information without letting you know.

For your own safety, take a few minutes and read the WSJ study.
This is particularly important if you are using an iOS device in an
enterprise environment where the contacts on your phone could be considered
confidential company property.

Smart consumers are only part of the solution to this problem. Apple needs
to step up their consumer privacy policies as well.

Apple wants to have it both ways. On one hand, Apple claims that the iTunes
closed system and review process, along with the ability to remove apps from
phones remotely, keeps consumers safe. On the other hand, they aren't taking
responsibility for what happens to consumer data after they download an app.

At the minimum, Apple needs to require app publishers to tell consumers in
plain language what kind of data every application accesses and what happens
to that data. This information should be available to consumers before they
purchase an application.

If Apple continues to let app publishers do whatever they want with consumer data, they could find themselves on the receiving end of some very difficult questions about privacy.


December 19, 2011

Carrier IQ Brouhaha

Lately there's been a lot of hand-wringing in the press about Carrier IQ, a software monitoring tool for wireless carriers. Carrier IQ is reportedly facing a federal probe over allegations that its monitoring software collected smartphone data and transmitted it to carriers without consumers' knowledge.


Carrier IQ has been playing defense. They released a detailed report that shows exactly which types of data its software collects, and pointed out that all data points are selected by carriers, and that any collected data is shared only with the relevant carrier.
In spite of this, Apple and Sprint just announced that they have disabled Carrier IQ software on their handsets.

The bad news in this situation is that we still don't know for sure what kind of data Carrier IQ is capable of collecting or what carriers are doing with it. And just because some carriers have recently disabled it doesn't mean they won't turn it back on at some point in the future. Carrier IQ may not be the only option available for carriers that want to monitor handsets either; they may just be this week's privacy scapegoat.

The good news, if you can call it that, is that if IQ can gather detailed, private data from users, then we're all in the same boat because, until very recently, it's been on nearly every device.

If you have a handset that is likely to include Carrier IQ software, remember that panic at this point is pointless and probably premature.

Everyone in the Carrier IQ value chain is going to have to answer some very detailed questions from the FTC and/or the FCC in the near future and until then all consumers can do is wait.

Meanwhile, though, Carrier IQ's website claims to have their software installed on over 141 million handsets (and still counting).