Apple Google #locationgate: breaches EU Data Protection Directive

The story over the last week has been the royal wedding Apple and Google collecting location information including GPS and closest cell phone towers on their iOs and Android devices and transmitting these back to big brother. In the case of Apple the file containing this information was stored un-encrypted on the device, backed-up also in the clear to any machine the device was synchronised with and  contained far more historic location information that was required. At least Apple annonimized and sent this information every 12 hours (reducing real time tracking ability) and technically did ask for "permission" because everyone reads through those privacy and terms and conditions policies. Google asked for permission in a little bit less opaque way but transmits location information back in near real time. Microsoft has also joined the party admitting they collect location data but do not store it on the device. Symbian or WebOS anyone for a complete set?

I really don't understand why companies still feel it is a better long term move to do these types of activities covertly. The first principle in the EU Data Protection Directive is Notice. "Ensure the end user is clearly informed when data is being collected". I have so many arguments with the marketing people on projects about this exact point. To me it is really simple, if you are performing a legitimate activity and it provides benefit to the user there should be no problem for clearly and explicitly asking for permission not burying it in a 100 page document no one is every going to read.

On both iOS and Android devices collecting this information on the device provides significant performance benefits. Just try using location in just GPS only mode on Android. Welcome back its been about 10 minutes! I'm not sure if this the direct cause but there was a massive improvement in the accuracy and speed of GPS when the iPhone 4 and the corresponding iOS version was released. I'm sure most users would be to happy provide their location information to Apple for better location services if they were open about it and asked upfront. I mean look at how many millions use check-in services providing this information for free just to be major and how many geo tag photos, tweets etc.

Figure 1
The second principle in the Data Protection Directive is Choice. This is not either use location services or don't. It is a choice of whether this information is stored and transmitted Apple. To make matters worse Apple on the other hand continues to collect location information even when the Location services is turned off. Google as least allowed users the choice of option of participating in this collection as a option on the device (refer figure 1), however the language could again be a lot more clear that they will also be transmitting this information in near real time back to Google. In addition for Android versions older than 2.3 the location files do not seem to be deleted which is great with the fragmentation in the Android market. Also the option to not transmit data to Google is hidden away under Location and security - Use wireless networks option. The opt-out option comes up when you tick this option. Selecting disagree means you are back to GPS with its performance delays. There is no simple option to get the benefits without transmitting the data to Google.

The third principle is Onward Transfer. One would hope that Google or Apple would only turn over this information with a warrant  and never directly to advertisers. Hopefully it is also truly annonimized as they say be of no use as a historical location tracking of individuals; I am a bit suspicious of device ID's and unique random identifiers

Then there is the principle of  Security. Why is this information being stored in an un-encrypted format? Is there any good reason for this? Apple especially should know better - in the 13-page letter sent by Apple’s general counsel Bruce Sewell in July 2010, he states the information is transmitted over secure wireless. If they recognise the information is sensitive enough to require encryption in transit then why not storage?
If there is a reason like they need to access the database when the phone is locked, surely something like a one way hash of the information that needs to be read would be a lot better design.

Purpose is another principle to be considered. The data should only be collected, stored and used for the specified approved purpose. Apple's general council states in the same letter "these databases must be updated continuously to account for, among other things, the ever-changing physical landscape". This basically implies that there is little value holding a large amount of historical data and it should not be stored locally on a device nor by Apple. Steve Jobs in his usual verbose style stated "We don't track anyone". I think the point he is missing is that this data, especially the historical data, allows the possibility of tracking any iOS user. Clearly if that is not the purpose this data should not have been kept. A positive for Google is at least they do not store this large cache of historical location data.

Finally there is the principle of access. From the kings of design and user experience, how hard would it be to add a button to wipe the information on an iOS device, opt-in or out of it being collected and select how far back it goes?

The collection, storage and transmission of personal location information by Apple and Google violates some basic privacy principles set out in the EU Data Protection Directive being:
  • Notice and consent - users should have been clearly informed and their permission explicitly obtained, like they are informed an APP contains over 18 content. Google does this better than Apple but it could still be improved
  • Security - the data should have been encrypted or one way hashed on the device
  • Purpose - if historical information was not required it should not have been kept
  • Access - users should have a simple option to delete the information collected
I hope that Apple and Google take measures to address these in a patch to iOS and Android shortly.

27/04/2011 - Adding Microsoft to this also now. Apparently no data stored locally but it is collected and transmitted.

27/04/2011 - Apple provides official press release response. Firstly this is written in really clear language and very little marketing speak +1 for Apple. It is good they acknowledge that while the data is transmitted in an encrypted form it is not encrypted on the phone and will only be encrypted in backup if you enable backup encryption (we all do right? right?). Major point: "The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly (see Software Update section below). We don’t think the iPhone needs to store more than seven days of this data". Good that they acknowledge they are collecting far more data that is required for the purpose and plan on fixing it. This is also very good and validates what I hoped regarding the onward transfer principle: "location is not shared with any third party or ad unless the user explicitly approves".

The patch I was asking for:
"Sometime in the next few weeks Apple will release a free iOS software update that:
  • reduces the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone,
  • ceases backing up this cache, and
  • deletes this cache entirely when Location Services is turned off."
Overall excellent response, they may still get sued and EU may look into Data Protection Directive breech but the patch is a good outcome.

Related posts:
Photo credit caseorganic Flikr. Google Android image from Stuart Ward.

Like this post? Get updates via RSS or follow me on Twitter @rakkhis

No comments:

Post a Comment


Written by