An interesting article that covers a lot of the issues about the latest iPhone (and now probably all smartphones) data protection controversy. The current debate raises several different issues:
– is this legal under EU data protection rules? It looks as though several national DPOs are going to be looking at this;
– do users who have agreed to the terms of service really know what it is they are agreeing to? Or is this a case of users accepting the default settings without really understanding – or perhaps caring?
– possibly also the importance of network effects. It’s not clear so far if this location data is being kept by the operating system companies – Apple, Google, RIM etc – to improve their services, or is being passed on to network operators to help improve their networks. If the former, then we have another network effect – the more users a company has that uses your location services, then the more location feedback a company will receive, and the more it can improve the location services. Not a competition law problem, but potentially relevant to looking at questions of market power and barriers to entry.
Apple and Google are using smartphones running their software to build gigantic databases for location-based services, according to new research following the Guardian’s revelations that iPhones and devices running Android collect location data about owners’ movements.
iPhones and Android smartphones swap data – which does not contain information directly identifying the user or the phone – back and forth with their respective companies if the user agrees to use “location services”.
The news has led some European governments to announce investigations into whether Apple is breaking privacy laws.
Samy Kamkar, a hacker and researcher, has shown that Android phones, which run on software written by Google, collect the location data every few seconds and store it in a local file, but also transmit it to Google several times an hour.
This functionality is almost certainly used in any phone that provides mapping services, meaning that similar files will exist in some form on all smartphones, including those from Nokia and BlackBerry-maker RIM. It is not known whether these models synchronise data from the phone to the companies’ servers as well as storing it locally on the handset.
Sources familiar with Google’s systems said the location data was used to help the phones orient themselves by identifying nearby mobile phone masts and wi-fi sources and comparing them with Google’s own database, with which they are synchronised continually. The file is also updated so that if the mobile signal is interrupted – for example when the user is on a train and goes into a tunnel – it will be able to re-establish contact more quickly by knowing which towers are in the vicinity.
Apple and Google are collecting the data, which amounts to an international map of the locations and unique identities of cell towers and wi-fi networks, to improve targeting of their adverts based around mobile phones.
In a letter to the US congress last July, Apple confirmed it collected the data and said that, in order to be useful, “the databases [of tower and network locations] must be updated continuously”.
The value of location-based services, which feature advertising, is reckoned to be .9bn (£1.75bn) already and forecast by the research group Gartner to grow to .3bn by 2014.
In 2009, Google itself pointed to the value for users of having Android phones upload real-time location data to its servers, suggesting it could give “a pretty good picture of live traffic conditions”. It said: “We continuously combine this data and send it back to you for free in the Google Maps traffic layers. It takes almost zero effort on your part – just turn on Google Maps for mobile before starting your car.”
A Google spokesman said Android phones explicitly asked to collect anonymous location data when users turned them on.
Apple iPhones and iPads also ask whether users want to have “location services” turned on, and the iPhone licence has a passage that says Apple “and its partners and licensees” may transmit, collect, maintain, process and use location data, including the real-time geographic location of the iPhone, though it points out that this is anonymised and can be disabled by turning off the “location services” feature.
However, even if users disable location services, the iPhone and Android phones are believed to continue storing locations of cell towers and wi-fi networks in what is known as a “neighbour list”.
Google’s list is limited to the most recent 50 cell masts and 200 wi-fi networks, while Apple’s list is retained for up to a year. Sources close to Apple have suggested the long-term retention may be an error which it will correct in a future software update.
Privacy advocates fear that although the data is anonymised, the Apple data is not encrypted and could be misused by law enforcement or others who wanted to capture information about someone’s movements.
One security researcher, Alex Levinson of Katana Forensics, said on Thursday that US law enforcement had already made use of the location data recorded by the iPhone in investigations.
Some police forces, such as those in Michigan, already carry readers that can copy all the files from a smartphone even if it is protected with a password, and that it has been used on motorists stopped for minor traffic violations. The American Civil Liberties Union says such examination amounts to an “unreasonable search”, which would be illegal in the US.
In Germany, the Bavarian Agency for the Supervision of Data Protection said it would examine whether and why Apple’s devices were capturing the information, and that it had asked Apple for more information.
“If it is true that this information is being collected… without the approval and knowledge of the users, then it is definitely a violation of German privacy law,” Thomas Kranig, the agency’s director, told the New York Times.
Italy and France are expected to do the same. France’s data protection authority suggested that a major source of concern would be over whether Apple transferred any of the data to any commercial partners. “If the information is marketed without the knowledge of the consumer, it is much more serious,” Yann Padova of France’s CNIL said.
• This article was amended on 22 April 2011. The previous version stated that some European governments had announced investigations into whether both companies are breaking privacy laws
guardian.co.uk © Guardian News & Media Limited 2010