[Editorial Notes: Recently, we shared a report on the LBS industry and mobile user privacy, which raised an important concern regarding how mobile OS companies store location data and the privacy threat associated with it. Arjun Ram, founder of Taazza, an LBS app startup, shares his take on this issue.]
We felt the need to write this post after the well-publicized iPhone fiasco and the misinformation that is being spread about LBS. Our app is an LBS app and we take privacy very seriously. Some of the questions that are lingering in end users' minds today:
So did Apple screw up? Should users be worried about LBS?
The answer lies somewhere in between a YES and a NO. Bear with us for a second. Before we explain what happened with Apple we need to get into how location can be detected on a device, be it a phone or a computer. There are 3 ways in which this can be done:
- Using GPS, as in satellites. Most smartphones these days ship with these chips. The device has to get a lock on the satellite(s) before it can get the exact location. This usually takes time, sometimes up to a minute, depending on the quality of the device and where you are. In some of the lower-end Android phones the quality of the chips isn't great and hence it takes even more time. GPS is freely available thanks to the US satellite system. GPS -> HIGHER ACCURACY (a few feet to meters), LONGER TIME
- Using cell towers. Many companies maintain a database of cell tower IDs and their GPS co-ordinates. This information is mostly available to the mobile operators and a few other companies. When your cell phone connects to cell towers, it knows their IDs. Using these IDs and the GPS co-ordinates of the cell towers it is possible to triangulate your approximate location. This is generally faster, provided you have the cell IDs and the co-ordinates of the cell towers. Sources of cell tower information: mobile service providers and others like Skyhook. Cell towers -> MEDIUM ACCURACY, MEDIUM TIME
- Using Wi-Fi access points / IP address. Based on the IP address from which the request originates, the location can be coarsely figured out. Google's database is by far the most comprehensive as far as we know, tracking you down to the locality. Wi-Fi / IP address -> LOWER ACCURACY, MEDIUM TIME
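To make the second and third methods concrete, here is a small added example (our own illustration, not code from Taazza or from any OS vendor) of how a device or service can derive a coarse fix from cell tower IDs and from an IP address. The tower database, the IP prefix table, the signal readings and the accuracy radii are all constructed and hypothetical; the fallback order in `best_available` (GPS when it has a lock, then cell towers, then IP) is our assumption based on the accuracy ordering above.

```python
"""Coarse device location from the two non-GPS sources described above:
cell tower IDs and the requesting IP address.  Added example code, not
Taazza's; the tower database, IP ranges and signal readings are constructed."""
import ipaddress
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Fix:
    lat: float
    lon: float
    source: str        # "gps", "cell" or "ip"
    accuracy_m: float  # rough radius the source is good for (assumed values)


# Constructed tower database: cell id -> (lat, lon).  Real databases key on
# MCC/MNC/LAC/CID tuples; these ids and coordinates are hypothetical.
TOWER_DB = {
    "404-10-1234-5678": (12.9800, 77.5900),
    "404-10-1234-5679": (12.9700, 77.6000),
    "404-10-1234-5680": (12.9650, 77.5850),
}

# Constructed IP-prefix database: network -> (locality, lat, lon).
IP_DB = {
    ipaddress.ip_network("203.0.113.0/24"): ("Koramangala", 12.9350, 77.6240),
    ipaddress.ip_network("198.51.100.0/24"): ("Whitefield", 12.9700, 77.7500),
}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def locate_from_cells(observed):
    """observed: cell id -> received signal strength in dBm (-50 strong, -110 weak).
    Signal-strength-weighted centroid of the towers we know coordinates for; a
    stronger reading pulls the estimate towards that tower.  Ids missing from
    the database are ignored, and with no known tower in view there is no fix."""
    weights, lat_sum, lon_sum = 0.0, 0.0, 0.0
    for cell_id, rssi in observed.items():
        coords = TOWER_DB.get(cell_id)
        if coords is None:
            continue
        w = max(rssi + 120.0, 1.0)  # simple linear weight above a -120 dBm floor
        lat_sum += w * coords[0]
        lon_sum += w * coords[1]
        weights += w
    if weights == 0.0:
        return None
    return Fix(lat_sum / weights, lon_sum / weights, "cell", accuracy_m=1_000.0)


def locate_from_ip(ip_text):
    """Longest-prefix match of the requesting address against the IP database."""
    addr = ipaddress.ip_address(ip_text)
    best = None
    for net, (locality, lat, lon) in IP_DB.items():
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, locality, lat, lon)
    if best is None:
        return None
    return Fix(best[2], best[3], "ip", accuracy_m=5_000.0)


def best_available(gps=None, cells=None, ip=None):
    """Assumed preference order: a GPS lock if there is one, then cell towers,
    then the IP address.  Returns None when nothing can be located."""
    if gps is not None:
        return Fix(gps[0], gps[1], "gps", accuracy_m=10.0)
    fix = locate_from_cells(cells or {})
    if fix is None and ip is not None:
        fix = locate_from_ip(ip)
    return fix


if __name__ == "__main__":
    # Constructed readings: three known towers, strongest signal from the first.
    readings = {"404-10-1234-5678": -70, "404-10-1234-5679": -75, "404-10-1234-5680": -85}
    cell_fix = locate_from_cells(readings)
    print("cell fix:", cell_fix, "error m:", round(haversine_m(cell_fix.lat, cell_fix.lon, 12.9720, 77.5920)))
    print("ip fix:", locate_from_ip("203.0.113.7"))
    print("fallback:", best_available(cells={"999-0-0-0": -60}, ip="198.51.100.9"))
```

The point of the example is the accuracy ladder: the cell estimate lands within a few hundred metres of the true position only because the tower coordinates are known, the IP lookup resolves no finer than a locality, and neither source needs the device to wait for a satellite lock.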
For any location-based service to work, the service provider will need the location from the user. The accuracy required will depend on the services being provided. As the providers of the operating systems on these mobile devices, it is important for companies like Apple, Google and Microsoft to have good databases. Google even tried to buy Skyhook. The most common technique is to crowdsource this data, i.e. cell tower IDs and IP addresses. Moreover, to optimize the response time when using GPS, the operating system returns the last location that it had cached.
Google and Apple have different ways of communicating this to the user. In the case of Google, they ask you for your explicit permission when you enable the option to use Wi-Fi to locate. They also store your location data (lat/longs) for a limited period, and it is encrypted.
However, Apple didn't explicitly ask for such permission to save this data. Although Apple only stores approximate cell tower lat/longs, it also stores this data in an unencrypted format for a longer period. This has been confirmed to be a bug. In the cases of both Google and Apple, neither of them has used this data to profile users or provided this data to unauthorized folks, including advertisers. (TomTom did so in breach of user trust, but that's a separate matter.)
In Apple's case, given that the user is paying for the data transfer used for crowdsourcing, they should have sought explicit permission. No user wants to be paying to crowdsource a vendor's data without having given explicit permission.
Let's also look at the unencrypted file issue. Until this bug was discovered there was no way for anyone without the computer on which the iPhone was synced to access the file. The program that was released reads the file from the backup. To say that this file was available to anyone who has access to the phone is BALONEY!
Apple's only mistake was not getting explicit permission from the end user for crowdsourcing cell ID data on the end user's dime.
Now let's look at this issue from an application perspective:
When you download any app from the app store/marketplace, you as a user are explicitly asked to authorize the list of permissions you are giving the app. Mostly, users say yes without reading the details.
This is where Apple and Google are different.
On Android, as long as the application provider asks for permission and the end user agrees, the application has the authority to do anything with that data. An application provider can genuinely make a mistake (one line of code). We made a similar mistake before an end user notified us (this was addressed a while back). But there are other applications that use your data without reason (more later).
Apple has taken the right approach on location permissions. The application provider has to explicitly state why location is needed by the application, and Apple has stated clearly that applications cannot use location for the sole purpose of advertising! Moreover, at any time the user can go into the settings window and look at which applications currently have permission to read location data and which apps are utilizing it.
In the Indian marketplace on Android, applications explicitly use the location data for the sole purpose of advertising and get away with it. We aren't taking names at this point but are happy to do so if you ask in private.
What’s your opinion?
[Reproduced from Taazaa’s blog]