Apple has been named in a class-action lawsuit alleging that the company allows iOS applications to provide advertisers with sensitive – and supposedly private – user information, according to Bloomberg Businessweek, which broke the story on Tuesday. "Apple claims to review each application before offering it to users, purports …
Standard app's EULA indicates user's consent to some use of data
Although it's true that the developer agreement says that the developer must not collect personal data without permission, the default EULA which applies to most apps does grant permission to record "technical data and related information". Specifically, here is the bit from the developer agreement:
"3.3.9 You and Your Applications may not collect user or device data without prior user consent, and then only to provide a service or function that is directly relevant to the use of the Application, or to serve advertising ..."
and here is the bit from the standard EULA: (http://www.apple.com/legal/itunes/appstore/dev/stdeula/)
"b. Consent to Use of Data: You agree that Application Provider may collect and use technical data and related information, including but not limited to technical information about Your device, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to You (if any) related to the Licensed Application. Application Provider may use this information, as long as it is in a form that does not personally identify You, to improve its products or to provide services or technologies to You."
Does "to provide services" include "to target advertising"? Say an app whose theme gives away some personal info about the user (e.g. "gay bars near here") sends its unique device ID ("technical data") to a server, and you use that to target "gay" adverts; is that OK or not?
Paper Toss? Already knew that one.
This application has access to the following:
[Full Internet access]
[Coarse (network-based) location]
[Read phone state and identity]
And all that to throw paper into a basket? Yeah.. I think not.
Chances of this class action suit changing anything whatsoever? Unlikely. There's just too much money involved in profiling every single person on the planet.
Mine's the one with a copy of TrackMeNot in the pocket.
Always wondered if this would bite Apple
In reality, it's not Apple's fault if App writers play naughty (it hurt to say that!). BUT, everyone here will recall a ruling that if you moderate comments on a site, you can be held liable for any that slip through.
Always wondered whether this would one day bite Apple. They 'moderate' submissions to the App store, so someone was sure to claim they hold partial liability at some point (deep pockets and all). May not be comments, but it'd only take a thin stretch of the imagination for a court to equate the two!
Not really Apple's fault
This is why they tend to be tough on approval of apps. Apple gets seen as the publisher when in fact the makers of the application at fault.
"it's not Apple's fault if App writers play naughty"
AFAIK it should be trivial for APPLE to know whether a program is playing dirty -in the way described here- or not, without even having to read its code. They can make a tweaked version of their OS that informs of any transmission of private data, with an app that simulates calls, geographic displacement, websurfing, etcetera. They could streamline the testing process and catch all rogue apps with only a few man-minutes per app.
Why on Earth aren't they doing this already?
Answer: See the icon above ;-)
not what you think
The program is monitored closely, and they do catch apps collecting data they shoudl not be sharing (even if the access to that data is legitimately needed). It can only access what it is allowed to through approved APIs, and that is fairly limited as it is, and even that access is subject to "why do you need to" questions before final approval. the issue is what the app dev does with legitimately collected data AFTER collecting it. Apple has no control what so ever in that. The only recourse they have is to suspend an app or developer they know is in violation of that agreement.
though the Pandora app itself provides no such notice of intended use, the pandora website you create your account on, and their own service use EULA does clearly state this, so apple is covered.
ALL of this data is legally collectible data with or without user notice under US law anyway, so the whole suit is BS, especially since it;s own personally identifiable if the collected data is used to LATER data mine sources containing additional data about users. the data alone can only identify the phone and not the person's name or address.
You get what you pay for...
if you ever had any expectation of Privacy then you are in need of serious help. Use of the internet is a gamble. If you feel lucky then gamble what you can afford to lose.
When money is at stake do not believe what you think the EULA says - it will be interpreted just the way the supplier wants.
Even given the forgoing I hope Apple and the application creators get toasted - but it probably wont happen.
An iOS version of "Little Snitch" which I have on my desktop Macs? I have no iOS devices, so can't talk from experience, but I keep "Little Snitch" on my Macs because I'm probably paranoid (which doesn't mean I'm not correct).
Could this change anything?
My desired outcome would be an app or app suite that allows you to choose what is being sent to whom. Surprisingly, Android doesn't, to my knowledge, offer a decent firewall app. Jailbroken iphones can use firewallip which will at least tell you where an app is trying to connect to and on what ports. Plus it gives the ability to global block certain domains regardless of what app is trying to contact them. flurry.com comes to mind... But if Pandora.com is required to run pandora and they are collecting my sexual preference, then there isn't much I can do to stop that other than jettison pandora and hope last.fm is not doing the same.
When I first got an iPad, I considered Pandora. A quick look through reviews showed that it required a lot of personal info which was totally unnecessary in functional terms. If users knew about this issue six months back, I'd be surprised if Apple did not.
apple did know
but Pandora GOT permission, through the license agreement you have to accept to get an account on Pandora. The app can get the data, but it can;t transmit it unless you have an account, within which you gave them consent to this use of your data, and this is consistent both with Apple's policy and the law. in fact, per the law, Pandora doesn't even have to notify you of what they are collecting because none of that data is actually legally defined PII in the first place.
Would you have all that info on your phone in the first place? My phone has no name, age, gender or other info about me. It has an email address that is used only to access the market.
So, apps could send location info back to ad servers, but, as I use an ad blocker, any targeted ads will fall by the wayside. Mind you, if the app sends back the same info as the phone uses to geo-tag my photos, the ads would be a little off-target... I'm not really in Alxa, Inner Mongolia!
not in the phone
the phone does not share that data, people ENTER that data into the app itself when it requests it, thereby clearly gaining user consent. The only addition is the UDID, which all apps not only have access to, but is the required device ID to be used (MAC address use is forbidden). General concent is already acquired for any app to use the UDID.
Also, the "uniquely identifiable" information collected from the device, consistent with user consent and apple limits on type of data, can alone identify nothing but the DEVICE, and not the person using it. Only with access to additional data sources that don;t come from the phone and data mining applications can additional narrowing come up with a name, and the use of this data to do that is already illegal under federal law. Apple in no way provides access to restricted PII, nor do they enable companies to data mine other sources, companies who might do that would both be guilty of lying to apple about the use of the data and be in violation of federal law at the same time.
in which case...
people who give that information to an app, in order to throw paper balls into a bin or listen to the radio, are idiots.
Apple has made a BIG deal about how it vets, monitors, and otherwise has complete control of the applications that it allows to be used on its hardware.
I would think, therefore, that they would also be liable for any infringements by those applications, given their level of control.
Really hope they get taken to the cleaners on this one. Might serve notice to others (and to them) that playing fast and loose with private information should be a losers game. Right now, it's not.
Perhaps it suits Apple for the case to go forward?
Apple tries to tighten up security and user ID stuff (remember pre-iPad account that Cupertino was using devices that data trackers in apps were able to identify as not quite iPhones?)
Consequence: lots of rage, claims about one thing and another, potential for PR harm and hurt.
The Apple with app makers end up in court. Court says: You M-U-S-T do this n that.
Wraps knuckles and instructs all data collated improperly or ambiguously M-U-S-T be destroyed along with any backups or archives of such data and it has to be completed by a week tomorrow with cease & desist instruction under law.
Consequence: The Apple wins with no irrecoverable PR harm?
how to bypass the application store check
make sure that some functionally doesn't kick in until 1 month after the submission date.
any way, I honestly believe that we have reached a point where we can no longer afford to allow companies to _hide_ options and functionality from the user in the EULA. If the application is going to do something, then that _thing_ should be part of it _functionality_ list, it shouldn't be hidden in the EULA that no one reads.
Are user warned?
Do these apps show the standard screens requesting for net access, GPS access, size of private parts, etc?
If they do, I believe Apple is quite safe... I doubt it can be claimed that Apple should check whether each request is reasonable with relation to the functionality of the app... And if crooked app makers sell user data, this is not exactly something that Apple can stop.
"In addition, the complaint alleges that "Some apps are also selling additional information to ad networks, including users' location, age, gender, income, ethnicity, sexual orientation and political views.""
Erm. How can anyone remotely determine your age, gender, income, ethnicity, sexual orientation or political views unless you've already entered them into their naughty application?
...and if it's the applications that are being naughty then it's not really Apple's fault is it? To blame Apple is a bit daft. OK they could probably dis-assemble every application sent to them and check it but that would require a LOT of work. It's a bit like saying "someone stole my internet data when I was using IE so it must be Microsoft's fault for not checking every web page I might conceivably visit"...
Apple controls what is collected and why. They do NOT allow apps to collect data that is illegal to collect, and they further as "why do you need to collect that" if they feel the data is unnecessary for the app to work.
However, once scrutiny is applied, and they determine the data can be collected, what that company chooses to do, in violation of Apple's policies, and in some cases against the law, has no bearing on Apple itself.
ANYONE can buy a baseball bat. If I buy one, and kill someone with it, can I someone sue the manufacturer? no, only if they knew this would be the case before purchase ever occurred. Prove Apple knew that this legally collected, and legally request able, not-PII data was in fact being used against policy and Apple allowed it to continue, and you might have a case wo force apple to enforce their OWN policies, but no laws actually apply to the collection and dissemination of this data. It is not in fact PII at all. It is only "possibly" PII when used to data mine against OTHER sources of data they should not have legal access to.
There is little reason apps need the same UUID
The UUID is just a random large number, usually expressed as a string of hex. I think for privacy's sake all smart phones assigns apps a random number as an id which stays with the app until it's uninstalled. It could also prevent different apps from sharing their cookies or other files which can be used to associate ids together. Nothing would be perfect of course - single sign on could still tie ids together, but it should at least by default it stops apps robbing useful info.
It due to a bigger problem..
..which is that EULA's are never read as they are dense legalese document.
Other T & Cs can be shoved on a webpage somewhere as so long as it is linked from app store it ticks the box for apple.
Until we all take personal data more seriously and have a more personal focused approach to personal data, i.e. starting with the default human right that information about me is my property, then things like this will keep happening and people will still be surprised that the picture they posted on some website once comes back to haunt them.... at which point they will squeal about needed in new laws and think of the children.
Review process sucks donkey balls.
So I bought an office app, only wanted it for two things, a spreadsheet for income / outgoings and a doc for filling in as invoice. The spreadsheet works, just, it can't lock rows or cell, even tho' if you go on the developers website it's one of the most requested features for nearly a year, but the word processor can barely be called that, it can't handle graphics at all - my invoice has a nice graphic header with company info written on top. It'll import the text, but not the image. I've got 59p notes apps with more functionality. How this app got passed as a full featured office product (with lying graphics showing things it can't do no less) is beyond me.
Oh, and don't bother looking for a refund button, there isn't one. Click on the report a problem button and nearly a month later I've had no response. First and last Apple product (tho' I do like the virtual keypad).
Did they claim it could handle images? did they say it could lock cells? A word processor is just that, WORDS. Did they advertise it was a desktop LAYOUT application? no. Could WordStar handle images? It could not even handle FONTS!
If the maker was clear about it's capabilities, and advertised what it could do, your failure as a consumer to learn in advance of purchase what it could not (which it appears there was a YEAR of data providing just that), then it is in no violation of Apple's policy for it to be sold as such.
If you expected a $5 (or free, there's more than 1 free WP app in the app store) app to be comparable to a $250 desktop suite, hahahahahaha. Even the $10 pages app has significant limits. only if they said it could do this and could not does Apple have any culpability.
So you admit it...
"The spreadsheet works, just, it can't lock rows or cell, even tho' if you go on the developers website it's one of the most requested features for nearly a year"...
So you admit - you really didn't do any product research at all prior to purchasing the apps did you? Not even visit their website? I spend time on the product websites before I even download and trial FREE apps and modules...not to mention reading the other reviews.
And good luck getting a refund on ANY opened and used software...from any retail outlet.
But yeah, somehow this is Apple's fault...
That's pretty damn funny!!
"So I bought an office app, only wanted it for two things, a spreadsheet for income / outgoings and a doc for filling in as invoice. The spreadsheet works, just, it can't lock rows or cell, even tho' if you go on the developers website it's one of the most requested features for nearly a year."
So you wanted something, you bought it, THEN you checked why it didn't do what you wanted it for and THEN found out it NEVER was capable of doing what you wanted in the first place?
I don't think it's a refund you need, it's beating with the common-sense stick!
I suppose your iWhatever has a golf ball teletype by way of user interface rather than a touchscreen?
Pandora, not Apple
What Apple's approval process tries to prevent is leaking/theft of private data from the phone's system software via Apps. If you go through Pandora's own account creation process and give them all your details, then you are yourself bypassing any protection Apple might have been able to give.
Maybe it's finally time...
To post alternatives to nefarious iPhone apps?
I'll start with accuweather instead of TWC, or Weatherbug.
If papertoss is your idea of a fun game on an iPhone, then you have my pity, and just maybe your personal stuff should be owned, it'd give you some excitement in your life.
I forget the third app mentioned. Maybe it isn't a mission-critical one either.
If you jailbreak your iOS device you can install a UDID Faker which will let you assign random UDID numbers on a per app basis. All my apps think they are running on a different device and I've had no problems at all.
The problem is Apple likes to be BB
Therefore, Apple is liable. Apple claims they screen each app, then shit happens, they are also liable.
I know it is really the developers' fault, but if Apple play with fire, it cannot expect to not get burnt. Particularly in the land of everyone sues anyone for any reason.
The Walled Garden: A trap of Jobs own making?
Google's Android is open, too open for some, since Apps aren't pre-approved and some were withdrawn only after they were made available. But Google never promised a 'rose' garden - what you see is what you get.
However, Jobs, by claiming to 'vet' all his Apps, even keeping some locked in approval for months, is different - he has actively, and persistently, blocked all attempts to open up The Garden so obviously any Apps that have been released has been done with Apple's blessing. The conditions imposed by Apple on developers should obviously be tested as part of the approvals process and therefore it is not unreasonable to hold both Apple and the developer culpable.
In fact, Apple's liability is greater, IMO, since it has the ultimate capability of making all data unavailable to any App or, alternatively providing a user controlled function to allow, or deny, App access to ant data. Some Apps remove data that has absolutely no utility in the use of the App.
Most, if not all, Apps do not need a smartphones unique identifier, many do not need to know it's physical location, either.
This is not to say Google is much better; for they, too, collect all sorts of data and not many people know either how much or who else gets to share it.
There is a way to control all this: deny all access by Apps and have it supplied through Apple or Google so they become the gatekeeper to this data. The problem is that neither Apple or Google can be trusted much, if at all, but at least they can be trusted more than App developers.
Does, I wonder, the action seek compensation for the theft of transmission time used by all these back channels?
User data held in trust
That might be a more realistically workable idea since it would make the big guys accountable as well as cutting all these hidden communication charges.
I should have known that...
In addition, the complaint alleges that "Some apps are also selling additional information to ad networks, including users' location, age, gender, income, ethnicity, sexual orientation and political views. ---
So apparently you are asked about your sexual orientation when setting up an IPhone