Pandora's mobile app transmits 'mass quantities' of user data

A free smartphone app provided by internet radio service Pandora supplies advertisers with enough user information for them to compile detailed snapshots of those who use it, researchers who analyzed the software have said. Tuesday's report, titled Mobile Apps Invading Your Privacy and issued by software analysis firm Veracode …

COMMENTS

This topic is closed for new posts.
  1. Tom 7

    tracked users' age, sex, zip code

    Can anyone explain to me why a PHONE, any phone, needs to know these things? Keyboard diarrhoea? 'User experience' is something 20 pints of Guinness and a kebab with chilli sauce gives you.

    1. Anonymous Coward

      Indeed...

      You might not be able to do anything about the GPS info (although if I saw the GPS icon flashing unexpectedly on the status bar of my phone I'd be inclined to delete the application) but the rest of the information depends on you providing it in the first place.

      It's a nice attempt at data mining, but still nothing compared to the amount of information which can be extracted from the UK national census far before the 100 years rule we all think governs it... You did read all the small print the previous govt introduced under the guise of fighting terrorism didn't you?

      1. Ian Michael Gumby
        Boffin

        @ AC Wrong!

        "It's a nice attempt at data mining, but still nothing compared to the amount of information which can be extracted from the UK national census far before the 100 years rule we all think governs it... You did read all the small print the previous govt introduced under the guise of fighting terrorism didn't you?"

        The information provided to the government's census is static.

        You'd actually tie that in to the information being collected by these smart phone apps.

        What I find ironic is that you're actually defending this practice while condemning your government's census information.

        It's as if you trust the greedy bastards more than you trust your government.

    2. Fluffykins Silver badge

      Title be buggered.

      "'User experience' is something 20 pints of Guinness and a kebab with chilli sauce gives you."

      Something that should be beaten repeatedly into every snotty little advertising consultant droid human race disqualificant, preferably using one of his own legs.

  2. Anonymous Coward
    Megaphone

    Brilliant!

    Chalk another one up for freetards!

    So gullible to put the upholding of their faith in commercial companies!

    1. bob 46

      Freetards?

      What has this got to do with freetards? Pandora is a totally legal, ad supported service. And do you think that because you PAY the person you give your data to, it's safer?

  3. John Tserkezis

    That gives a whole new meaning...

    ...to opening Pandora's box...

  4. Mark 65

    Location services

    Why would you let a radio service know your location using the GPS?

    1. blodwyn

      @Mark 65

      Pandora sell the info to advertisers. So if (say) McDonalds buy the info, and it's getting near lunchtime, they can send you a message encouraging you with directions to go to the nearest McDonalds to where you are.

    2. Paw Bokenfohr

      @ Mark 65

      I don't know about Pandora specifically, but with other radio apps, the idea is that you let the app know your location so that it can offer you local radio stations.

    3. Gordon 10

      Rtfa

      Read the article. It said geolocated IP. It doesn't need a GPS to roughly determine location by IP.

      1. Anonymous Coward
        Stop

        Yes it does..

        I'm with T-Mobile in the UK - they funnel everything internet related through a small set of IP addresses - so trying to just use IP for location targeted advertising is a non-starter.

    4. Mark Serlin

      Why would you let a radio service know your location using the GPS?

      Because you have to, to get the app to run, on Android anyway. "This app requires access to your GPS data, mail account and inside leg measurement. So do you want to run it or not? (click here sucker)"

  5. EWI
    Dead Vulture

    "No... there is another"

    "Veracode's report made no reference to that app, presumably because of the closed nature of Apple's iOS. ®"

    Or maybe, just maybe, because it's against Apple's rules for apps. Apps:

    "cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used."

    1. Random Handle
      Thumb Down

      @EWI

      >[iOS Apps] cannot transmit data about a user without obtaining the user's prior permission

      Indeed but this permission can be implicit and requires you to read the Privacy T&C.....pretty much all Apps using ads or 3rd party data mining deals report your position under iOS, it's how they make money:

      eg. Angry Birds: http://www.rovio.com/index.php?page=privacy-policy

      .....even the above then requires you to do a little more research into what the third parties are doing with your data - assuming you're able to work out who they are using Fiddler, your proxy logs or Wireshark etc.

      So it turns out "because of the closed nature of Apple's iOS" is rather more accurate than you suggest.

      1. Anonymous Coward

        Permission must be explicit

        @Random Handle: "...this permission can be implicit and requires you to read the Privacy T&C"

        No - that's precisely what Apple forbids in the rules quoted by 'EC!'. Any app doing otherwise will be rejected. The App Store is often labelled a 'walled garden' for this kind of control, but I'm all in favour of keeping the marketing people on a tight leash. I won't use any apps displaying advertising anyway - it's better to know that I'm the customer (and not an advertiser).

        1. Random Handle

          @Ralph 5

          >No - that's precisely what Apple forbids in the rules quoted

          There are get out clauses with respect to analytics/advertising and in any case Apple do not proactively enforce terms after initial approval - it would be rather difficult to do so and it's easy to hide by encrypting data as many such services do.

          I'm not picking on Angry Birds, I just think it's a commonly installed App. By installing it you agree to the terms of the Privacy Policy I quoted above. You're also agreeing to a number of third party privacy policies as well, including services which aggregate your personal data across multiple Apps.

          Most notable in Angry Birds, though it uses several 3rd party services actually, is Flurry:

          http://www.flurry.com/about-us/legal/privacy.html

          Which contains the classic line:

          "This Privacy Policy in no way limits or restricts our collection, use or disclosure of aggregate information. "

          I'm not making this up - read the privacy policies of the Apps you use and view the output yourself via a proxy if you don't believe me.

  6. Chris 171
    Black Helicopters

    Show me a free lunch...

    Kinda obvious really, how else are you going to monetiSe a free music stream? Kinda nice to be told though, granted.

    Apple's version may not collect so much user data (they know it already) but I'd hazard an additional guess that with iTunes & a loaded credit card only a click away, there are far higher sales of music via Pandora for iPhone.

    If I was Apple I would request the app didn't play any song/album that wasn't available via iTunes too.

    Android users aren't so locked in to a purchasing system so maybe it's needed to keep the servers pumping & people getting paid on the Android side of the office?

    1. Anonymous Coward

      It's free so everything is fine...

      Leave it to Google's fans to rationalise and even accept huge undisclosed breaches of personal privacy.

    2. Iggle Piggle

      It is not kind of obvious to everyone

      To marketing people it may be obvious that the money must be coming from somewhere. To technical people it is obvious that this is all possible. But to the vast majority of the population it is no more obvious that an advert in a free app is spying on them than it is that time dilates near heavy bodies.

      There are plenty of people who do not expect that their mobile phone is being used to spy on them and you can infer they are naive if you like but to me your second comment is more relevant. They should be explicitly telling us they are spying and not by including it in sub paragraph 20 on page 90 of the T&C's.

      Now granted, when you install an Android app it does ask for permissions but it is often unclear why they want those permissions. For example Pandora might well say they want to know your location. A user might assume they want to know so they can offer locally relevant music and not so that they can track your every move and tell advertisers.

  7. Anonymous Coward

    Gathering customer data?

    Isn't gathering as much data about the customer "The Google way"? My partner got a Samsung Galaxy which was eating up her mobile data limits, it turned out that the vast majority of the data that was being used was sending info back to Google. GPS by default sends data back to Google, including all the SSIDs it can see...

    I wouldn't mind as much if they dropped their "don't be evil". I like my evil multinationals to be up front about it.

  8. Anomalous Cowlard

    "Contract", no doubt

    The authorisation is in all likelihood buried in a click-through "contract" designed not to be read let alone understood, probably containing a provision for the company involved to add anything they might have forgot at the time of writing by simply adding that later without needing to ask or even tell the punter. The latter, of course, cannot even refer to the "contract" as it was, but must take the other party's word as to what it contained should there be a dispute.

  9. Anonymous Coward
    Happy

    I knew a girl called Pandora once....

    Never saw her box though.

    1. Anonymous Coward
      Happy

      Excellent, just what I like

      detailed, in-depth analysis.

      1. Anonymous Coward
        Unhappy

        No, not "detailed, in-depth analysis."

        He said he never saw her box, so not very in-depth then.

  10. James 47
    WTF?

    Is this what *really* killed Symbian?

    Its privacy-by-design nature? All those prompts about allowing some app to do this or that? Operators are being pushed by marketers to sell Android because it's an advertiser's dream, the ecosystem is not the fart apps, but the user data?

    (I don't buy the 'hard to program for' argument *that* much after seeing some Objective-C horrorshow - but there definitely were failings Symbian-side).

  11. Anonymous Coward
    Black Helicopters

    Big brother is watching you...

    ...with many of these apps. People are too stupid / ignorant.
