Smartphone Spying Reality Check
It sounds like a B-grade movie plot: Millions of smartphone owners are being tracked by their phones. Their mobile apps are eavesdropping on them, too. And information about their whereabouts is being sold to third parties.
But it isn't science fiction. If you own a smartphone and download popular apps, the odds are good that your smartphone knows more about your day-to-day travels than your spouse does. Apple, Google, and Microsoft are in the hot seat now, having to explain how iPhone, Android, and Windows Phone 7 handsets really work, and what they know about where you go and what you do. Predictably, the lawsuits are flying.
Two Michigan women are suing Google over the location-tracking technology included in the company's Android mobile operating system. In a Florida court, two men are suing Apple and demanding that the company either stop collecting tracking information or better safeguard the data it does collect. Both Google and Apple also face an inquiry by a U.S. Senate committee on May 10 intended to discover to what extent they snoop on their customers via smartphones.
With so much alleged spying going on, it's hard to focus on the most important question: Should you care?
Here's a breakdown of what smartphone manufacturers, Microsoft, and some app developers are doing with your phone's location data.
Apple Location Tracking
A database stored in Apple's iPhone and 3G iPads kicked off the latest round of privacy concerns over mobile-device location tracking. The brouhaha started after a file called consolidated.db was discovered on iOS devices and in iOS backup files on PCs; the file appeared to be logging the iOS device's location based on the positions of cell towers and Wi-Fi access points. Apple later disputed that allegation, saying that it simply maintains a database of regional cell towers and Wi-Fi access points to improve its phones' location services.
Apple does take some location data from your iOS devices--and, under certain circumstances, from your Mac when it's running OS X Snow Leopard or using Safari 5. Apple says that about every 12 hours iOS devices send encrypted and anonymous cell-tower and Wi-Fi access-point location data back to Apple. The company then uses this information to update a master database of worldwide cell-tower and Wi-Fi access-point locations. This data later updates on your phone to help your device find its location faster, as opposed to depending solely on GPS satellite signals.
The company says that it will take this data from your iOS device only if you are using the device's location services. And according to Apple, a future update will ensure that consolidated.db does not log any cell-tower or Wi-Fi access-point information if you have location services turned off. For details, read more about Apple's location-data practices.
If you opted in to use Google's location services when you first set up your Android phone, Google is taking location data from your device in a way similar to that of iOS devices. Google's smartphone OS will send GPS information and Wi-Fi access-point locations, as well as your unique device identifier, back to the search giant, according to the Wall Street Journal.
Just like Apple, Google uses this data to maintain a location database. Reportedly the company also uses the data to better serve you ads and other content relevant to your location. Google has also said that all data sent back to it is anonymized, despite researchers' findings that each user's unique device ID is included.
Google used to obtain Wi-Fi access-point location information by way of its Google Maps Street View cars, but ceased that practice after Google's cars were found to be saving fragments of users' Wi-Fi data transmissions along with access-point IDs.
Microsoft Windows Phone 7
Seeing its competitors getting hit with heavy criticism, Microsoft recently posted a Q&A on its Windows Phone 7 blog explaining its location-data collection practices. Similar to other mobile device makers, Microsoft says that it "assembles and maintains" a database of cell-tower and Wi-Fi access-point locations. Microsoft achieves this by collecting data from a fleet of cars, as well as by collecting Wi-Fi access-point information from mobile devices. The company says that it will collect Wi-Fi location information from your phone only if you turn on location services, you are using a location-based application that requests location information, and your Wi-Fi radio is turned on. "If any of these conditions are not met," Microsoft says, "the mobile device will not survey Wi-Fi access points."
However, Microsoft also states that if a phone's GPS is turned on, it will collect the device's "observed longitude and latitude" as well as the direction and speed the device is traveling. Presumably, Microsoft uses that data for a traffic information database, but the company does not explain the practice further.
Apps That Eavesdrop
If you think the location-data practices of smartphone makers are bad, you'll love what some app makers are doing. Some popular iOS and Android apps, such as Color and ShopKick, turn on your phone's microphone to listen to background noise and report back to their creators what they hear.
It turns out that these apps aren't fishing for juicy tidbits about your life; rather, they are listening for sound patterns. Color and IntoNow, for example, both perk up your smartphone's ears to help create on-the-fly social networks, their makers say. By comparing the sound patterns across many phones, the creators claim, the apps can better determine if people are in the same room, or watching the same TV program.
As for the makers of ShopKick, they say that their app is listening for a special tone (inaudible to our ears) so that it knows when you are in a certain store that offers a ShopKick discount.
To be clear, your words aren't being recorded and aren't being sent anywhere, the companies claim.
Your Location for Sale
Who has time to read end-user license agreements? You might want to peek at the EULA the next time you go on a mobile-app downloading binge. Most people acknowledge that they do grant an app maker access to some personal smartphone data. What most phone owners would be surprised to learn, though, is exactly what that data is and who has access to it.
The Wall Street Journal discovered that most of the 101 apps it tested for an article shared a phone's unique ID number with third parties. It found that popular apps such as those for Dictionary.com and Fox News collect location data. Publisher Rovio Mobile, the maker of Angry Birds, collects your latitude and longitude, your contacts, and your phone's ID (not your phone number). Other apps, including Pandora, collect your age, gender, location, and phone ID, according to the Wall Street Journal. Some apps, such as Foursquare, TextPlus 4, and WhatsApp Messenger, collect your smartphone's phone number. Bejeweled 2 also collects your mobile phone number, and, according to the Journal, shares it with third parties.
An interesting side note: The Journal's project found that iOS apps were sharing much more information than the Android apps were.
Time to Freak Out?
With all of the headlines about location tracking and online privacy violations, it's easy to live in fear--namely, fear that app makers and big companies like Apple and Google know too much about you and are somehow going to reveal your deepest, darkest secrets to the world. But in reality your location is not being transmitted to a giant map in a secret room, where all of your movements can be followed via some sort of flashing beacon.
Even so, privacy safeguards are needed in the nascent location-based services market, to protect consumers. Verizon is looking to head off mobile-device tracking concerns by placing a peel-off sticker on devices it sells warning users that their location may be tracked by the device. The U.S. Senate Judiciary Committee has scheduled a hearing on mobile device tracking for May 10. Is that enough? No.
Most of the privacy hoopla, experts say, is overblown for now. More concerning to mobile-privacy experts are future services that might be vulnerable to rogue developers, or user-location databases that have the potential to be hacked. For the time being, exercise caution and good judgment when installing apps. In addition, you can avoid the majority of mobile-privacy pitfalls by using a combination of common sense and digital tools such as the highly rated Lookout Mobile Security app for Android, BlackBerry, and Windows Phone 7 devices.
(Liane Cassavoy contributed to this report.)