So why are Apple and Google (and Microsoft) tracking us?

So what are Google and Apple doing with this location data that’s been all over the news for the past 10 or so days? And Microsoft, now that it’s clear they’re gathering it too (but they claim they aren’t storing it anywhere on the phone).

They aren’t saying a lot, but they’ve said enough to take a pretty good guess. And no, I don’t think the intent is to be evil.
Last year, when faced with another privacy dust-up, Apple said, “To provide the high quality products and services that its customers demand, Apple must have access to the comprehensive location-based information.” They haven’t commented, to my knowledge, on this year’s dust up, but the same reason they gave then would appear to apply toay.

So what on earth does that mean?

I talked to Rich Perkins, CISSP, about it. I knew Rich wouldn’t have a middle-of-the-road opinion on something like this, but honestly didn’t know which side of the fence he’d be on.

“I’m not here,” he told me.

“Ah, but does your phone know where you are?”

“Yes it does.”

“And does that bother you?”

He said not really. He said the phone needed to know, in order to provide better functionality, and he suggested I do a little research on A-GPS, because he thought that was the main thing the phones are doing. So I did.

GPS devices–including phones–triangulate against various things in order to tell you where you are. A pure GPS just triangulates against satellites. Cell phones triangulate against cell phone towers and/or GPS devices. If you can triangulate against wifi access points too, it makes it that much easier and faster to accurately determine where you are. More data points.

That’s one reason why, when Google photographs a street, they also record the SSIDs of every wi-fi network they find. Between these vans and the growing number of Android-toting consumers, Google is able to build a rather large, comprehensive database so that if you want to ask your phone where you are, it will know. Using more than GPS is called A-GPS, or Assisted GPS.

Apple doesn’t have those vans running around. Rich said he thinks Apple is gathering information solely from devices. Namely, iPhones, iPads, Macintoshes running Snow Leopard or newer, and Windows PCs running Safari 5.

He said when he uses Google Maps on his Android phone, he can see its accuracy increase and decrease based on what he has turned on. When he’s walking around with wi-fi enabled, it may not know which side of the street he’s on, but it can narrow him down to within about 50 feet.

And he thinks that’s the motive for Apple, Google, and Microsoft. If we travel the same path over and over again, that tells them that area is important to us, so our phones need to know about that area. And, thinking larger, if large numbers of people are traveling a particular area, that tells the companies that’s an important area and they need to focus on learning what they can about that area, as opposed to an area a few blocks away where nobody goes.

Having talked to some people with much more familiarity with the iPhone than me, accidental copying of the file in question seems unlikely. It’s not automatic; you do have to pair the iPhone with the computer for it to sync. The question is who else can see your phone and the backup on your computer, and whether you trust those people with that data. One iPhone owner I talked to just shrugged his shoulders. He lives alone, so nobody else is going to see the data. He has iTunes set to encrypt his backups, so he doesn’t worry about it.

My concern is that backups should be encrypted by default. I run into people far too often who don’t know what encryption is and how it protects them, so why confuse people by creating the option. When I go buy something off Amazon, it doesn’t ask me if I want to encrypt my username and password and credit card data. It just does it.

Frankly, I think the file on the phone should be encrypted too.

Google’s approach (and Microsoft’s) bothers me less. Google keeps less data, the file stays on the phone and by default isn’t readable by anything but the phone’s operating system, and you can turn it off. Microsoft doesn’t write anything at all to the phone, from what it says.

The companies’ responses tell you something too. Apple has been silent since Wednesday. Google responded over the weekend, and while I can’t tell from the WSJ article whether the Google representative told how to disable it, there was enough information there to tell how to disable it. Microsoft, with arguably the best approach of the three, is gloating a little. Something it doesn’t get to do very often.

So I don’t think there’s anything particularly nefarious going on. Rich pointed out that when Apple introduced multitasking to iOS, they said outright that they would have to do location tracking in a file in order for applications to figure out where they are. So even Apple has come clean. But memories are short.

I think all of them need to release a statement, from a PR standpoint. Otherwise, they’re making it look like they have something to hide. And it’s not like they’re hiding any competitive advantage. If Rich can figure out what they’re doing, surely the engineers who do nothing but develop phones full-time know what their counterparts at the other companies are doing.

And I do think files containing that kind of information should be difficult to access, and ideally they should be encrypted. Microsoft has the best approach, by not writing the file at all. Google’s approach of making the file only accessible to the operating system by default and only storing a few days’ worth of information is better, though it still falls a little short of the ideal. Apple stores too much information and makes it too easy to get at. But, in retrospect, they warned us. Like I said, memories are short.

siliconunderground

About SiliconUnderground

Dave, aka siliconunderground, is a computer professional and an obscure computer book author who achieved his greatest popularity in Canada and Trinidad. He has been blogging since 1999. You can visit his blog at http://dfarq.homeip.net.
This entry was posted in Security. Bookmark the permalink.

Comments are closed.