If you have an iPhone, Apple and Google are watching

The title of this post is tongue-in-cheek, exaggerated and meant to evoke a reaction from the reader.  But it’s not all that far off from reality.

TechFlash has an article up this past week that highlights a blog post by Kim Cameron.  Cameron is Microsoft’s Chief Security Architect and one of its distinguished engineers, working in its Identity and Security Division (the same as me).  Cameron is an iPhone user (like half of Microsoft it seems… except me) and this past weekend he went to download an application and was informed of Apple’s new Terms and Conditions.  Unlike the rest of us who get through 3 pages and throw in the towel by clicking OK (and assuming someone else is double-checking these Terms and Conditions), Cameron actually read through the whole thing.  From his post:

And there - on page 37 - you come to “the news”.  Apple’s new “privacy” policy reveals that if you use Apple products Apple can disclose your device fingerprints and location to whomever it chooses and for whatever purpose:

Collection and Use of Non-Personal Information

We also collect non-personal information - data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:

  • We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.

No “direct association with any specific individual…”

Maintaining that a personal device fingerprint has “no direct association with any specific individual” is unbelievably specious in 2010 - and even more ludicrous than it used to be now that Google and others have collected the information to build giant centralized databases linking phone MAC addresses to house addresses.  And - big surprise - my iPhone, at least, came bundled with Google’s location service.

The irony here is a bit fantastic.  I was, after all, using an “iPhone”.  I assume Apple’s lawyers are aware there is an “I” in the word “iPhone”.  We’re not talking here about a piece of shared communal property that might be picked up by anyone in the village.  An iPhone is carried around by its owner.  If a link is established between the owner’s natural identity and the device (as Google’s databases have done), its “unique device identifier” becomes a digital fingerprint for the person using it.

In essence, Cameron’s point is that Apple collects unique device identifiers and their location.  Each iPhone has a unique identifier which binds the phone to its owner.  They can use this to pinpoint the location of the owner, via the identifier, by cross-referencing against Google Maps’s service and GPS placement.  In effect, you could map a digital identifier to a particular house.  If the user has to register his phone with Apple, you could build a database of users and home addresses, not to mention wherever that owner goes when he is out and about traveling.

Of course, it’s probably not that malicious.  If you go back to the TechFlash article, Google says that it hasn't gone as far as Cameron is suggesting. The company says it has collected only the MAC addresses of WiFi routers, not of laptops or phones.  Google's FAQ, for the record, says its location-based services (such as Google Maps for Mobile) figure out the location of a device when that device "sends a request to the Google location server with a list of MAC addresses which are currently visible to the device" -- not distinguishing between MAC addresses from phones or computers and those from wireless routers.  This might well be a documentation issue.  You’ll want to read the TechFlash article for the full story.

In any event, with Apple collecting information, Google doing it, Microsoft doing it… eventually this will all lead to government regulations on full disclosure of what companies do and don’t collect, and what they do and don’t do with that data.