I’m not sure if the whole iPhone automatic tracking problem is a big deal or not. On the one hand there is nothing here that could cause me a problem (happy to post my movements below), but then again I don’t really like that I never knew it was happening.
I have nothing to hide and actually like the idea that I can see all of my movements at a later date, just for the pure geekiness of it all. Apple haters will jump on this and call it a huge invasion of privacy, just as people who love Apple would do the same if it was happening on Android. Hypocrisy reigns supreme in relation to this issue- depending on which side of the fence you sit will determine your thoughts.
And this is the crux of the matter. It isn’t that big a deal that there is a clear cut opinion from anyone. 95% of people couldn’t care less about this, but that’s not saying that Apple didn’t mess up here.
I think it is important to know why its being stored, who has access to it and how the data is being used. I don’t like the idea that data is stored for the sake of being stored. I akin this to DNA sampling of every single individual. Ask those same question. It could be used for something good but it could also be used for some other nefarious reason.
I think that this is a substantial invasion of privacy, irrespective of whether the data have been communicated to any third party (including Apple), since I believe that a user should be fully aware of, and agree to, what is happening which data such as location data are collected. Simply including a right within lengthy terms to collect these data are insufficient, in my opinion – it should be much clearer what is going on.
If these data have been communicated with Apple, then I have a greater problem, since I have not seen a clear, accessible statement by Apple as to why these data were collected (what is the purpose of the collection; how will they be used?), how and for how long Apple will store them, and under what circumstances and how Apple would share these data with which third parties.
That being said, now that I know where consolidated.db is, and have a mechanism for extracting data from it and tinkering with that data, I’m enjoying doing so – it’s an interesting resource. I’ve no fundamental problem with it being collected, as long as I have approved, in a meaningful way, its collection prior to it taking place. I tinkered with the visualisation tool, to remove the abstraction, to make the placement of the data on the map more accurate, as well as to enable more precise identification from a time point of view (i.e. to visualise based on hourly increments, rather than weekly aggregation), and it’s really rather cool, although plenty more tinkering is needed! I’ve shared what I’ve done, and the output visualisations on Facebook, so sharing those data is not necessarily a problem for me, but I expect its release to be under my control.
Guys, I hate to say this, there’s nothing hidden here. In the Apple iPhone Software Agreement, paragraph 4(b) reads:
(b) Location Data. Apple and its partners and licensees may provide certain services through your iPhone that rely upon location information. To provide and improve these services, where available, Apple and its partners and licensees may transmit, collect, maintain, process and use your location data, including the real-time geographic location of your iPhone, and location search queries. The location data and queries collected by Apple are collected in a form that does not personally identify you and may be used by Apple and its partners and licensees to provide and improve location-based products and services. By using any location-based services on your iPhone, you agree and consent to Apple’s and its partners’ and licensees’ transmission, collection, maintenance, processing and use of your location data and queries to provide and improve such products and services. You may withdraw this consent at any time by going to the Location Services setting on your iPhone and either turning off the global Location Services setting or turning off the individual location settings of each location-aware application on your iPhone. Not using these location features will not impact the non location-based functionality of your iPhone. When using third party applications or services on the iPhone that use or provide location data, you are subject to and should review such third party’s terms and privacy policy on use of location data by such third party applications or services.
They also gather anonymous diagnostic and usage data as per paragraph 4(a).
Why is this a big deal all of a sudden. What am I missing? Is it the encryption bit?
Bob
My understanding is that switching off Location Services has no impact on this.
However, my issue is that simply authorising oneself to do something by sticking wording in lengthy terms is not an appropriate mechanism, to my mind – it needs to be an awful lot clearer exactly what is being done. How many people does Apply think actually read those? Sure, one can make an argument that they should, but, if, as I suspect, relatively few do, sticking wording into terms is simply a legalistic checkbox exercise, rather than a genuine attempt to inform users, and ensure that they know what’s going on. This moves from compliance into a more informative territory, but that’s where things need to go, in my opinion.
Similarly, I have an issue with “click-wrap” licensing in general – how can I give a genuine consent to this (which, despite the wording about “Location Services”, cannot be switched off, as far as I understand – happy to be shown I’m wrong, of course) to something when I’m only told about after I have paid for the product? If it is not made very clear to me at the point of purchase, I can’t find a rationale which convinces me that it is acceptable – all the analysis I’ve read in various jurisdictions might indicate that it is legally binding (and some which argue that it is not), but those which argue that it is binding have yet to convince me. If consent should be clear, unambiguous and informed, I’m struggling to find that consent here.
Just my views, of course – as above, I’m actually greatly enjoying tinkering with these data.
Neil, I agree with you that all this legalese is a royal pain. And I also agree with you that very few vendors make an effort to make it easy to know what you’re agreeing to.
However, they do have to protect themselves, especially in this age of suing at the drop of a hat. So they need to do two things. First make it easy to understand what they’re saying and second to make the terms easy to find.
I’ve seen a few attempts at the first. Usually done with some humour. I want to know where they find their lawyers.
As for the second, the only obvious places would be beside the product on the shelf or have a popup before you buy on the web. I can’t remember if I had to agree to anything BEFORE I bought my iPad from Apple. However, if you look at the bottom of the page on apple.com, you’ll see a Terms of Use link that leads you to all of the Apple agreements including the iPhone 4′s. Apple could argue that if it was important to you, you could read the terms and conditions before purchasing.
But again, how many people will really do that.
Bob
Because so many of the apps on my iPhone – built-in and third party – use location based data, I’ve always assumed that my movements were being logged somewhere.
However, they do have to protect themselves
Absolutely – but, the best way to protect themselves, to my mind, would be to exactly what you say:
“First make it easy to understand what they’re saying and second to make the terms easy to find.”
I’d add a third, and say that everything should be available before the user parts with money, or runs the application (or at least accesses the main functionality of the application) for the first time.
I want to know where they find their lawyers.
I’m undoubtedly biased, since I’d like to consider myself the kind of lawyer who produces this kind of thing (or, at least, proposes it…) and that we’re a pretty rare breed – if only because few lawyers (still) seem to understand not only the technology side of things, but the more societal side of things, understanding user experience and user behaviours. I think part of the problem is lawyers too focussed on the law, rather than on the end product, but that’s just my view on things!
Apple could argue that if it was important to you, you could read the terms and conditions before purchasing.
They could indeed – but, as you say, “… how many people will really do that.” Very few, I’d have thought – it’s the balancing act between a great user experience with the minimum of legalese and clutter, and getting the necessary information across to the user, even if just to tick the box of legal compliance.
There is, perhaps, a counterpoint (and a desirable one at that) to my argument above that information should be given upfront – and the reason for this counterpoint is that requiring information upfront leads one down the path of detailing everything in a lengthy document which a user has to read and agree, which is the very problem I’m trying to solve. I’d much rather, in some respects, that the need for information, notices and the like was eliminated by designing software in such a way as to remove the elements which require notice.
Functionality which requires notice should, as far as possible, be easily and clearly controllable by the user, such that the user is empowered to switch things on or off as they wish – there is obviously an issue where this impairs core functionality, but, here, explaining to the user *why* certain things happen, so that they make decisions in full knowledge and understanding of the facts, should improve the overall user experience, even if it means initial setup of a piece of software takes a little longer.
Where a user needs to make a purchasing decision based on certain information, there must be a better way of achieving this – a link to a website might be one thing, especially for online shopping, but this does not solve physical world sales, although perhaps there are ways of achieving this too. However, where some form of text up front is important, there must be a better way of deploying it – I like the way Creative Commons licences use a multi-layered approach to licensing, and, when I find some time, might be tempted to try to pull together the same for general licensing, although it would likely be far more complicated. Perhaps a table, with common fields, into which the various “answers” can be put… Something for me to think about, for sure!
In short, I honestly don’t think that relying on a “EULA” is the way forward!
@Neil, I don’t know if you ever mentioned you were a lawyer, but I had my suspicions. In which country do you practice?
I am not a lawyer (nor do I play one on TV), in spite of my postings on legal issues. I have, however, been heavily involved in putting together and reviewing Ts&Cs and other documents for the products I manage.
In looking over the iPhone software agreement, there’s considerably more text devoted to 3rd party components than to Apple’s Ts&Cs. So I suppose we’re also agreeing to anything that’s in there as well.
I know the dialog pages of many click-through licenses say that if you don’t agree, you can return the software if purchased.
As for terms, can’t most of the legalese be summarized like
“By using this software, you agree to abide by our patent, trademark, and copyrights and any laws pertaining to them.
You agree not to attempt to hack (or some such term) this software.
…
We may collect anonymous location information. You can disable this collection by turning off Location Services, however applications that depend on those Location Services may not perform as intended.
For complete details and legal descriptions, please go to . The complete details and legal descriptions can also be found in ”
I guess the problem is that the summary doesn’t cut it in legal terms.
Bob
In which country do you practice?
England. Probably “England and Wales” technically, but, since most of my advice relates to trans-European (or wider) matters, revolving around the Internet and communications, it seems to make little difference that I am actually qualified in one place!
I know the dialog pages of many click-through licenses say that if you don’t agree, you can return the software if purchased.
Sure – hence why there have been some interesting-ish discussions about buying a computer with Windows installed, and then seeking to return just the OS (rather than OS + hardware) since you don’t agree to the terms.
However, if I buy something, I tend to do so based on claims of the manufacturer (i.e. advertising, blurb, specification etc.), as well as my own, and third party, opinions – some things which crop up in terms really should be put in specification, to my mind, so I can make an informed decision before buying, even if I then need to click “Accept” when I run the software for the first time, to purportedly evidence that I agree to the terms. It’s difficult – a retailer does not want to have to give a user pages of paperwork to read before buying a copy of Microsoft Office, yet neither should the user have to go through the hassle of returning it to the store if the post-sale licence terms are not suitable.
Similarly, we have this interesting legal fiction whereby the licensing terms are separated from the contract for sale – my contract for the purchase of iWork is concluded when I give Apple the money, and it accepts (roughly speaking
). However, if I then have to agree to further terms when I first run the product, where’s my consideration for that – what is it which makes it a binding agreement? (Licences are rather different to contracts, at least in England, though – one need not accept a licence, or agree to it in any way; it’s merely something which subsists.)
What a tangled web we weave…!
By using this software, you agree to abide by our patent, trademark, and copyrights and any laws pertaining to them.
I tend to delete this clause, unless having an additional contract right of action is required; if you infringe my copyright, I’m likely to have a claim of copyright infringement, for example. Sometimes a contractual right of action might be desirable, but, until one does a risk analysis on a particular product/service, there’s a risk of just including these “because everyone else does”, thus contributing to unnecessarily long agreements.
You agree not to attempt to hack (or some such term) this software.
As above – although, in Europe, one cannot prohibit reverse engineering for the purposes of interoperability anyway.
We may collect anonymous location information. You can disable this collection by turning off Location Services, however applications that depend on those Location Services may not perform as intended.
A trickier one – is it better to start with location disabled, such that the user, in setting up the application, switches it on himself, thereby understanding that it’s being used, or to give a better experience by having it all ready by default? However, it does recognise that, at least in Europe, consent is not the only mechanism by which the processing of personal data can be fair and lawful, which is a step forward!
Until we have more lawyers recognising that there is a world outside the black letter of the law, and focus more of user experience and the like, we’re still likely to get awful terms!
I wonder how much of the apparent need for all these terms is driven by the U.S. where it seems people sue as a sport. So everything has to be spelled out. Look at the list of warnings on some things. Don’t operate your toaster in the bathtub. Actually I’d leave off the warnings. It would cull the gene pool.
Unfortunately, it all spills over into Canada.
Bob
some scenarios
A family member is suffering abuse/neglect and goes somewhere regularly to get counselling – another family member could be tracking them without knowledge.
A phone issued by employer is tracking that employee, this could actually be completely illegal as it is likely to be happening without the consent of employee, even if the employer didn’t know. If the employer does know and does access the itunes data created on employees computer it could significantly infringe the privacy and rights of employee, especially if that data is not protected and is available to other employees.
Students sharing a computer suddenly realise they may have access to each others’ location history.
When you actually think about it, there are situations where someone could be put in danger if they are being tracked/stalked without them knowing it. It’s more than just “I feel uneasy because my iDevice is recording history which might possibly be used for advertising”.
When you actually think about it, there are situations where someone could be put in danger if they are being tracked/stalked without them knowing it. It’s more than just “I feel uneasy because my iDevice is recording history which might possibly be used for advertising”.
I’m not of the view thought that, just because something could be possibly used in a manner which could put someone in danger, it should be prohibited? Yes, location data could be misused, and it should have been *much* clearer what was going on, but I’m not sure I could go as far as to say that the recording of these data was dangerous?
this could actually be completely illegal as it is likely to be happening without the consent of employee, even if the employer didn’t know.
I’d be interested to hear more about this, since I’m struggling (at least under English, and various European, laws) to understand how an employer could be committing a criminal act in this respect?
Who cares whether you are being tracked or not until and unless you are a criminal and feared being tracked down.There are so many third part application these days that you cannot prevent yourself being tracked.
@Neil
the point is that the owner of the device and associated accounts should be easily able to control the tracking and be alerted to it when first configuring the device.
Here’s some information about tracking employees
http://www.uktelematicsonline.co.uk/html/employee_rights_and_vehicle_tr.html
@Jo – Reverse Phone Search
Maybe you’d feel differently if you ever had someone stalk you, who for a short while was a friend who’d had access to your phone and thus acquired a log of your habits?
Google email me routinely to ask me if I want to continue to use their Latitude tracking service.
the point is that the owner of the device and associated accounts should be easily able to control the tracking and be alerted to it when first configuring the device.
Absolutely – this is one of the major points I make above. However, I don’t see how, in this circumstance, the Data Protection Act (since the employer is not a processor of personal data in this situation) or the Human Rights Act would make an employer guilty of a criminal offence.
p.s. my wife started using facebook recently, having caved in due to many friends using it. I asked her if she’d reviewed the privacy settings and she said she was intending to. I explained what the defaults meant, and she immediately changed to more reasonable defaults (i.e. mostly to FOFs) as she hadn’t realised that the defaults were so open.
@Neil
scenario: employer iphone for employee use (this is the case where I work), and staff member syncs their phone to their computer at work. These computers are backed up to a file server, or use that fileserver for roaming profiles. Therefore the server has personal data of employees on it in the form of location tracks etc.
Whether employer knows of it or not, they then have a duty of care to protect that data.
Who cares whether you are being tracked or not until and unless you are a criminal
I do – because I don’t equate privacy with “hiding” in the negative sense conveyed by the “if you’ve nothing to hide…” argument; I don’t necessarily agree with the wide-reaching developments in the concept of privacy, but, since privacy and individual automony (the “right to be let alone” argument) and interwoven, I’m greatly in favour of some rights to privacy. (“Privacy” is not just one thing, to my mind – it’s a catch-all term for a number of different ills, some of which I think require protection, others which I do not – see Daniel Solove’s “Taxonomy of Privacy”.)
Whether employer knows of it or not, they then have a duty of care to protect that data.
I’d see the situation being less clear cut than this, really, when one digs into the definitions in the Data Protection Act. The duty to take appropriate technical and organisation measures only applies to a data controller, in respect of the processing of personal data.
A data controller is someone who determines the purposes for which and the manner in which any personal data are, or are to be, processed – the fundamental distinction between a controller and a processor is the deterministic function of the controller. As such, since the definition requires a “determination”, I’d have thought it at least arguable (and I’m not aware of any case law on the issue) that the person must know what it is that they are processing – if the person does not know that they are backing up personal data, can they be said to have determined the purpose and manner of the processing of those personal data?
I think it was Bruce Schneier who said it’s important to separate the idea of privacy and secrecy.
It’s no secret that everyone uses the toilet, but it’s something we do mostly in private.
It’s no secret that most people have a bank account, but the details of how to access the account are secret, and most people choose to keep the details of their account private and secret.
It’s no secret that people occasionally change job, but they keep it private and secret from existing employer to protect their position.