
Thursday 4 November 2010

Recently I was in a Twitter conversation with @rashikparmar and @yorxbrox about privacy concerns associated with geolocation services on smartphones. The concern is about the ‘big brother’ possibilities here – in particular, where apps may disclose location details furtively to the internet.

The conversation got me thinking (or maybe worrying), so I thought it worth actually digging into how my phone of choice (iPhone) handles this issue, so here goes. Apple’s approach is based on three complementary solutions:

  1. Transparency – making it clear to the user when geolocation data is being accessed, so that they are empowered to identify undesired behaviour
  2. Permission – ensuring it is impossible to access geolocation data without user permission, and that users have sufficient ability to refuse that permission
  3. Review – the App Store review process and guidelines make it clear that Apple applies a ‘reasonableness’ check and that apps must explain the use of private data to users

The way these approaches are implemented is as follows:

  • The first time an app requests geolocation data, iOS pops up a dialogue box asking the user’s permission to access their location (“App xx would like to use your current location”) and presents the options “Don’t Allow” or “OK”. The user has the option to refuse permission, in which case it is not possible for the app to use geolocation data. I have tested this, and the Objective-C statement [locationManager startUpdatingLocation] causes iOS to request user authorization – this is the statement that turns geolocation services on. As the request for authorization is tied to the actual collection of geolocation data, arguably this is more transparent than the install-time permission systems some other environments use; i.e. I am more likely to wonder why I am being asked permission if the function in the app I am using does not obviously need geolocation data, whereas at install time I’m more likely to assume it’s all OK and just authorize without thinking.
  • Whilst geolocation services are turned on, iOS places an icon at the top of the screen warning the user that their location is being accessed. [locationManager startUpdatingLocation] turns this on and [locationManager stopUpdatingLocation] turns it off. This is a function of iOS and it’s impossible to access geolocation data without the icon being present. Similarly, an app is not able to override or remove the icon – so geolocation data collection is always transparent to a user.
  • The iOS Settings app allows a user to globally turn geolocation services off. Once off, no app can access geolocation data.
  • The iOS Settings app maintains per-app switches that allow a user to turn geolocation data off for each individual app. If you turn geolocation off for a specific app in Settings, from that point on the app cannot access geolocation data.
  • Apple’s App Store uses a curated model. Apple review all apps and their code for compliance before an app is published. The App Store review guidelines, against which apps and their code are checked by Apple, include the following:
      o Apps that do not notify and obtain user consent before collecting, transmitting, or using location data will be rejected
      o Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used
  • It is a trivial matter for Apple to check for the use of location services and then validate that its use is ‘reasonable’ and that sufficient explanation is given to users. We know that Apple does this, as there has been a certain amount of publicity and complaint about this within developer circles. It is unusual, and somewhat controversial, for developers to have their code subject to review by the platform vendor. Apple are known to regularly reject apps for non-compliance with these rules.
  • Apple also review all releases of an app in the same way and against the same criteria as the original app submission. Yes, this is an overhead and yes this can delay the release of bug fixes, but Apple are trying to protect their users and guard against bad things.
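As an added illustration (not code from the original post), here is how an app would drive the behaviour described above with CoreLocation: it checks the global and per-app switches before asking, lets startUpdatingLocation trigger the permission dialogue and status-bar icon, handles a refusal, and stops updates as soon as a fix arrives so the icon disappears. It assumes iOS 4.2 or later for +authorizationStatus, ARC, and a hypothetical class name PrivacyAwareLocator.

```objective-c
#import <CoreLocation/CoreLocation.h>
// PrivacyAwareLocator is a hypothetical class name chosen for this example.
@interface PrivacyAwareLocator : NSObject <CLLocationManagerDelegate>
@property (nonatomic, strong) CLLocationManager *manager;
- (void)requestOneFix;
@end

@implementation PrivacyAwareLocator
- (void)requestOneFix {
    // Global switch in Settings: if location services are off, no data
    // can be obtained, so don't create a manager or trigger a prompt.
    if (![CLLocationManager locationServicesEnabled]) {
        NSLog(@"Location services are disabled system-wide");
        return;
    }
    // Per-app switch or an earlier "Don't Allow": the user already decided.
    CLAuthorizationStatus status = [CLLocationManager authorizationStatus];
    if (status == kCLAuthorizationStatusDenied ||
        status == kCLAuthorizationStatusRestricted) {
        NSLog(@"Location access refused for this app; not asking again");
        return;
    }
    self.manager = [[CLLocationManager alloc] init];
    self.manager.delegate = self;
    self.manager.desiredAccuracy = kCLLocationAccuracyHundredMeters;
    // This is the call that makes iOS show the "would like to use your
    // current location" dialogue on first use and the status-bar icon.
    [self.manager startUpdatingLocation];
}

- (void)locationManager:(CLLocationManager *)manager
    didUpdateToLocation:(CLLocation *)newLocation
           fromLocation:(CLLocation *)oldLocation {
    NSLog(@"Fix: %f, %f", newLocation.coordinate.latitude,
          newLocation.coordinate.longitude);
    // Stop as soon as the app has what it needs: this removes the
    // status-bar icon and ends collection.
    [manager stopUpdatingLocation];
}

- (void)locationManager:(CLLocationManager *)manager
       didFailWithError:(NSError *)error {
    // kCLErrorDenied arrives when the user taps "Don't Allow".
    if ([error.domain isEqualToString:kCLErrorDomain] &&
        error.code == kCLErrorDenied) {
        [manager stopUpdatingLocation];
        NSLog(@"Permission refused; continuing without location");
    }
}
@end
```

Note that the app never has to ask twice: once the user has refused, +authorizationStatus reports it and the code skips the prompt entirely.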

You can make up your own mind about the privacy risks here - personally, I feel comfortable that I am in control and the risks are minimal. I don’t have an Android device with which to do a similar investigation, but would be interested to hear from anyone who does.
