Last week it was revealed that iOS devices cache a large amount of location data in a file that is backed up to users' computers. The file is hidden from normal access on iPhones and iPads, but is unencrypted, and unless users also opt to encrypt iOS backups in iTunes, the file is also unencrypted. While someone would need physical access to either device to get the information, concerns were raised that the information could be used to track individuals, thereby compromising their privacy.
Apple later explained that the data was a cache of nearby cell tower and WiFi access point locations downloaded from Apple, which iOS devices can use to more quickly narrow down a users location when GPS signals are weak or nonexistent. The company admitted that the cache was designed to collect more data than was necessary, and said that an upcoming iOS update would restrict the size, encrypt it on the device, and keep the data from being backed up to users' computers when syncing with iTunes.
Furthermore, Apple explained iOS devices do in fact collect GPS coordinates for cell tower locations and WiFi basestations to expand and refine Apple's database if users elect to send anonymous diagnostic data to Apple when setting up a new device. That data is periodically sent to Apple—about every 12 hours, according to a letter sent to Congress last year. The data is encrypted and does not include any device IDs, making it impossible for Apple to track any particular user with this information.
Last week developers also revealed that Android devices keep a similar cache of cell tower and WiFi data, though Android limits the amount of data to 50 recently accessed cell towers and 200 recently accessed WiFi networks. Like iOS devices, a person would need to "root" (similar to "jailbreaking") an Android device to get the data, but in contrast to iPhones this data isn't synced to a computer.
More disconcerting, however, is the fact that Android devices collect "its location every few seconds and transmitted the data to Google at least several times an hour," according to research by security expert Samy Kamkar. Google said it uses this data for a variety of uses, but unlike Apple, Android attaches a unique ID number to the data. While that ID number is effectively random and can't be directly linked to a particular device or user, it is possible to analyze such data and correlate it to particular individuals using increasingly advanced "deanonymization" techniques.
Detroit area residents Julie Brown and Kayla Molaski filed a class action lawsuit against Google over concerns that the location data that Android devices send to Google "several times per hour" is tied to a unique (though random) device ID. The lawsuit further alleges that this data is sent to Google unencrypted. "The accessibility of the unencrypted information collected by Google places users at serious risk of privacy invasions, including stalking," according to the complaint.
Google has maintained that the collection of the location data is entirely opt-in. "We provide users with notice and control over the collection, sharing and use of location in order to provide a better mobile experience on Android devices," Google spokesperson Randall Safara told Ars last week. However, the class action lawsuit claims that Google very well knew that "ordinary consumers acting reasonably would not understand the Google privacy policy to include the extensive location tracking at issue in this case."
The plaintiffs believe that Google's actions violate the federal Computer Fraud and Abuse Act, various state consumer protection laws, as well as "common law rights" to privacy.
"It is unconscionable to allow Google to continue unlawfully and without proper consent to extensive tracking of Plaintiffs and proposed Class members," according to the complaint. "If Google wanted to track the whereabouts of each of its products' users, it should have obtained specific, particularized informed consent such that Google consumers across America would not have been shocked and alarmed to learn of Google's practices in recent days."
The lawsuits asks the court to require Google to either give up tracking Android users or to clearly inform users of "its true intentions about tracking," including whether that information is released to third partis are used for marketing. It further seeks monetary damages "in excess of $50,000,000.00" as well as punitive damages on top of that amount.
Both Apple and Google plan to attend a hearing before the Senate Judiciary Subcommittee on Privacy, Technology, and the Law on May 10 to discuss the very issues called into question in the lawsuit. Representatives from the US Department of Justice, Federal Trade Commission, Center for Democracy and Technology, and others will talk about what the latest mobile technology means for privacy and the law. Justin Brookman, who will be testifying at the hearing for the CDT, believes the law needs to be updated to account for the reality of modern mobile technology.
The best way to address these cross-platform, cross-industry questions is through public policy," Brookman recently wrote in an editorial on CNN.com. "We need legislation that establishes fair information practices for commercial collection, disclosure and use of all consumer data—but especially for sensitive data, like geolocation information—and we need the courts and Congress to update the rules for governmental access, to require a judicial warrant for tracking the location of cell phones and other mobile communications devices."
