Lightly regulated apps under no obligation to protect user data
SAN JOSE, Calif. — The disclosure of a hidden file on iPhones late last month drew an outcry because it seemed to record users' every move. But that isn't the only way mobile phone users' movements are being tracked.
In addition to the location data collected by Apple, as well as Google and other companies, wireless carriers have detailed records of their customers' movements based on the cell towers their phones connect to. But privacy advocates most worry about the vast amounts of data collected by the fast-growing and largely unregulated industry of application providers and mobile marketers, who increasingly ask for and gain access to consumers' locations — yet typically offer little information about how they use that data.
"You have lots and lots of companies with no controls around them using sensitive information about you," said Justin Brookman, director of consumer privacy at the Center for Democracy and Technology, an advocacy group. "They don't have to tell you how long they're keeping (your location information), what they're using it for or who they're sharing it with."
Privacy advocates such as Brookman worry that the data could be used for many things other than the intended purpose. Insurance companies, for example, might use it to deny coverage or charge higher auto rates to those who frequent crime-ridden areas. Retailers could use it to charge higher prices to consumers who hang out at upscale malls. Or government agencies could use the data to spy on citizens.
That's a far cry from the uses most of those with a smartphone would be comfortable with.
Phone location data is kept by cell phone providers for emergency situations. But the providers use the data to offer services that allow subscribers to find kids or spouses on their family plans.
Location data is kept by companies such as Apple and Google for "crowd-sourced" databases that can be used to help phones find their locations and to offer information on things such as traffic conditions. Both companies say they keep the data anonymous.
More murky is the use of the data collected by mobile applications and their marketing partners. Many smartphone apps are offered free, supported by advertisements. And the marketers who provide those ads are ever eager to more closely tailor their advertising messages.
"Being able to target down to a user's location is one of several holy grails of advertising and marketing," said Noah Elkin, principal analyst at eMarketer, a research company that focuses on the digital marketing industry. "It gives a marketer more opportunity to target a message that's relevant to not only where a consumer is, but what he or she is doing at a given time."
Location-based advertising via apps is still a young business. Less than 15 percent of apps currently ask for location data for use by advertisers, estimated Krishna Subramanian, co-founder of Mobclix, which pairs mobile applications with advertisers. Currently, most advertising campaigns target particular applications based on who they think is using them rather than on the user's location, he said.
But spending on marketing to mobile users based on their location is expected to jump from $200 million last year to $760 million this year and a whopping $6 billion by 2015, according to marketing research firm Borrell Associates.
Federal law strictly limits how wireless carriers can use location and other data they collect from subscribers; basically, they can't share that data with anyone without users' consent. But those laws don't cover mobile operating system providers such as Apple and Google. Nor do they apply to app developers or mobile marketers.
Apple and Google, which run the two biggest smartphone application stores, require that apps offered in their stores that collect location data request permission from users. And users of devices running Apple's iOS can turn on and off access to location services in those devices' settings menu.
But with apps, users typically have just two choices: They can allow an app to know their location or not. They don't get a choice in how that location data will be used — and typically aren't even told how it's used.
"For the average user, making informed decisions about apps based on what data is collected and how it is used is simply a hopeless task," said Arvind Narayanan, a computer science researcher at Stanford University who studies privacy issues.
Users may be comfortable with an application knowing their location in order to show them nearby restaurants, privacy advocates say. But they may not be comfortable with that application holding on to that data for years or selling it to a third party, which often occurs.
A study by researchers at Intel Labs, Penn State and Duke University last year revealed that 15 of 30 popular Android apps send location data to advertisers — often without notifying users.
"People don't understand what's going on with their data," said John Simpson, director of consumer privacy at Consumer Watchdog. "It's sort of being sucked up without their real knowledge."
Show commenting policy