Friday, April 22, 2011 - 13:29

Apple vs. Google: Spy vs. Spy

Recently Apple's extensive - not to say obsessive - and secretive way of collecting location data from GPS or WIFI enabled iOS devices hit the big stage. Apple seems to be rather secretive about it... naturally, if you get caught red-handed in the cookie jar. They probably need to figure out a good excuse for that abuse. However, an equally big privacy intrusion is happening on the other side of the pond. It is equally known in smaller circles and it surely will hit the big stage again anytime soon, probably when Apple starts to point fingers in that particular direction. When you enable your Android device you may or may not allow Google to collect anonymous data about various sensors your device is equipped with: GPS, WIFI, 3G etc. This data isn't really anonymous as in anonymous. It's more anonymous in the way that your name or account isn't linked with it. Your phone, however, is. And what's more important: Google is probing data that you don't really have a final say about.

To give you two examples:

One of the purposes of this data collection is swarm based traffic analysis. Google's using the data to analyze how your car moves and those cars around you - if the drivers are also using Android based navigation. If you're on a highway and your car is moving suspiciously slowly together with a couple of other cars around you, this is a pretty sure clue that you are in the middle of a jam. And that pretty much got rather effective lately. A useful service I'm happily providing data for.

Now the problem is that you can't specifically allow one usage and not the other. It's an all or nothing thing. Another usage, for example, is wardriving. Wardriving means that you collect data about WIFI access points. The more the better. Now when you move around with your Android based phone and happen to have WIFI enabled, Google is doing exactly that: mapping each and every WIFI access point it can get a hold of. Now one could argue that this data isn't particularly a secret since the owners are obviously spreading that information. But it is also not a decision that you should make, or could make at all. In the end you are not particularly well informed about what "anonymous data collection" actually means. Samy Kamkar has a pretty decent form over here to demonstrate it. I'm really at the arse end of nowhere here and my WIFI is mapped down to what I'd estimate a couple of meters.

Now it's not a big secret that I run a WIFI access point. It doesn't leak that information to the outside other than locally over the air. It's not that a connection to the net over that access point could - in combination with such a database - ID me or anyone who's using it. But it's a pretty good demonstration of what is possible. Because quite frankly, if that thing had a fixed IP, which in times of IPv6 will be more than likely, and that IP is documented together with the HW address, then indeed every connection that is initiated over that access point will be identifiable and traceable to a location within ~60m around my house. And that would be quite far from acceptable.

Is that legal? Mostly yes, it is. It's your problem if you're transmitting such information to a public space. Over here in Germany Google did the very same with their StreetView cars until they got some flak from public authorities. I however doubt this would have been enough to make a legal case if Google hadn't agreed to stop it. And naturally there was nothing to lose as every phone is doing the same. Just not as effective and structured. But in the end Google's getting the same data. And this has been known for quite a bit longer than StreetView cars on the road. I'm pretty sure Google implemented it in the cars to speed up the collection from phones.

Now what's the deal about this excessive collection of - on first sight - information of limited use? It's location based advertisement. Most likely for both of the culprits. Google is just lightyears ahead of what Apple is... well, trying there. But Google's the #1 in the advertisement business after all and that has a reason. Right now the best bang you can get for the buck is to know what a guy is interested in. What he's buying. Maybe what friends are buying. Generally information on how likely he might or might not be interested in your product. It's rather pointless to try to sell rheumatism related products to a 14yo girl who's apparently into running a lot. It's better to present her some shiny new Hello Kitty running shoes.

If you roughly know where someone is you can do a lot more. You don't get an ad for those shiny new Hello Kitty running shoes. You get an ad where you can BUY them around the corner. Next corner, 200m right side. Jack's running shoes LLC. Hello Kitty running shoes. 4 colors, all sizes. Today 20% off.

THAT'S effective targeted advertisement and Google's in the process of getting ahead of the train. As long as you call the rest actually ON the train.

It's very edgy. On first sight there's not much wrong with that at all. In the end I don't give a fuck about either. The real problem in my opinion is the stuff that's going to happen around this issue. Such data is invaluable and has a very high potential to be recycled in a way that it was never meant to be used for. And if you own this data there will be a lot of guys who are particularly interested in getting a hold of it. Data can be merged. Two rather useless pieces of information can be combined into a pretty neat detail. The more data is available, relevant or not, the more data can be merged. And we already got a lot to merge. Sometimes you can really shock people - and surprise yourself - with how much you can actually find out about someone who's not really deliberately spilling that information. It's a piece here, another there and soon after you know that John Doe is a 30yo, married with two kids, closet homosexual banker in upper Manhattan with a surprisingly high interest in women's clothes, while his wife Jane apparently has the same training times as his best friend Dave.

Are laws required to counter the impact of this problem? I think so. There's no way the average user will have any control over his data. We're no longer in a time where it was your problem if you gave it away. We are in a time where your data will go away. Sometimes even without you doing anything.

For example, all your friends syncing their address books with Facebook. You don't have to be a member. You don't even need to know that guy particularly well. They have a Google Mail account. You don't need to know about that. They could pull it in from other accounts.

I'm not saying these services are evil or bad in general. It's just that combining some services places us all in a position we never signed up for. Sometimes with our help. Sometimes without. It's not that the alternative could be a very friendly but final FUCK OFF on everything.

The government is doing the same in various areas. And it's not that a FUCK YOU would be a rather elegant way to get rid of the tax office.

Merging data without consent of the owner must be prohibited and it must be enforced with something that hurts. Merging data as a government must be limited to what's necessary for the task. Not what's possible and maybe useful some time later.