Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

US Congressmen puzzled by Apple's iOS privacy policy

Just days after a sensationalist report by the LA Times suggested that Apple was spying on users' location based on an incorrect understanding of the company's revised privacy policy, two Congressmen, one a chair of the House Privacy Caucus, have demanded that the company answer a series of basic privacy questions.

The original report by David Sarno of the LA Times set off a firestorm of privacy panic three days ago after it suggested Apple was tracking iPhone users' locations in some radical new way that other devices weren't, and assumed that users were powerless to do anything about it.

Under the headline "Apple collecting, sharing iPhone users' precise locations," the article stated that the company had updated its iTunes privacy policy, adding "a paragraph noting that once users agree, Apple and unspecified 'partners and licensees' may collect and store user location data. When users attempt to download apps or media from the iTunes store, they are prompted to agree to the new terms and conditions. Until they agree, they cannot download anything through the store."

Just as the company's supplier responsibility report was turned around by a UK newspaper to make it sound like Apple had been caught violating the law and had been forced to admit that it was "using child labour" in China, the company's revised privacy policy, which transparently explains what information it collects, why, and how users can opt out of the data collection, was spun as a new attempt to spy on users in a way that forced consumers to acquiesce.

Apple may have revealed the location of a girl in 1990!

The report has since been amended twice, once to note that users can turn off Location Services entirely or on a per-app basis, while also stating "there's nothing to indicate that these settings prevent Apple itself from gathering and storing location data from Apple devices," and again two days later to acknowledge that the privacy policy change is not really new at all, but rather simply a restatement of the privacy policy contained in the company's product EULAs, which contained precise language instructing how users can withdraw their consent for system wide and per-app data collection.

What the LA Times failed to report is why the change in presenting the privacy policy was made, and how users can opt out of geographic location data used by Apple's iAd program. Formerly, Apple and third parties used Location Services solely to power features such as locating the device in Maps, Find My Phone, GPS driving directions, and similar applications. With the company's purchase of Quattro Wireless, it's now in the business of display advertising, and can potentially allow third parties to collect geographic and other user information to enable ads to provide more relevant and targeted results.

Other ad networks already do this, both on mobile ad networks like Google's AdMob, and in web advertising banners on the desktop, such as those presented by Google's DoubleClick business. Many users appear to be unaware that Google and other advertisers collect and store information about them to refine ad relevance, without ever asking for permission to use this data. Apple's approach is more cautious about the use of private user information, and more transparently presented to the user for approval, with simple controls to turn Location Services features off and opt out of location-based ads.

New Location Services features in iOS 4

in iOS 4, Apple is enabling iAd and other independent ad networks to collect private information, but limits this data collection exclusively for use in improving ad relevance. Apple's SDK rules specifically forbid developers from including code in their apps that would forward private user information to third parties for any other reason, something Jobs characterized as granting users "freedom from programs that steal your private data."

The rules also forbid developers from sending private user information from their App Store titles to Apple's competitors, presumably including Google and Microsoft, which could be used to help those companies to gain deep insight into how Apple's App Store works as a sort of industrial espionage.

Because Apple's iAd is implemented system-wide and can be used across a variety of apps, Apple now includes the privacy policy text in the user agreement for the iTunes Store in general, and forces users to acknowledge and accept the policy before downloading any new apps that may include iAds. Accepting the privacy policy wording does not mean that users have to accept that their location data will be actually used however. Users can, at any time:

  • Turn off Location Services off system wide (which means GPS-enabled apps won't work at all. This has always been possible)
  • Turn off Location Services within a specific app (preventing that app from determining the user's location; users have to first explicitly opt-in to Location Services on a per-app basis before the app can look up their location, so turning an app off is only necessary if the user has allowed the app to access location data. This is new in iOS 4)
  • Opt out of iAd's use of Location Services by going to Apple's "Opt Out" URL from the device: http://oo.apple.com (which will prevent iAds from using location data to customize the ads it presents in apps that use the ad network. This is also new in iOS 4, which premieres the iAd program.)

In iOS 4, Apple also highlights the active use of Location Services (whenever the device's geographic data is being accessed by an app or the system, whether using GPS or Skyhook Wireless' WiFi triangulation data for determining location) with an arrow icon in the top bar of the iPhone's screen. This extra transparency was added in part because apps can now ask the user (via the operating system) to obtain Background Location updates even when they are not running.

If the user approves, the system will track the device's location, then wake the app at regular intervals to provide it with an update it can use to trigger local actions (in the case of an app like Tasker that tracks tasks related to the user's location) or send an update to a cloud service, such as a social networking service like Loopt or Google's Latitude, which track the position of users and their friends.

In comparison, Android phones don't have a standardize system of location lookup. Google offers its own alternative to Skyhook's WiFi location, one that does not work very accurately. Android hardware vendors, however, can implement their own location services, as Motorola has in partnering with Skyhook (like Apple did back in 2007) rather than using's Google's own, flawed location system. There is, therefore, no single entity that controls how locations services work on Android, and subsequently nobody that can enforce privacy policy on behalf of users as Apple does on its iOS platform.

Are you now or have you ever been a member of the Location Services Party?

Despite Apple's clear and unambiguous disclosure of its privacy policy, which seeks to safeguard users' privacy on a level that other smartphone platforms do not, the Washington Post reports that Congressmen Edward J. Markey (D-Mass.) and Joe Barton (R-Texas), the co-chairman of the "House Bi-Partisan Privacy Caucus," have "sent a letter to Apple CEO Steve Jobs asking about recent press reports that the company has updated its privacy policies to alert users that it is collecting and using information about users' precise geographic location."

The letter asks the company to "please explain in detail why Apple decided to begin collecting location data at this time, and how it intends to use the data," apparently completely ignorant of the fact that mobile and desktop ad networks have been using user data, including location data, for years without disclosing this to the user in an accessible, transparent manner.

The letter also asks if Apple is "sharing consumer location information collected through iPhones and iPads with AT&T or other telecommunications carriers," as if mobile operators didn't already know the location of their subscribers based on the fact that mobile devices have to identify their location to cell towers to receive service.

Apple's answers to the questions are demanded by the middle of July, at which time they are likely to be publicly published.