

Pandora, Angry Birds, other apps selling private info to advertisers - dshankar
http://lifehacker.com/5715188/these-apps-are-rampantly-stealing-your-info-without-permission

======
maukdaddy
_sigh_

Source link without the lifehacker bullshit:
[http://online.wsj.com/article/SB1000142405274870469400457602...](http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html?mod=WSJ_Tech_LEADTop)

edit: Direct link to awesome visualization tool: <http://blogs.wsj.com/wtk-mobile/>

~~~
dshankar
What's the HN etiquette on link sources? I read it first on lifehacker, then
on WSJ. I thought it was appropriate to give credit to the source I read.

~~~
larrik
The official policy is to go to the original source of the story, not the
original source YOU read.

~~~
fakelvis
I completely agree with you and everyone else who takes this stance.

However in this case I'm willing to let it slide as in the past two days this
story has been submitted three times* with a total of 30 upvotes and one
comment between them.

In cases like this I usually upvote the first submission and file under
'Things that I think are interesting, but other people seem not to'.

* <http://news.ycombinator.com/item?id=2018906> <http://news.ycombinator.com/item?id=2019508> <http://news.ycombinator.com/item?id=2018902>

~~~
larrik
Fair enough, but the official guideline is as follows:

"Please submit the original source. If a blog post reports on something they
found on another site, submit the latter."

I think PG sacrifices a lot of clarity for some cleverness here, so here's my
rewrite, that I believe is identical in spirit, and hopefully at least
slightly clearer:

"Please submit the original source. If a blog post reports on something they
found on another site, submit the site the blogger found it on."

Personally, I'm not a rules nut, but he DID ask for the official stance.

~~~
nitrogen
In some instances it is more appropriate to link to a blog:

 _Don't abuse the text field in the submission form to add commentary to
links. The text field is for starting discussions. If you're submitting a
link, put it in the url field. If you want to add initial commentary on the
link, write a blog post about it and submit that instead._

Personally, I think a comment explaining the motivation for linking to a blog
rather than the original source, as dshankar provided, is sufficient to
justify a blog link.

~~~
larrik
Definitely true, but you need to determine if the blog post is adding value to
the discussion, or just sensationalizing it. The world is full of people who
can borrow a few lines and blow them out of proportion, but we should (and do)
expect HNers to do better than that.

A lot of blog posts wind up being just extremely wordy retweets.

I'd also submit that a blog post is the way to go if the source material is
either too technical or too difficult to follow, and a blog post simply makes
more sense to the HN readership. Or, even if the article is just way too long.
Linking straight to a Nature article may be too much for the casual reader.

------
fredoliveira
I am _very_ concerned about this particular comment:

 _"I am a consultant for a software company that does iOS apps. It is scary
how much information Apple gives us about the customer. We know everything the
customer has (ever) done on their device. This includes their browsing
history."_

Can anyone verify this? If so, this is crazy.

~~~
naz
False. Unless the device is jailbroken. Each app has a separate cookie store
and web cache.

However, you can access the address book without prompting.

~~~
uxp
How does jailbreaking enable normal iOS store apps to access other apps'
sandboxed datastores? Or do you mean that only Cydia apps can access other apps'
datastores?

------
Terretta
Most of these are not "selling", they're providing normal 'connected'
functionality. For example, any app that uses a name and password to access a
server, they say is transmitting a password. Any app that you invoke "invite
my friends", they say is transmitting your contacts.

Yes, for example, Angry Birds is doing these things. But it's by your request.
The graphic doesn't show the data being "sold" or sent to marketers.

~~~
brown9-2
Any idea why Angry Birds would be collecting your Location and giving it to
Google and Flurry Analytics, according to this infographic?

Does WSJ mean location as in your approximate locale (useful to understand
where your users are coming from), or actual GPS coordinates?

Their lack of specificity is a bit confusing.

~~~
gyardley
People collect location for a lot of reasons - localizing content, planning
local advertising purchases, selling in-app advertising to agencies who want
to buy access to a particular audience, etc. Sometimes developers just want to
understand where their users are coming from out of curiosity.

Usually country and state fulfills the above purposes just fine. I've seen GPS
coordinates sent off the device and then converted to country / state before
the coordinates were discarded - that's how Pinch Media used to do it. Flurry
typically just works with IP address, but when GPS is used, it does the
rounding off on the device first so the only thing we're sent is already
inaccurate.

------
jlgosse
First off, when you install an application on Android it tells you every
permission that an app asks for, i.e.:

Location Data, Contacts, Etc.

As a developer of mobile apps and a user of both Flurry and AdMob, I send them
both a user's "data" in order to find out the general location of the user, as
well as the OS they are running and the device they own. This isn't "selling"
their data, it's giving it to these analytics platforms so we can view our
audience and therefore allow us to better serve our users/customers.

The same hoopla can be brought up about Google Analytics and AdWords. This
isn't a new phenomenon, and it isn't a big deal.

~~~
jonknee
GPS location and device UUID is a lot different than IP geo-location and
cookie that Google Analytics uses. It's also not possible to block--I block
Google Analytics and sometimes use proxies, but can't tell Angry Birds to not
send out my info.

~~~
Que
You are correct, it is different.

IP Geo-Location is a hack for when GPS Location and uniqueID aren't available,
so the prudent choice to gain accurate analytic info would be to use the most
accurate. Especially if you are a developer / publisher trying to tailor your
functionality to your particular audience.

Android does inform you, in advance of installation of exactly what
information the application would like access to so you can be absolutely
aware of what information you are freely giving up when installing an
application. Your only means to block access however after installation is if
you have root access and modify host entries.

------
JoelPM
Angry Birds Privacy policy:
[http://www.rovio.com/index.php?page=angry-birds---frequently...](http://www.rovio.com/index.php?page=angry-birds---frequently-asked-questions-faq#privacy)

I was pissed until I read the FAQ and discovered when they're using data and
what they're using it for. Basically: If you've registered with Crystal
Something-or-Other they send your data to them. The WSJ article, at least in
the Angry Birds case, seems to have sensationalized things.

------
jamesaguilar
I don't think anyone should be surprised that indeed, phone apps, like all
other apps, send data to analytics providers.

~~~
tdfx
Well... you don't sell many papers when you put it THAT way.

------
brisance
In the submitted subject title, the claim is that private info is being sold.
However, in the original WSJ article:

    Free and paid versions of Angry Birds were tested on an iPhone.
    The apps sent the phone's UDID and location to the Chillingo unit of Electronic
    Arts Inc., which markets the games. Chillingo says it doesn't use the
    information for advertising and doesn't share it with outsiders.

Chillingo does not deny collecting the info, but they _do_ deny using the
information for advertising or sharing it with outsiders.

------
nowarninglabel
I guess Lifehacker (Gawker) is content to give users' personal info away for
free.

------
bad_user
Oh, the stuff you can do on the iPhone.

Just the other day I implemented a hidden webview in an iPhone app. The
webview subscribes users to third-party affiliation programs (e.g. Groupon)
automatically ... basically the thirdparty service is chosen based on how much
money it gives to affiliates / if it's available at the user's location
(that's why it needs to be automatic).

Behind the scenes a Javascript is loaded in the webview that does plain
requests to these services. Because many do not provide an API, I have to fake
it ... XmlHttpRequest is not enough because of all the restrictions. So I
implemented my own XmlHttpRequest-type functionality by using webview-
delegates, but without the restrictions.

The logic behind using a WebView is that you can load / update the
subscription logic on the server-side, without updating the application in the
iTunes Store. Best thing of all, this works even with Apple's earlier
restrictions related to dynamic languages.

Also, the logic behind doing this client-side is that many services complain
when requests come from the same IP. You cannot be caught when moving this
client-side.

Just to be clear: users are properly informed they are going to get subscribed
for spams from their city.

------
ja27
Am I the only one wondering how can I hook up with the advertisers paying for
this data?

------
Groxx
Apparently, the youtube app sends your username and password to... * gasp *
_Google!_

Oh, the horror. Though I'm quite thankful for the breakdown, as a lot of this
is probably almost _completely_ unknown to people, some of the inclusions seem
rather suspect. I wonder if they included legitimate data transmissions to pad
the icon gallery / table.

------
anto1ne
Jailbroken users can install an opt-out pref:
<http://blog.iphone-dev.org/post/164789333/a-pinch-too-much>

~~~
aerique
Also don't forget Firewall iP off Cydia. You get notifications and can set
permissions _per_ app.

Ah, I would never use a jailed iPhone. So much less usable.

------
Aaronontheweb
Honestly, I'm not surprised - the most valuable thing most of these
applications do is produce lucrative information that big budget marketers
would love to sink their meathooks into.

There is nothing wrong with this business model per se, but doing it without
the express consent of your users is wrong and making it personally
identifiable is wrong.

------
RK
Anyone who provides data to mylife.com (Pandora on Android) is evil in my
book.

------
jdp23
With the Commerce Department and FTC reports both calling for better consumer
protection, articles like this highlight how badly the current self-regulatory
approach _isn't_ working.

------
dpcan
It isn't "stealing" if the user agrees to the app's User Agreement that
probably mentions what's happening with the data that is collected.

------
jrockway
I have root on my Android phone. How can I give certain apps fake UUID and
phone number information?

------
GrandMasterBirt
So they need to create paid versions and you pay for this stuff. A game of the
same caliber of angry birds would sell for 20 bucks or so as a computer game.
There you go, shell out the money. Oh wait since everyone wants it for free
you better be willing to pay something. That something is something people see
little value in giving away, but is of high value to advertisers.

