Commentary

Study Confirms Apple Apps Track Users' Info

Last year, a professor at Bucknell University caused a stir with research showing that a majority of the most popular applications available for iPhones use the devices' serial numbers to track users.

Now a much larger study out of the Technical University of Vienna has reached the same conclusion. For that study, researchers examined more than 1,400 iPhone apps and found that more than half of them collected users' device IDs -- 40-digit unique numbers that identify individual phones, according to MIT's Technnology Review. What's more, 36 of the apps accessed the phone's location while five gleaned information about the users' contacts.

Unlike the case with cookie-based online ad targeting -- where users can set their browsers to reject cookies (or click on opt-out links when they're provided) -- people don't appear to have any good way of downloading apps but blocking them from transmitting iPhones' unique serial numbers.

The research could put additional pressure on Apple to either change the design of the iPhone or its approval process for app developers. The company is already facing two potential class-action lawsuits by iPhone and iPad users who allege that the transmission of their devices' unique identifiers violates federal wiretap and computer fraud laws.

4 comments about "Study Confirms Apple Apps Track Users' Info".
Check to receive email when comments are posted.
  1. Edward Hunter from Loop Analytics, January 27, 2011 at 8:50 a.m.

    It's pretty much nonsense. The UDID (the number they are talking about) is no more personally identifying than a network cards MAC address (also unique). Unique identifiers are practically a requirement in digital technology, everything from registering a software product to it's 'owner' from fraud prevention...relies on it.

    Do apps transmit this data? Yep. Does it identify the individual in any way? Nope. This is just another hyped up witch hunt - trying to frighten people into thinking that somehow big brother is watching. Don't believe the hype.

  2. Privacy Privacy from Privee, January 27, 2011 at 3:45 p.m.

    Edward. It's not that clear cut is it. A UDID may well lead to the identification of an individual (app providers sometimes ask for email addresses, names and other personal data for example), apps also access and link SNS data .... and let's not forget that just because you cannot identify someone does not mean that the collection of a UDID and profiling does not have privacy implications for individuals.

    Yes, a UDID is necessary to all sorts of legitimate business needs ... but when it comes to secondary uses that may impact on the privacy of individuals surely the individual should be made aware of this and be given and opportunity express their choice/preference?

  3. J Stein from XXXX, January 27, 2011 at 8:05 p.m.

    You can barely browse websites without having cookies enabled.

    Many apps ask for your current location, big deal. I see it as a function of the app itself.

    I really don't care if Apple, or a 3rd party, can look at say: how many users, with their specific unique IDs, are using this app in this location, that location, etc.

  4. Edward Hunter from Loop Analytics, January 28, 2011 at 10:06 a.m.

    @Privacy Privacy It actually is completely as clear cut as that. as you said, without additional data which the consumer must knowingly provide, the UDID does absolutely nothing. Now, if the consumer provides additional information or specifically opts in (and they must specifically do so) for PUSH or location there are a myriad of ways that an app can persist the link between the persons device and other data. I could cause my app to serialize internally based on the UDID and not even transmit it, but then transmit my unique serial to the server - same thing.

    Remember that we're talking about a carrier mediated space, information about consumers is transmitted at the device level with far more revealing granularity than these apps.

    And just for arguments sake, what implications does non-personally identifying data such as the UDID have when not accompanied by voluntarily offered additional data? I hear a lot of privacy advocates crying foul, but few actually describing clear and present dangers associated with it.

Next story loading loading..