Wednesday, January 16, 2008

Update: iPhone Location Data EULA

My previous post got me wondering what Apple's EULA says about location data collected by and on the iPhone. Like most people I breezed past the 1.1.3 EULA agreement without studying it, and then found I had to dig around online to find the iPhone License Agreement, which I finally did on Apple's site.

Section 4(b) is the relevant piece:

4. Consent to Use of Non-Personal Data.
(a) You agree that Apple and its subsidiaries may collect and use technical and related information, including but not limited to technical information about your iPhone, computer, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to you (if any)
related to the iPhone Software, and to verify compliance with the terms of this License. Apple may use this information, as long as it is in a form that does not personally identify you, to improve our products or to provide services or technologies to you.

(b) Apple may provide certain services through your iPhone that rely upon location information. To provide these services, Apple and its partners may collect, maintain, process and use your location data, including the real-time geographic location of your iPhone. By using or activating any location-based services on your iPhone, you agree and consent to Apple's and its partners' collection, maintenance, processing and use of your location data to provide you with such services. The location data is collected in a form that does not personally identify you. You may withdraw this consent at any time by turning off the location-based feature on your iPhone or by not using the location-based features. Turning off or not using these features will not impact the functionality of your iPhone.

A couple of basic points here. First, Apple asserts that they may collect and share with its partners location data from the phone. They secondly assert that the location data is collected in a way so as not to "personally identify you." I am not sure I agree with that statement based on my previous post, but let's give them the benefit of the doubt for now.

Second, they go on to say that the user can "withdraw their consent at any time" by "turning off the location-based feature." How? Where is that button in the preferences?

Third, they make the statement that "turning off or not using these features will not impact the functionality of your iPhone." Uh, yeah it will (assuming it were possible). I won't have location-based services or maps, which is a real reduction in the functionality of the phone.

Let's take a look at the newly published iPod Touch January '08 Software Upgrade License Agreement, which we would expect should address the newly-added location features specifically.

Once again, the same section 4(b) contains the same text as the iPhone Software License Agreement. So, they consider the location services in the iPhone and iPod Touch to be legally equivalent, which is interesting to note.

Seems to me Apple's in an interesting place with this location data business. The location data that is collected is packaged in HTTPS, so we can't inspect it. It is theoretically possible that it contains nothing that can identify a given user "personally," but what does that mean?

Does it contain an iPhone serial number, or an IMEI number, or a phone number? How is this data stored? While that data, by itself, may not personally identify you, could it be correlated with data that does? Is that possibility covered by the SLA as written?

I will assume that Apple and its lawyers have thought this through. However, there are some interesting issues raised here. Now that the iPhone/iPod Touch has location support, we should expect Apple, and possibly third party developers, to leverage that location data in interesting ways.

The most interesting ways involve tying identity to location, so if anything is going to happen down this path, then the SLA, as written, is not going to suffice.

In the meantime, you can bet that somebody is going to consider whipping up a class action suit because there is no clearly marked way to turn off the location-based services, and because "turning off LBS" does affect functionality -- your phone doesn't know where you're at!

And keep an eye on that SLA for future versions -- you can bet that the wording on the location data is going to evolve.

No comments: