So, Palm was recently caught spying on its users. Major kudos, by the way, to Joey Hess, who initially broke this story. For those who haven’t kept up, various other news outlets and blogs have also been reporting on it.
Palm’s response to this problem is a single paragraph of corporate PR-speak:
Palm takes privacy very seriously, and offers users ways to turn data collecting services on and off. Our privacy policy is like many policies in the industry and includes very detailed language about potential scenarios in which we might use a customer’s information, all toward a goal of offering a great user experience. For instance, when location based services are used, we collect their information to give them relevant local results in Google Maps. We appreciate the trust that users give us with their information, and have no intention to violate that trust.
The problems with this statement are:
- There is no indication of how to turn off this particular piece of data collection. Not on Palm’s web site, not in the user manual that came with the Prē, and not in the Prē’s user interface.
- For all the “detailed language” in Palm’s privacy policy, there is not the slightest indication — anywhere — that they collect information about what applications the user runs.
It’s particularly interesting to look at the “On-Device Services” part of the privacy policy: It mentions types of data that will be collected “If you use services we provide” (emphasis added). For example, they say, “When you use a remote diagnostics or software update service, we will collect information related to your device (including serial number, diagnostic information, crash logs, or application configurations)”. This is the only mention of collecting data about a user’s applications, and it clearly starts with “when you use a diagnostic service”.
It doesn’t say “once per day, no matter what”.
Other items under “On-Device Services” start with “When you use a back-up and restore service…” and “When you use location based services”.
All of this suggests that users have some sort of control over what gets sent and when. The Palm Prē’s “Location Services” preferences item has a control labeled “Background Data Collection”, with the caption: “Allows Google to automatically collect anonymous location data to improve the quality of location services.” (This is after other controls labeled “Auto Locate”, “Use GPS”, as shown at right. If you turn on Auto Locate, you also get a control labeled “Geotag Photos”.)
It doesn’t say that Google (or anyone else) will collect data on what apps a user is running. And it strongly implies that this data will only be collected when I actually run an app that uses location services — for example, Google Maps, or OpenTable (which wants to know where I am so it can try to find nearby restaurants).
And it blatantly claims that if I turn off that switch, it won’t send my data off to big corporations any more.
So far, I’ve verified a few things:
- The application data log includes installs, uninstalls, and launch and close times for all apps, not just Palm’s official ones. Homebrew and third-party apps are included.
- Flipping the Background Data Collection switch does not turn off the contextupload process that’s responsible for sending the information to Palm’s servers.
- Nor does it stop logging application launch and close times. I’ll repeat that: My Prē is still logging application launch and close times into /var/context/contextfile, even though I have Background Data Collection turned off.
We in the technology business have a technical term for what Palm is doing when it claims that it “offers users ways to turn data collecting services on and off” in the context of this particular data. That term is: lying. Palm is lying to us, pure and simple.