Yeah, they would. In a big way. This is something that most of us would probably expect from Apple, but Palm? Palm is supposed to be the anti-Apple (though I’m not sure what an apple’s polar opposite would be). They’re the ones saving us loads of money with Sprint, offering a physical keyboard, bringing multitasking to the masses. They’re also the ones recording your GPS location once a day along with some other personal data.
The privacy breach was first discovered by Joey Hess, a Debian developer who had started to tinker with WebOS a while back. When he noticed his Pre sending data to Palm on a daily basis, he wondered, as most of us probably would, just what the phone was sending. He didn't have to dig too deep to find the following:
{ "errorCode": 0, "timestamp": 1249855555954.000000, "latitude": 36.594108, "longitude": -82.183260, "horizAccuracy": 2523, "heading": 0, "velocity": 0, "altitude": 0, "vertAccuracy": 0 }
Yes, that is his global position at an accuracy similar to Google Maps. The phone was also sending a list of every application Hess had used, along with usage duration for each app. There were also the expected crash logs and then a file containing every app Hess used, regardless of whether they were Palm-approved or not.
Obviously this has some pretty serious implications. No one likes to know that this data is being collected, and while it’s usually safer to assume that someone is gathering this stuff, the fact that Palm is doing it, after all their horn-blowing about the iPhone, is a tough pill to swallow.
Any company willing to do this sort of thing has to know it will be found out and cover its ass accordingly, right? Right. Palm looks drum-tight in their privacy policy, which states this:
Location Based Services. When you use location based services, we will collect, transmit, maintain, process, and use your location and usage data (including both real time geographic information and information that can be used to approximate location) in order to provide location based and related services, and to enhance your device experience.
On first read you might think, “Gee, that once-a-day collection seems to fall well outside reasonable collection for Location Based Services.” You’d be right, but it’s the second half of the clause where they’ve got you. That part about enhancing your device experience pretty much has you nailed, unless of course you’re able to prove that this collection is doing nothing of the sort. I’m pretty sure you won’t be able to pull that off.
Regardless of clever language, though, it does fall to Palm to alert the user that they are collecting this type of data. That’s why location-based applications on smartphones typically ask the user’s permission to access the phone’s location. Not doing so turns your data gathering into one thing: spying. For Palm, it’s spying on a massive scale.
Since the story broke a couple hours ago, Palm has issued the following statement:
Palm takes privacy very seriously, and offers users ways to turn data collecting services on and off. Our privacy policy is like many policies in the industry and includes very detailed language about potential scenarios in which we might use a customer’s information, all toward a goal of offering a great user experience. For instance, when location based services are used, we collect their information to give them relevant local results in Google Maps. We appreciate the trust that users give us with their information, and have no intention to violate that trust.
Odd. I thought collecting that sort of data without letting your customers know was, by definition, a violation of trust. It also seems incredibly convenient to neglect to mention just where your customers can turn off those data collection services.
For a full list of the data Palm is getting from your phone, head to Hess’s website.
