Apple and Google Defend Their Handling of Data

Apple and Google Defend Their Handling of Data

Congressional testimony centers around what “location” really means, and who’s responsible for how apps behave.


Apple and Google are scrambling to regain trust after revelations about the way smart phones and tablets handle users’ location data. In a U.S. Senate subcommittee hearing held today, representatives from Apple and Google stressed that their companies had streamlined and clarified their handling of location-based data. But a key unanswered question is how they’ll let third-party app providers share that information.

The problem is that users enjoy location-based services, but most don’t understand what happens to the data they share in exchange for using those services. Senators wondered if location data was being stored securely enough to protect users. They pointed to the lack of privacy policies for many mobile apps, and noted that even when users are aware of what happens to their data, they may find it difficult to control.

For example, until Apple’s update to iOS last week, someone who opted out of location services wasn’t actually turning off all of his device’s location-based sharing. Apple said the problem was due to a bug that has since been corrected.

Guy “Bud” Tribble, vice president of software technology for Apple, testified that “Apple does not track customers’ locations. Apple has never done so and has no plans to do so.”

Tribble said that the location information found on phones represented a portion of a crowd-sourced database that Apple maintains in order to process location information more rapidly than is possible through GPS alone. The company stores the locations of cell towers and Wi-Fi hot spots collected from millions of devices. User devices note which towers and hot spots they can connect to, and use that to quickly deduce location. He said that the information stored on iPhones was never a user’s location.

But Ashkan Soltani, an independent researcher and consultant who also testified at the hearing, suggested that Tribble’s explanation was disingenuous. For users who live in urban areas, Soltani said, the data on phones pinpointed hot spots as close as 20 feet away—which, he argued, is effectively the user’s location. “We need a clear definition of what ‘location’ means,” he said, and also called for more clarity about what constituted an “opt-in” policy.

The picture gets even muddier when third-party apps are considered. “Users don’t have a very good idea about what a lot of the applications on their phones are doing,” says Stuart Anderson, cofounder of Whisper Systems, a company that makes security and privacy software for Android phones. “Applications ask for very broad permissions.” Anderson notes that these permissions include the functions users expect, but might also cover unexpected actions from third-party code, such as monitoring used by advertisers.

To make matters worse, users don’t have fine-grained control—Anderson notes that they don’t have the ability to adjust a phone’s behavior or give selective permissions (his company recently released a product designed to do just that).

Apple, which observes a strict review policy for entrants to the App Store, seems to hope that its design standards will keep third-party apps on their best behavior. “What we need to do is put things in the user interface that make it clear what the app is planning to do,” Tribble said. He pointed out that Apple currently has an icon that shows whether an app has used location data within the past 24 hours. He said that Apple doesn’t believe that providing a technical means of limiting the information that apps can access would work. Instead, he said, the combination of the review process and design decisions would provide sufficient quality control.

Alan Davidson, Google’s director of public policy for the Americas, pointed to Google’s contrasting vision of an open app market. Instead of Google reviewing apps, Android devices are designed to recognize what an app is asking for, and alert the user, he said. Google has worked hard to make the resulting notifications understandable and useful, he said.

Both companies argued that they weren’t responsible for what apps do on their platforms. Such a stance, however, is unlikely to appease regulators or customers, which means that Apple and Google may soon have to take more responsibility for how third parties behave on their platforms


Seven Ways to Get Yourself Hacked


been the victim of hackers who’ve taken over their Gmail accounts and sent out e-mails to everyone in the address book.

The e-mails, which appear legitimate, claim that the person has been robbed while traveling and begs that money be wired so that the person can get home. What makes the scam even more effective is that it tends to happen to people who are actually traveling abroad—making it more likely that friends and families will be duped.

Although it’s widely believed that a strong password is one of the best defenses against online fraud, hackers increasingly employ highly effective ways for compromising accounts that do not require guessing passwords.

This means that it is more important than ever to practice “defensive computing”—and to have a plan in place for what to do if your account is compromised.

Malware. Sometimes called the “advanced persistent threat,” a broad range of software that was programmed with evil intent is running on tens of millions of computers throughout the world.

These programs can capture usernames and passwords as you type them, send the data to remote websites, and even open up a “proxy” so that attackers can type commands into a Web browser running on your very computer. This makes today’s state-of-the-art security measures—like strong passwords and key fobs—more or less useless, since the bad guys type their commands on your computer after you’ve authenticated.

Today, the primary defense against malware is antivirus software, but increasingly, the best malware doesn’t get caught for days, weeks, or even months after it’s been released into the wild. Because antivirus software is failing, many organizations now recommend antediluvian security precautions, such as not clicking on links and not opening files you receive by e-mail unless you know that the mail is legitimate. Unfortunately, there is no tool for assessing legitimacy.

Windows XP. According to the website w3schools, roughly 33 percent of the computers browsing the Internet are running Windows XP. That’s a problem, because unlike Windows 7, XP is uniquely susceptible to many of today’s most pernicious malware threats. Windows 7, and especially Windows 7 running on 64-bit computers, has security features built in to the operating system such as address space randomization and a non-executable data area. These protections will never be added to Windows XP. Thus, as a general rule, you should not use Windows XP on a computer that’s connected to the Internet. Tell that to the 33 percent.

Kiosk computers. You should avoid using public computers at hotels, airports, libraries, and “business centers” to access webmail accounts, because there is simply no way to tell if these computers are infected with malware or not. And many of them are running Windows XP. So avoid them.

Open Wi-Fi. Wireless access points that don’t require an encryption key to access don’t protect your data as it transits through the air. This means that your username and password can be “sniffed” by anyone else using the access point as well. I haven’t been able to find any reports of malware-infected laptops running sniffers at coffee shops, but it’s really just a matter of time. The only way to protect yourself is to be sure that the websites and e-mail servers you use employ SSL (“https:”) for everything, not just logging in.

Man-in-the-middle attacks. Those same open Wi-Fi access points can sniff your password using a variety of so-called man-in-the-middle attacks, in which your computer sends information to the wrong website, which, in turn, passes it to the correct one—so that the communication channel seems fine.

Man-in-the-middle attacks are especially easy over Wi-Fi, but they can take place anywhere on the Internet. Man-in-the-middle attacks can also be implemented through malware. Here even SSL is not enough—you need to be sure that the certificate of the SSL-enabled website is legitimate (a forged certificate will tell your browser that it’s connecting to the right site using SSL). Most people also ignore certificate mismatch errors.

Phishing scams. Surprisingly, a fair number of users still fall for phishing scams, in which they voluntarily hand over their username and password to a malicious website. Typically users end up at these sites when clicking on a link they receive by e-mail.

Different website, same password. Finally, many websites (including major newspapers and magazines) require that you set up an account with an e-mail address and a password in order to access their content. Don’t use the same password that you use to access your e-mail—otherwise the website owners (and anyone who hacks that website) will be able to take over your other accounts, including your e-mail.

What happens if you follow all of these precautions and your e-mail account still gets compromised?

Here are some ideas:

Be an authentication pioneer. Google, E*Trade, and other firms have deployed systems that allow you to augment passwords with your cell phone or a handheld security token. Although these systems can be defeated with malware, they are still more secure than passwords alone. Currently you need to opt in to these systems. If you care about your security, you should be a pioneer and give them a try.

Be prepared. Google, Facebook, Apple, Amazon, and others allow you to take proactive security measures to protect your account in the event that the password is compromised. This includes registering alternative e-mail addresses, registering cell phone numbers for backup authentication, and providing answers to “secret questions.” Unfortunately, you have to do this before your account gets hacked, not after.

Be alert. Facebook allows you to provide a cell phone number that gets an SMS message whenever someone logs in using a different browser. This is a simple, effective way to monitor when someone other than you accesses your account. If your account is accessed, you’ll be in a race to change your password before the attackers do.

Maintain multiple accounts. Don’t put all of your eggs in one basket! Have accounts at multiple e-mail providers—and accounts at multiple financial institutions for your money, as well. That way, when you get hacked, at least you’ll have a backup.

Keep offline copies. Finally, don’t keep the sole copy of your precious data at some cloud provider—download your data to your home computer, then burn it to disc or copy it to a disconnected hard drive. That way, even if you lose your online access, at least you’ll have a copy.



Apple Ignored Warning on Address Book Access



Apple was warned as long ago as 2010 that the popular Gowalla location-sharing iPhone app was uploading users’ address books without alerting them, Technology Reviewhas learned.

This raises questions about why Apple didn’t do then what it announced it would do yesterday. In a statement, the company said software upgrades for iPhones would be issued to protect users from the practice, which is forbidden.

Apple’s statements follow a series of revelations over the past week concerning apps that access users’ address books. The revelations began when an independent developer discovered that the two-million-user-strong social network Path collects users’ address books, assembling vast collections of names, e-mails, and phone numbers without consent. Others found that some other popular apps, including the location-sharing services Foursquare and Gowalla, do the same. Transmitting and storing users’ address books exposes them to an increased risk of their personal data being leaked, perhaps through an attack like the one that extracted credit-card details from Sony last year.

The criticism that followed these discoveries—compounded by evidence that Apple ignored a warning about such behavior from academic researchers in 2010—has led to calls for the company to alter iOS and reform its famously opaque application approval process.

In the longer term, all smart-phone operating systems may need more effective privacy controls to better explain what personal data they collect, and to let users opt out. Google’s Android mobile operating system already requires apps to receive explicit permission to access contact books or other private data, but app makers do not need to explain how that information will be stored or used, and many users seem not to fully understand what they are handing over.

In 2010, graduate student Manuel Egele and colleagues at the University of California, Santa Barbara, used a tool called PiOS to scan 1,400 iPhone applications for signs that they leaked sensitive user data. PiOS flagged Gowalla’s app because it stealthily uploaded a user’s entire address book to the company’s servers when a user viewed his or her list of phone contacts through the app.

That was a clear breach of user privacy, and of Apple’s own rules for inclusion in the App Store, says Egele, now a postdoctoral researcher at UCSB. But when Apple was contacted about it, a series of representatives showed little interest, he says. “We even took screenshots that showed it was being sent unencrypted,” he says. “They said, ‘If you have a privacy concern, you should contact the developer.’ ” Egele and colleagues presented a peer-reviewed paper on the work, including an account of their Gowalla finding last year.

Apple did not reply to inquiries about the 2010 incident. But its first public statement on the address-book saga, made yesterday, implied that it had only just become aware of the issue.

Sooner or later, Apple may have to make more significant changes, says Ty Rollin, chief technology officer of Mobiquity, a large app development agency in Wellesley, Massachusetts. The existing design of iOS made what Path and others did “easy,” he says, and it doesn’t seem to safeguard personal data. Apple should add detailed privacy settings that provide fine-grained control over what different apps can do with the data on a phone, similar to those provided for Facebook apps, says Rollins. “That needs to happen to phones, too,” he says. “I don’t know why they’re taking this piecemeal approach now. Maybe they were trying to maintain this pristine interface.”

Apple has a reputation for tightly controlling what users can do with their mobile devices and for enforcing strict rules on which apps are permitted into the App Store. Yet in the case of Path, and some other apps, it did not seem to impose those rules. That is problematic, because Apple has chosen to rely on those rules to protect users from an app’s behavior, rather than on technical features built into iOS. Technically, an iOS app could access other personal data, including photos, music playlists, recently viewed videos, and a device’s unique IMEI identifier, which can be used for ad tracking. No one has yet reported that any popular apps improperly use that data, however.

Within the startup community, ready access to user data has been seen as a powerful tool, says Aza Raskin, cofounder of mobile health startup Massive Health. That perception may now change. “The more you know about someone, the better the feature set can be,” he says. “Privacy is sadly something that most people don’t think about [because] there isn’t enough consumer demand.” Path and others copied address books so they could inform their users when friends also joined and encourage more use of their social networks.

Apple’s aura of control may have convinced developers, security researchers, and users that personal data was being handled properly. “We’re seeing some of the disadvantages of a closed ecosystem,” says Raskin. “If that was a Web product, this would have been discovered long ago.”

Google takes the opposite approach with the Android Market. It doesn’t actively vet apps, but instead has built features into the operating system that make the data that apps can access transparent to a user. In practice, however, this may not provide much better protection than iOS does.

Although an Android user is asked to approve the data that an Android app can access, many people hurriedly tap “OK” rather than reading that list as they rush to try out their new app, saysAdrienne Porter Felt of the University of California, Berkeley. She and colleagues are writing up the results of a study of how people handle Android app permissions. “Most people don’t pay attention to them. A small amount of people do, about 17 percent,” says Porter Felt. Studies on security warnings in browsers and on Microsoft Windows have shown that repeated exposure

to such warnings dulls their impact.

There are 174 different types of permission that Android apps are required to ask for, says Porter Felt, compared to just two on iOS—for apps that want location access or that want to send push notifications.

Raskin of Massive Health says that Apple now has an incentive to develop a fundamentally new method of user privacy controls—one that does not bombard them with dialogs or present a complex panel of options. “This is something where they can really push the bar forward.”

Apple may be motivated by more than the bad press triggered by the Path case. Two members of the U.S. House of Representative’s Energy and Commerce Committee wrote to Apple CEO Tim Cook yesterday to ask a series of questions about the access that apps can have to users’ contact data. The U.S. Federal Trade Commission has become increasingly interested in what tech companies do with user data in recent years, and it could conceivably decide that Apple has neglected its responsibility to protect users. Last autumn, both Google and Facebookagreed to 20 years of regular privacy audits by the FTC after the commission charged them, separately, of “deceptive” use of private data.











































Charge Your Phone and Your Car


Over the air: Witricity’s CEO Eric Giler holds a light that is powered remotely by the pad behind it.


Eric Giler points a remote control at a small black pad leaned up against a wall, and three lamps instantly light up and a tablet computer starts charging. The funny thing is, the devices all sit several feet away from the black pad, which provides power, and aren’t plugged in.

Giler is the CEO of Witricity, a startup that hopes to revolutionize electronics by replacing wireless charging systems with ones that send power safely through the air. The nearly five-year-old company uses technology developed at MIT that extends the range of inductive wireless charging.

Witricity says its first products—for charging portable electronics—could be on the market later this year. Within a year or two, similar technology could allow electric-vehicle owners to charge their cars without plugging them in. This could be followed by wireless power for heart pumps and other medical implants.

The idea of wireless power transfer is hardly new. Nikola Tesla demonstrated a version of it a hundred years ago, and inductive chargers for electric toothbrushes and video game controllers are now widespread. But the inductive chargers available today work over only very short distances and require physical contact between the charger and electronic device, which isn’t much more convenient than plugging a device in.

Inductive charging systems work by passing a current through a coil to generate a magnetic field, which creates another electric current in a similarly sized and oriented coil in the other device. Move these coils apart, and the efficiency of energy transfer drops off quickly. To increase the distance at which the power is transferred efficiently, Witricity tunes the sending and receiving coils to resonate with each other at a specific frequency with very little energy loss within each resonator.

The distance that power can be transferred in this way depends on the size of the coils. If both the sending and receiving coils are small, as may be the case with a system for mobile phones, the charger and the phone need to be placed within several centimeters to charge efficiently. But Witricity has also shown prototypes with larger coils that can send power at distances of about a meter. (Power can also be beamed with lasers and microwaves, but this requires a direct line of sight and can raise safety concerns.)

Park and charge: These pads transmit power wirelessly from the floor of a garage to the bottom of a car.

It’s also possible to boost the signal with coils called repeaters. In the demonstration Giler gave, coils installed under carpet squares allow power to leapfrog from a wall outlet to anywhere in the room.

Witricity is one of a handful of companies working to extend the range of electric chargers.  The company has developed a prototype table that charges devices placed anywhere on its surface—even if they remain inside a backpack or purse—and a wireless keyboard and mouse that can be powered from a computer monitor, eliminating the need for batteries. (Apple has patented a similar idea.) The company has also developed a charger for electric cars. It’s a half-meter-wide pad that sits on the floor of a garage—just drive over it, and the car starts to charge.

Witricity is partnering with several companies to bring the technology to market. It has a multimillion-dollar contract with Toyota to develop charging for battery-powered vehicles (soon it might not make sense to call them plug-in electric vehicles), and has also announced a partnership with Taiwanese electronics manufacturer Mediatek to develop products for charging portable electronics.

Katie Hall, Witricity’s chief technology officer, says the company is working on components that will add the necessary electronics to a portable device. It’s also working to make charging sleeves for mobile phones that are no larger than the covers people typically use to protect their phones. The company isn’t certain how much these will cost, but Hall says the system for charging cars wouldn’t cost much more to make than the chargers that electric-vehicle owners often install in their garages anyway.

Several other companies are developing inductive chargers that can send power efficiently through the air. Siemens and BMW are developing chargers for electric cars, and Qualcomm recently bought a startup that had developed its own wireless electric-car chargers. A company called Fulton Technologies has technology that sends wireless power through a few centimeters of marble, as well as from the floor of a garage to an electric vehicle.

A handful of researchers are even working to extend the concept to allow charging of electric vehicles while they are out on the road. Researchers at Oak Ridge and Stanford recently developed detailed concepts for such a system. In a $2.7 million federally funded project, researchers at Utah State University are installing a system to charge buses as they stop along a route in Salt Lake City.

In the Oak Ridge model, 200 coils would be embedded in a section of the roadway and controlled by a single roadside device; successive coils would be energized as electric vehicles pass over them, providing enough power for the vehicle to reach the next series of coils a mile down the road.

John Miller, a research scientist at Oak Ridge, estimates that each series of coils plus the controller would cost less than a million dollars. “Wireless chargers for electric vehicles are so convenient. You don’t have to mess with plug cables. You don’t care what the weather is. You don’t even have to think about it. I think it’s going to catch on superfast,” Miller says.

6 Health Benefits of Dark Chocolate

Dark chocolate has recently been discovered to have a number of healthy benefits. While eating dark chocolate can lead to the health benefits described below, remember that chocolate is also high in fat. Use FitDay to keep track of your calories and nutrition as you work towards your weight loss goals.


1) Dark Chocolate is Good for Your Heart

Studies show that eating a small amount of dark chocolate two or three times each week can help lower your blood pressure. Dark chocolate improves blood flow and may help prevent the formation of blood clots. Eating dark chocolate may also prevent arteriosclerosis (hardening of the arteries).

2) Dark Chocolate is Good for Your Brain

Dark chocolate increases blood flow to the brain as well as to the heart, so it can help improve cognitive function. Dark chocolate also helps reduce your risk of stroke.

Dark chocolate also contains several chemical compounds that have a positive effect on your mood and cognitive health. Chocolate contains phenylethylamine (PEA), the same chemical your brain creates when you feel like you’re falling in love. PEA encourages your brain to release endorphins, so eating dark chocolate will make you feel happier.

Dark chocolate also contains caffeine, a mild stimulant. However, dark chocolate contains much less caffeine than coffee. A 1.5 ounce bar of dark chocolate contains 27 mg of caffeine, compared to the 200 mg found in an eight ounce cup of coffee.

3) Dark Chocolate Helps Control Blood Sugar

Dark chocolate helps keep your blood vessels healthy and your circulation unimpaired to protect against type 2 diabetes. The flavonoids in dark chocolate also help reduce insulin resistance by helping your cells to function normally and regain the ability to use your body’s insulin efficiently. Dark chocolate also has a low glycemic index, meaning it won’t cause huge spikes in blood sugar levels.

4) Dark Chocolate is Full of Antioxidants

Dark chocolate is loaded with antioxidants. Antioxidants help free your body of free radicals, which cause oxidative damage to cells. Free radicals are implicated in the aging process and may be a cause of cancer, so eating antioxidant rich foods like dark chocolate can protect you from many types of cancer and slow the signs of aging.

5) Dark Chocolate Contains Theobromine

Dark chocolate contains theobromine, which has been shown to harden tooth enamel. That means that dark chocolate, unlike most other sweets, lowers your risk of getting cavities if you practice proper dental hygiene.

Theobromine is also a mild stimulant, though not as strong as caffeine. It can, however, help to suppress coughs.

6) Dark Chocolate is High in Vitamins and Minerals

Dark chocolate contains a number of vitamins and minerals that can support your health. Dark chocolate contains some of the following vitamins and minerals in high concentrations:

  • Potassium
  • Copper
  • Magnesium
  • Iron

The copper and potassium in dark chocolate help prevent against stroke and cardiovascular ailments. The iron in chocolate protects against iron deficiency anemia, and the magnesium in chocolate helps prevent type 2 diabetes, high blood pressure and heart disease.