iPhone privacy question isn't 'Did you do it;' it should be 'How can I stop you?'

Senate investigators need to get beyond outrage and give users tools to protect themselves

The U.S. Senate Judiciary subcommittee hearing chaired by Al Franken Tuesday started out as an investigation into Apple's various contradictory statements about tracking the location of iPhone users.

It turned into a broader condemnation of the privacy-invading potential of both smartphones and location services, which drive many of the most popular smartphone applications for both business and consumer users.

After vowing that Apple doesn't track users, CEO Steve Jobs eventually allowed as how iPhones do track the location of cell towers and WiFi hotspots – which all cell phones have to do in order to communicate with their networks.

Apple software technology VP Guy “Bud” Tribble told Franken's Privacy, Technology and the Law Subcommittee that Apple anonymizes all user-location data, and uses it only to help improve service to mobile devices.

Given that WSJ reporters were able to read a log listing the minute-by-minute locations of the phone – not the cell towers with which it communicated – and Apple's leaked plans to offer better geographic and apps that give mapped retrospectives of where a user has travelled, Tribble's point seems weak.

It's almost irrelevant, actually.

All cell phones have to track their own physical location in relation to the nearest cell tower or WiFi hotspot, and identify and authenticate themselves to the network – usually including the number that provides a unique identifier for that particular device to the network to which it connects.

If the phone is configured to not store those exchanges, it's possible there would be no potentially incriminating record of the owner's location, at least on the phone.

The network keeps track, however. Carrier networks have to be able to identify each individual device in order to route calls or Internet traffic correctly.

There's nothing surprising about that to anyone who's ever hooked up a new device to a network and found it couldn't see anything. Every connected device has to announce itself to something in order to be found. Whatever tracking device is involved, on LAN, WAN or cell networks, must keep a record of where that individual device is within the network, or the device won't stay connected.

That's not "anonymized" data in the way Jobs and Tribble imply. It's very specific, and it has to be.

On the client side, setting up a phone so it had no idea where it was – except in relation to the single cell tower to which it might connect – would waste data that could be more useful to the owner of the phone than to marketers or anyone else who would use it for their own purposes.

Before switching to an Android phone, I'd given up on using my Windows Mobile for much of anything except text, email and voice calls. It was just too awkward to use.

When I wanted to go somewhere new, I looked up the location on my laptop, got a map from Google, often printed it out and brought the paper with me, and used a Garmin GPS in the car to navigate to where I was going.

If the restaurant or hardware store I was heading to was closed, I had to call someone who was online to find out why, or help look up a new place.

It took a lot of preparation and a lot of cooperation from others. It was also very frustrating – even more than when I only used paper maps and found places by phoning them and asking for directions. Back then I didn't expect to have a personal guide and information concierge to help me get around.

With Android, Google Places, Google Navigation, half a dozen city-search and service-locating apps (all free, all responding almost as quickly on a 3G network as my laptop does on my home network), I have exactly that.

Voice recognition lets me change locations or search new ones without pulling over, or risking an accident by typing while driving. Navigation gets me lost far less often than I do on my own. Search and lookup services help me find what I want and get local businesses more sales by bringing me in through doors I would never have found otherwise.

That is a trivial set of examples of why smartphones have become so useful in day to day life – augmenting reality in fact, if not according to the perfect-image concept of Google Goggles or whatever your favorite AR app is right now – that shutting off location services, location tracking and all the other privacy-invading functions would be a real blow to the people that use them.

Having a smart, responsive, pocket-sized computer with you all the time means you can take along all the advantages of the web without taking along your laptop or plugging in to a different WiFi network every couple of blocks.

It unquestionably puts every consumer who uses one in the sights of every marketing company and every data-stealing hacker network in the world, however.

And it does that in ways that leave consumers more exposed than they are with more traditional devices, which sit behind firewalls and NAT devices and have cookie-scrubbers and browser patches and anti-virus and all kinds of other security measures that are still insufficient, but at least provide a little protection for their users.

Phones, typically, don't. Not even the ones owned and managed by corporations that are aware that their corporate data could be pulled out of the air by WiFi sniffers while groups of employees sit around at Starbucks looking at sales reports and talking tactics during a road trip.

Franken's right that privacy and smartphones need to be addressed, both technologically by the carriers and manufacturers, and through regulation from committees like his, the FCC and FTC.

It's not enough to hear reassurances from Steve Jobs that Apple doesn't use private location data for anything evil.

It shouldn't have any choice. Businesses and consumers using iPhones should know ahead of time what information of theirs is being collected by both the phone and the network, and have control over what is done with it.

We need regulations requiring Apple and Google and Verizon and Sprint and all the others to make sure the data they use is anonymized, that the individualized data they collect is secured and encrypted, and that there is enough enforcement of traffic on public airwaves – both cell and WiFi – to make sure sniffers and hackers and war drivers sometimes get caught and prosecuted for trying to steal other people's data.

Businesses and consumers who own the phones have to do their part. They have to make sure their data are encrypted, everything's protected by passwords and that critical business data isn't stored on devices that can be easily cracked or lost.

No one should be surprised that smartphones spray private data into the ether like high pressure hoses after the firefighters let go.

Technological and regulatory measures to minimize the damage from that spray should focus on the data and the privacy, however, not on how surprised and outraged everyone is at the revelation that another vendor is collecting data to build another service for which a customer might pay.

Taking advantage of customers by giving them something they want and are willing to pay through the nose for is what vendors do, just as computers of any kind try to collect and store away every bit of data they touch, without really caring how securely they store it.

Franken's committee is going to hold another hearing in mid-May. The Senate Commerce Committee is also investigating iPhone privacy issues, as are Congressmen Ed Markey (D. – Mass.) and Joe Barton (R. – Tex.).

The question they should all be asking Apple and everyone else involved isn't "how could you invade our privacy this way?"

It's "what are you doing to make sure no one does it again?"

The quicker they get answers to those questions, and put them into effect, the safer consumer and business users will be.
