NNSquad - Network Neutrality Squad

NNSquad Home Page

NNSquad Mailing List Information


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ NNSquad ] Important Read Re: iPhone Applications & Privacy Issues

Important Read Re: iPhone Applications & Privacy Issues

The message below, sent to me earlier today, is by far the most cogent
summary briefing regarding iPhone Unique Device Identifiers (UDIDs)
and related privacy issues that I've seen -- very much recommended for
all interested parties.

Forwarded with permission of the author.


----- Forwarded message from Craig Michael Lie Njie <Lie@KismetWorldWide.com> -----

Date: Sun, 03 Oct 2010 17:15:51 -0400
From: Craig Michael Lie Njie <Lie@KismetWorldWide.com>
Subject: Our UDID & iPhone Applications Privacy Learning... Re: [ PRIVACY
	Forum ] iPhone Applications & Privacy Issues: An Analysis of Application
	Transmission of iPhone Unique Device Identifiers (UDIDs)
To: lauren@vortex.com

Hi Lauren,

Thanks for sending out a link to Eric Smith's paper on iPhone UDID usage.

Last year we started building WasteNot, our free environmental iOS app, and 
we needed a way to uniquely identify our customers so they could access 
their accounts.  We spent a lot of time discussing the privacy implications 
and determined there were two options: use the UDID, or create our own  
identification system.

As a long-time privacy advocate (I co-founded a privacy infomediary in 
'99), I foresaw a potential privacy backlash against the UDID.  It's 
incredibly simple to access the UDID and transmit back to the server, but 
incredibly privacy invasive, easily linkable across different applications, 
and as it turns out, useless for actually tracking customer preferences 
across multiple iOS devices.

We've written a privacy chapter in our upcoming iPhone business development 
book discussing our key learning in detail, but I thought you might like 
some quick highlights of what we've learned:

* UDID is unique to each device, but only Apple can link it back to an 
actual customer unless the customer provides more information, or another 
piece of data is sent along (e.g. telephone number, GPS location for google 
maps, etc..). Many duplicitous companies collect and transmit this 
secondary information. Rarely do they do use opt-in, nor does the Apple 
device warn the user of the majority of the data collection and 

* UDID identifies the *device*, not the customer -- if a customer has a  
iPhone and an iPad, there are two different UDIDs.  If a customer loses 
their iPhone, their replacement iPhone has a different UDID.  If a family 
shares a single iPad, they all have the same UDID.

* A customer cannot change their device's UDID, nor can they stop the  
collection and transmission of the UDID (like they can block the GPS 
location for which there is an Apple alert).  IMHO, Apple should require a 
pop-up notification for "this app is trying to collect and use your UDID: 
OK / Cancel", but Apple is very against additional pop-ups as they detract 
from the customer experience.  I doubt this will ever become a feature, nor 
do I believe this would really do much other than annoy the customer with 
yet another alert they don't read or think about before clicking "OK".

* If you don't use the UDID and want to uniquely identify customers (in our 
case to store preferences and content submissions so they are accessible 
from any device running WasteNot), your options are similar to the 
web-based world. In our case, we chose to use a fully opt-in model, where 
customers first had to sign up with an account using any email address they 
prefer.  In retrospect, there are several problems with this approach:

	1) customers have generally used their real email addresses when they sign 
up for a WasteNot account.  From a privacy perspective, we don't really 
want this information, since if our servers are hacked, their email 
addresses are at risk.  UDID's are much less useful to a hacker since you 
can't send spam to a UDID. Arguably, email address collection for account 
identification is much more privacy invasive than if we had just used the 

	2) A significant percentage of people who download WasteNot do not ever 
sign up for an account.  This limits the functionality.  I'm sure this has 
resulted in several of our less-than-5-star ratings, although we use an 
opt-in system and we do *no* behavioural tracking, so I have no way to 
verify this.  My guess is that had we used a UDID approach, we would have 
had significantly higher ratings, significantly more customers, and 
significantly better press as a result.

	3) People forget their passwords, so we needed to build a password 
retrieval system, too.  All told, it was more than 250 additional hours of 
work to build and test the system to handle user account generation, login, 
logout, password retrieval, email address verification, and other things 
that wouldn't have been as necessary if we had just used a username and the 

	4) On the flip-side, had we used the UDID we wouldn't have been able to 
let our customers access their WasteNot account from any device.  This 
means that the UDID, which arguably was put in to allow for easy customer 
identification, is really only useful for behavioral tracking on a single 
device.  You still need a login system if you want your customers to be 
able to use their account from multiple devices.

Therefore, my takeaways from the last 22 months of development and watching 
our WasteNot app in the wild are:

	* You need a customer account creation and login system if you want to 
have customer accounts.  UDID's don't fix the account problem, so they 
don't really provide much value to privacy-conscious developers like us.

	* Developing an account creation system is a LOT of work, and thus the  
majority of developers who don't need multi-device accounts choose to use 
the UDID instead to save time and money.  (In other words, Apple 
incentivizes developers to use the UDID by not providing them with a 
similarly useful privacy-enhanced customer identification tool.)

	* UDIDs are only useful for tracking the behaviour on the device.  This 
makes it incredibly useful to track behaviour within an app, and I've seen 
several advertising and behavioural tracking systems that use the UDID, 
without the customer's knowledge or consent.  (One sales pitch I saw 
bragged about their ability to report on every action a user took within an 
app: every button click, every page viewed, every table cell viewed, and 
the time a person took between each action, all sent back to the server 
without any notification or customer access to that information.)

	* Thus, UDIDs are most useful to people who want to track and collect user 
behavioral data without user notification or permission (ad networks and  
behavioural monitors).  And since the UDID is the same for every app on a  
device, this is a boon to advertisers and other data aggregators.  (Think 
of how happy the DoubleClick/Google's of the mobile advertising world are 
that they no longer have to place a cookie to track a user across 
sites/apps, there's already a permanent cookie that the user cannot turn 
off.  Eric Smith's article was insightful comparing this to the Pentium 3ís 
Processor Serial Number (PSN).)

	* UDIDs are only linkable back to an individual by Apple, unless the 
individual provides more information (e.g. GPS location, email address, 
telephone number, etc.).  Unfortunately it's very easy to do this, either 
directly or indirectly.  Hopefully Apple is checking for this when they 
review apps before approving them on the App Store -- I doubt it but I 
still hold hope -- but if a developer who wanted to do this was smart, they 
would have the app query the server on load and have the server return a 
"don't collect or transmit data" response during app review, and then once 
the app was approved, switch that to "start collecting data now that Apple 
isn't reviewing this app anymore".

My take on the ideal iOS privacy solution:

	* Apple forces opt-in for data collection and transmission for each app,  
including notification of what is being collected, why, and how it will be 
used (along with a link to the privacy policy governing the collection and 

	* UDID's are generated for each app on the device in a way that two apps 
on the same device can't link their data.

	* Apple develops a simple SDK to provide a privacy-enabled, blinded user  
account system, with ID's unique per user per app (not per-device) so that 
it is as easy for developers to use that privacy-enhanced system as it is 
to use the UDID (removing the cost-savings argument for using a UDID).

I won't hold my breath.

Hope this was useful and helps further the UDID discussion and debate.  
Feel free to distribute any of the above to anyone you think might have 
interest. Anyone can contact me direct if they have any questions about the 
above, or want to know more about the privacy issues we debated and made 
difficult decisions on during development of WasteNot.

Thanks for fighting the good privacy fight!


Craig Michael Lie Njie
Founder & CEO, Kismet World Wide Consulting LLC


WasteNot has already catalyzed over 201,922 positive actions helping the  
environment in more than 40 countries on 6 continents!  Learn more with our 
quick 2-minute demo video:

On 10-10-03 16:02, privacy@vortex.com wrote:
> ----- Forwarded message from Monty Solomon<monty@roscom.com>  -----
> Date: Sun, 3 Oct 2010 15:51:11 -0400
> From: Monty Solomon<monty@roscom.com>
> Subject: iPhone Applications&  Privacy Issues: An Analysis of Application
> 	Transmission of iPhone Unique Device Identifiers (UDIDs)
> To: undisclosed-recipient: ;
> iPhone Applications&  Privacy Issues: An Analysis of Application
> Transmission of iPhone Unique Device Identifiers (UDIDs)
> by Eric Smith
> October 1, 2010
> Abstract
> Every Apple iPhone shipped since its introduction in 2007 contains a
> unique, software-visible serial number -- the Unique Device
> Identifier, or UDID. Apple provided this functionaly to allow
> application developers to uniquely identify the iPhone being used for
> purposes such as storing application preferences or video game high
> scores. While the UDID does facilitate the process of collecting and
> storing certain types of data, it also creates a tempting opportunity
> for use as a tracking agent or to correlate with other
> personally-identifiable information in unintended ways. In this
> paper, we investigate where and how UDIDs are being shared, with
> whom, and how the UDIDs are being used.
> ...
> http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf
> ----- End forwarded message -----
> _______________________________________________
> privacy mailing list
> http://lists.vortex.com/mailman/listinfo/privacy

----- End forwarded message -----

Lauren Weinstein (lauren@vortex.com)
Tel: +1 (818) 225-2800
Co-Founder, PFIR (People For Internet Responsibility): http://www.pfir.org
Co-Founder, NNSquad (Network Neutrality Squad): http://www.nnsquad.org
Founder, GCTIP (Global Coalition for Transparent Internet Performance): 
Founder, PRIVACY Forum: http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein
Google Buzz: http://bit.ly/lauren-buzz