Google asks journalists to tone down story of "massive" Google Play security flaw - Page 6

Quote:

Originally Posted by MacRulez 

Thanks for clarifying that for us, but for whom was that intended?  I don't recall anyone here claiming that OS X is a cloud OS.

Quote:

Quote:

Originally Posted by TBell 

I have Little Snitch installed on my Mac and I stopped using Chrome. It calls home repeatedly every session. Firefox and Safari call home maybe one a week to check for updates. Other than to check for updates, a browser has no reason to call home. You are right it is spyware. 

It's a cloud OS - how else would you expect it to work?

 

And since you used Little Snitch, can you tell us specifically what unauthorized sensitive data it was transmitting?

I know it's hard to keep track when you just make stuff up to respond to people, but at least try, a little bit.

I think I must have imagined it when Mountain Lion asked me if I wanted to allow Chrome to have my contacts.

Again, if you don't know what you are talking about, don't post your garbage here.

Quote:

Originally Posted by jragosta 


Wrong.

http://edrupler.com/content/google-chrome-–-spyware-confirmed
http://www.techgainer.com/google-chrome-browser-may-be-spying-on-all-of-us-really-its-true/

And not just Chrome. All Google software is spyware, every last bit of it. It's all about collecting information about users to sell and give to advertisers. That's their business model, so it shouldn't be a shock to anyone.

 

wtfQuote:

Originally Posted by MacRulez 

For most people making claims that might seem potentially libelous, providing supporting details for those claims would indeed matter.

 

When you use any browser on any OS, data is being sent to the server.  When you have an OS which is essentially a browser, we would expect this to be no different.

 

So unless you believe that all use of the Internet, characterized as it is by two-way communications between a client and a server, somehow satisfies the definition of "spyware", one may reasonably expect TBell to take an interest in his own words at least sufficient to explain his claims.

WTF are you talking about? Of course this is how browsers work. If I ask to view xyz.com there's going to be traffic between my computer and xyz.com. If there's other content displayed then my browser might connect to other servers as well (like images.xyz.com, forums.xyz.com or adcompany.com). All these server references would be contained within the web page itself, and this is normal.

What's being talked about is a browser that's connecting regularly to servers that have nothing to do with the web page I'm trying to view. There's no reason for a browser to do this. It should only be connecting to the web page server itself (and affiliates).

Not sure why you can't seem to comprehend this and use the asinine argument that "when you use any browser on any OS data is being sent to the server" as if all browsers are behaving the same as Chrome. They're not.

I suppose you're still one of those that thinks Google bypassing Safari was OK too.

Quote:

Originally Posted by muppetry 

Quote:

Originally Posted by Taniwha 

Quote:

Originally Posted by Tallest Skil 

Originally Posted by Suddenly Newton 
Most Google/Samsung defenders in the forums tend to argue something like "see, Apple does it too!" using spurious examples. They never actually deny that Google/Samsung did whatever they were accused of doing.

 

Exactly. And to top it off, Apple's NOT doing what Google, et. al. do! There's no "too"! In Apple's list of "Apple affiliated companies"… it's all Apple! Just under different names! It's to be understood that Apple shares the personal information you give them… with Apple! It's them! And then they go on to say that non-personal information is shared with true third-parties, and they state what that non-personal information is. 

Ah TS, are you being willfully ignorant ? The Apple definition of non-personal information is, to put it mildly, defective, as I pointed out earlier in this thread. It is really quite asinine in this context to ignore the fact that the Apple definition is absolutely contrived and not in any way compatible with internationally accepted definitions of personal information:  Restricting the definition of "personal information" to only cover DIRECTLY IDENTIFIABLE information about persons is simply a trick to deceive the uninformed.

 

 

 

If the definition had been invented by some idiot with no professional experience in privacy law it might be excusable, but that's not the case. It was defined by professionals who are familiar with privacy laws and regulations worldwide. But when it comes from a professional then it must be assumed that it is intentional.

 

The point is that it is trivial to link various pieces of "apple-defined" non-personal information to identify people. This is why the laws are formulated to include "identifiable" personal information. So please, give it a rest. Nobody can be so stupid as not to see through that. But since we don't have any insight into what apple is really doing it is a bit difficult to say more than it looks like a ruse which will create the illusion that they are not processing personal information while at the same time opening a back door to permit it.  To me it seems quite obvious that the specific inclusion of "direct" in the definition, is something that requires closer examination.

 

And before you start arguing that this is a US Company and subject only to US laws, you may wish to wise up on definitions of personal information in various state laws and federal regulations (HIPAA for example). In any case, there is not a shadow of doubt that the Apple definition is incompatible with privacy law in the majority of countries which have any such laws at all. 

 

What kinds of non-personal information do you think could reasonably be combined to permit identification of a customer?

Well this is not a hard question to answer: Let's take 2 examples.

1. you buy something on the internet, and supply your credit card, email address and login-name.

2. you buy something in a shop, pay in cash and supply your home address for the delivery, your email address in case there's some problem with the order, and your telephone number so that the delivery man  can call you to arrange a time to take the delivery.

In this case you have two datasets. The internet supplier doesn't have your home address and telephone, but the brick and mortar shop does.

Now an indexer can link the two datasets based on your email address. That, incidentally, is how many internet data aggregators function ... building links by indexing on seemingly disconnected information sub-sets. If you*re interested PM me and I'll send you an article about data leakage on the internet. It's quite revealing.

But my main point is another one:

Apples "Privacy" policy does not give you ANYTHING LIKE A USEFUL GUARANTEE. Most people probably wouldn't notice the fine distinction that Apple makes and the fact that they classify information as personal only if it is directly attributable to a person. Anything that is not DIRECTLY attributable, is "free-to-use-in-any-way-we like". So the unwary reader, and intellectually challenged AI moderators, don't understand that the definition that Apple invented is not a protection of personal information and not a guarantee at all. In fact it's a blank check as long as the data set doesn't contain your NAME.

The other point I made was that the Apple definition is in contradiction to the most widely accepted international definition of "personal information" in the laws of many countries, whicht is "any information relating to identified or identfiable natural persons"

By using this transparent trick, many people will be mislead into believing that the Apple privacy policy gives them some protective guarantees that it does NOT in fact provide. I don't think it is accidental and I certainly don't think that is acceptable or praisworthy. Seems to me it's a calculated gamble that uninformed people will be mislead to believe that they are getting something more than they are actually getting by way of guarantees.

Actually I just did a quick check in a couple of international privacy law resources (Baker & McKenzie, Linklaters). About 40 countries, including the entire EU, but also Russia, India, Argentina, Chile, Columbia, Kazakhstan, Azerbaijan, Indonesia, Philippines, Turkey, and Vietnam (among others) ALL use the "identified or identifiable" definition. So Apple is WAY off target.

And here's the Killer :-). EVEN GOOGLE defines personal information more broadly than apple's limited definition. I find that is simply hilarious.

"Personal information:

This is information which you provide to us which personally identifies you, such as your name, email address or billing information, or other data which can be reasonably linked to such information by Google."

For the intellectually challenged, the last sentence is the key. (Hi TS).

So, what I am saying is that the Apple definition is self-serving and deceptive and clearly in violation of the law in at least 40 countries outside of the US of A.

Self-serving: Because the main thing that US companies are afraid of in respect of privacy violations are class-actions and the FTC enforcement of privacy policies. For those who may not know, the FTC regards deviations from published privacy policies as misleading advertising, so they use that angle to make sure that companies stick to what they say they will do. The FTC does NOT have a mandate to enforce privacy law per se except where sector-specific federal laws make this possible.  So the Apple Privacy Policy can be seen more as a means to avoid both of these risks in the US. This however serves Apple's interests but goes no way to ACTUALLY PROTECTING their USER and CUSTOMER personal information.

Apart from the simple comparison to the google privacy definition, as a privacy professional I am by no means defending Google in any shape or form. But there have been enough contributions to this thread that draw attention to the shit that Google is propagating. I don't think I need to add to that.

Hope that helps to clarify the issues.

Quote:

Originally Posted by Tallest Skil 

Originally Posted by Taniwha 
Restricting the definition of "personal information" to only cover DIRECTLY IDENTIFIABLE information about persons is simply a trick to deceive the uninformed.

 

So you object to the idea of Apple stating that their customers have eyes of a certain color. You'd prefer third-parties not even know that Apple's customers have eyes at all. Got it. 

Originally Posted by Euphonious 
135 posts bickering about whether Google is more evil than Apple, or vice versa.

 

Plenty of us really need to go outside more.

 

I ask because I genuinely don't think you know: you do realize this is a discussion forum, right?

TS, with all DUE respect. Those comments are at best not constructive, and at worst simply childish. I will not engage with you at that level. Forget it.

Quote:

Originally Posted by anonymouse 

Quote:

Originally Posted by TBell 

I have Little Snitch installed on my Mac and I stopped using Chrome. It calls home repeatedly every session. Firefox and Safari call home maybe one a week to check for updates. Other than to check for updates, a browser has no reason to call home. You are right it is spyware. 

It's a cloud OS - how else would you expect it to work?

 

And since you used Little Snitch, can you tell us specifically what unauthorized sensitive data it was transmitting?

I know it's hard to keep track when you just make stuff up to respond to people, but at least try, a little bit.

 

Thank you for that clarification.  Still, whether Chrome the browser or Chrome the browser-based OS, the question remains:

Would TBell kindly take enough interest in his own words to provide the Little Snitch output he finds suspect?

Ah, so a software asked your permissions for a synching activity.  Did you grant those permissions? 

And do you believe that all software that provides options for synching, such as Apple's iCloud, fits the definition of "spyware"?

garbage - n. Anything someone finds personally inconvenient.

You're free to continue to resort to random labels if you prefer, but the readers here will note your continued absence of actual data to support your claims just the same.

Quote:

Originally Posted by EricTheHalfBee 

 

WTF are you talking about? Of course this is how browsers work.

You're off to a good start, but then:

Let's take a look at the page we're on now:  in addition to AppleInsider.com, NoScript shows JS requests for quanserve.com, viglink.com, scorecardresearch.com, facebook.com, googleadservices.com, and google-analytics.com, with cookie requests from apple.com and yahooapis.com.

I trust AI's dependence on googleadsevices.com and google-analytics.com will prompt you to close your account here, no?

And can you kindly tell us what specific requests you've seen from the Chrome browser so we can better understand how you define "spyware"?

The astute reader will note that you suppose many things no one actually said.

Quote:

Originally Posted by anonymouse 

And not just Chrome. All Google software is spyware, every last bit of it. It's all about collecting information about users to sell and give to advertisers. That's their business model, so it shouldn't be a shock to anyone.

Do they actually give identify information about individuals to advertisers, or do they merely use that information to provide options for demographically relevant ad placement as Apple's iAd does?

I can't claim to know with certainty, and look forward to your proving a URL to the page where Googgle offers specific identifying information about users as a product for sale to advertisers.

Quote:

Originally Posted by MacRulez 

Ah, so a software asked your permissions for a synching activity.  Did you grant those permissions? 

Of course, the part you are conveniently ignoring is that, prior to Mountain Lion, Chrome was simply able to grab that information.

You know, most of the rest of the Z collective of trolls has left us, why are you still here?

Quote:

Originally Posted by MacRulez 

You're off to a good start, but then:

 

Let's take a look at the page we're on now:  in addition to AppleInsider.com, NoScript shows JS requests for quanserve.com, viglink.com, scorecardresearch.com, facebook.com, googleadservices.com, and google-analytics.com, with cookie requests from apple.com and yahooapis.com.

 

I trust AI's dependence on googleadsevices.com and google-analytics.com will prompt you to close your account here, no?

 

And can you kindly tell us what specific requests you've seen from the Chrome browser so we can better understand how you define "spyware"?

 

The astute reader will note that you suppose many things no one actually said.

"The astute reader will note that you suppose many things no one actually said". Oh the irony.

I never made the claim that I personally saw Chrome requests nor did I claim that Chrome was "spyware". Do you even keep track of who you're replying to?

My comment was regarding your over-generalization about browsers connecting to servers. Are you going to claim that Chrome ONLY contacts servers listed in their web pages and never makes calls to servers that aren't related to the website, Google Analytics or Google Ads?

I use Google Analytics myself, so why would I stop visiting AI (or any site) that uses them? In fact, it's Google Analytics that allows me to call BS on the articles you previously always liked to link that try to refute claims that iOS devices comprise the majority of web traffic. Google Analytics is smart enough to tell me how many iPhone, iPad, Nexus or Nokia phones visit my site. Which is why I use it.

The astute reader would realize you're a troll who thinly disguises their posts as legitimate "concerns" or "issues". You're not fooling anyone, so why do you still keep trying?

Originally Posted by Taniwha 
Well this is not a hard question to answer: Let's take 2 examples.

 

1. you buy something on the internet, and supply your credit card, email address and login-name.

2. you buy something in a shop, pay in cash and supply your home address for the delivery, your email address in case there's some problem with the order, and your telephone number so that the delivery man can call you to arrange a time to take the delivery.

 

In this case you have two datasets. The internet supplier doesn't have your home address and telephone, but the brick and mortar shop does.

 

Now an indexer can link the two datasets based on your email address.

Is this supposed to answer the question? Home address is personally identifying information, as is the phone number and e-mail address.

What would be a "useful guarantee" if not:

Do "will not", "will be", and "will only" not mean anything?

Yes, that's known as the law, as well as the choice of the company. Don't like it, don't use the company. Both Apple and Google do this, as do tens of thousands of other companies. Personal information is protected, non-personal can be shared.

They invented no definition. You keep saying this.

No. Read the laws again.

US:

EU*:

 Read the privacy policy again.

So I'm confused. Either you didn't read the privacy policy or you don't care what it says. Personal information extends far beyond "name" to Apple. Would you prefer a "but not limited to" after the "including" there, even though everything is already covered?

*I can't seem to find an itemized list of the EU's definition of items of personal information. All the laws I'm finding pertain exclusively to the use thereof. Could you list them, with a source? What is "identifiable natural persons" supposed to entail? Note that it's singular, not plural. Your original claim is this:

Emphasis yours. Your implication is that while Apple obviously cannot release data pertaining to a person, they also cannot release data that could pertain to more than one person. Except the law says:

Singular. And yet you go on to claim:

So what was less broad? You haven't explained that.

Hey, you realize that doing this invalidates everything you've said, even if it any of it is redeemable, right?

Quote:

Originally Posted by jragosta 


Wrong.

http://edrupler.com/content/google-chrome-–-spyware-confirmed
http://www.techgainer.com/google-chrome-browser-may-be-spying-on-all-of-us-really-its-true/

First, since the best you could find was two random and rather minor blogs, I'm not sure they meet the AnkleSkater Standard of "an authoritative source".  Were you really completely unable to find any reports from any of the well-known security sites?

Still, random rants on the web can be fun, so let's enjoy them:

Did you read the titles of either article?  Interestingly, both are worded as questions, rather like the "Did Glenn Beck...?" meme from a few year back, second only in popularity to the "some people say..." technique that's a mainstay of Fox News and similar reporting.

When we look at the details, the reason for the rather careful wording of their title as a question become clear:

The behaviors described there are what one would expect for a feature that does type-ahead matching based on criteria broader than one's history and bookmarks to extend to the search engine itself.

The only potentially concerning issue cited in the second article was #4 there, but it's also noteworthy that it linked to an article half a decade old which no longer works, so there's no way to know the details of that item, or if it was addressed years ago, or even if it was ever a significant privacy issue at all.

For a little background on how the "Omnibox" works with relation to the traffic it generates, this may be useful:

http://google-chrome-browser.com/google-chrome-isn%E2%80%99t-spy

In short, neither article provided evidence nor even claims that Chrome is sending information which can be used to identify an individual.

If the sorts of things they describe concern you, you may be far more alarmed at the common user-agent string used in all browsers:

Browser Versions Carry 10.5 Bits of Identifying Information on Average

https://www.eff.org/deeplinks/2010/01/tracking-by-user-agent

Quote:

Originally Posted by anonymouse 

 

Of course, the part you are conveniently ignoring is that, prior to Mountain Lion, Chrome was simply able to grab that information.

Sure, any app can potentially do all sorts of things.  We're looking forward to your providing a URL describing a widespread incident of Chrome sending identifying information without the user's consent.

TS: Rule #1.

Quote:

Originally Posted by EricTheHalfBee 

"The astute reader will note that you suppose many things no one actually said". Oh the irony.

 

I never made the claim that I personally saw Chrome requests nor did I claim that Chrome was "spyware". Do you even keep track of who you're replying to?

Do you?  Kindly allow me to remind you what you wrote:

We look forward to your providing a link to the post in where I said that.

Irony indeed.

No, instead of indulging your straw men I'm going to stick to the claim presented:  Will you please provide a URL from, as AnkleSkater would require, "an authoritative source", which demonstrates that Chrome is sending information which can identify specific individuals?

Or if you're unable to turn up anything like that, could you at least explain how you define "spyware" so we might have any chance at all of understanding what you're claiming?

...at your sites.  I don't mean to sound disrespectful, but I have good reason to believe the World Wide Web is comprised of at least a few sites that you didn't make.  I look forward to your correction if my understanding on that isn't correct, and congratulations if so, since you must be a remarkably busy man.

Quote:

Originally Posted by jragosta 


True. But, then, I was able to read past the title - where they answered their own question in the affirmative. Reading past the title is fun - you should try it some time.

Yes, for example the other readers here who read the rest of my post before rushing to click "Quote" recognized that I made specific references to the details of each.

You're welcome to do the same, or just keep posting randomly, whichever you prefer.

Quote:

Originally Posted by MacRulez 

Do they actually give identify information about individuals to advertisers, or do they merely use that information to provide options for demographically relevant ad placement as Apple's iAd does?

Neither Apple nor Google sells personal information to third parties.  That would be like giving away the goose that lays the golden eggs.

Both companies only sell anonymous ad placements based on the info they have.

For example, Apple sells iAds based on knowledge they have about us from our iTunes registration info, our media purchases, and our device location (see graphic from Apple below):

Whenever an app requests an iAd, Apple's server looks at our profile to see what target audience we match. It also checks to see which ads we've already seen in the past month.  The server then sends back an ad to fit our profile.  The requesting company pays Apple about 10 cents for each ad view, and the app developer gets a 70% cut of that. 

Google's ads are done in a similar manner.  One difference is that anyone can go to their Google Dashboard and see (and even edit) major pieces of their profile.  I don't know of any way to do that with Apple's version of our profile.

Honestly, anyone who is upset of crying over this revelation deserves what you get here. What hell did you thing was going to happen when you take something for free. 

I do not feel sorry for anyone who had their personal information share with whom every wanted it. If it was that important you should have never agreed to use google stuff, Maybe the DoJ will go after them for this one as well, But if I was google i would stay what did all these sheep think would happen when they got a free OS with free email, free web searched, and cheap and useless apps with lots of advertising and so on. If you going to be cheap an not pay then we get to whore their information to the highest bidder.

The DoJ should just stay out of it and let buyer or in this case the begger beware. If you do not want you inform whore around then you should pay. As people already pointed out, Apple is making far more money selling you a product then selling your personal information.

Quote:

Originally Posted by habi 


What th e hell do you mean? This article says Google said it was a feature that google sends private information to 3rd parties ( developers) without consent nor mention in the privacy policy about what exactly happens!!! Your point is then fully wrong and proved wrong!!!!

Don't even try to figure out what he's talking about. KDarling just portrays reality the way he wants us to believe it is. His posts are entirely fictitious, even when describing supposed facts. He's wasting his time here, he should be working on a novel.

Originally Posted by Maestro64 

If you do not want you inform whore around then you should pay.

Another unintentionally apt statement. Thanks, autocorrect!

Quote:

Originally Posted by Tallest Skil 

Originally Posted by Taniwha 
Well this is not a hard question to answer: Let's take 2 examples.

 

1. you buy something on the internet, and supply your credit card, email address and login-name.

2. you buy something in a shop, pay in cash and supply your home address for the delivery, your email address in case there's some problem with the order, and your telephone number so that the delivery man can call you to arrange a time to take the delivery.

 

In this case you have two datasets. The internet supplier doesn't have your home address and telephone, but the brick and mortar shop does.

 

Now an indexer can link the two datasets based on your email address.

 

Is this supposed to answer the question? Home address is personally identifying information, as is the phone number and e-mail address.

Apples "Privacy" policy does not give you ANYTHING LIKE A USEFUL GUARANTEE. 

 

What would be a "useful guarantee" if not:

Personal information will only be shared by Apple to provide or improve our products, services and advertising; it will not be shared with third parties for their marketing purposes.

 

If we do combine non-personal information with personal information the combined information will be treated as personal information for as long as it remains combined.

 

Do "will not", "will be", and "will only" not mean anything?

Most people probably wouldn't notice the fine distinction that Apple makes and the fact that they classify information as personal only if it is directly attributable to a person. Anything that is not DIRECTLY attributable, is "free-to-use-in-any-way-we like".

 

Yes, that's known as the law, as well as the choice of the company. Don't like it, don't use the company. Both Apple and Google do this, as do tens of thousands of other companies. Personal information is protected, non-personal can be shared.

…the definition that Apple invented…

 

They invented no definition. You keep saying this.

…is not a protection of personal information and not a guarantee at all. In fact it's a blank check as long as the data set doesn't contain your NAME.

 

No. Read the laws again.

 

US:

Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

EU*:

Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

 

 Read the privacy policy again.

What personal information we collect

• When you create an Apple ID, register your products, apply for commercial credit, purchase a product, download a software update, register for a class at an Apple Retail Store, or participate in an online survey, we may collect a variety of information, including your name, mailing address, phone number, email address, contact preferences, and credit card information.

 

So I'm confused. Either you didn't read the privacy policy or you don't care what it says. Personal information extends far beyond "name" to Apple. Would you prefer a "but not limited to" after the "including" there, even though everything is already covered?

The other point I made was that the Apple definition is in contradiction to the most widely accepted international definition of "personal information" in the laws of many countries, which is "any information relating to identified or identfiable natural persons"

 

*I can't seem to find an itemized list of the EU's definition of items of personal information. All the laws I'm finding pertain exclusively to the use thereof. Could you list them, with a source? What is "identifiable natural persons" supposed to entail? Note that it's singular, not plural. Your original claim is this:

You note that Apple defines "non personal information" only as information that does not permit association with any specific individual.

 

In the entire EU this may, and in many cases would, nevertheless qualify as personal information.

 

Emphasis yours. Your implication is that while Apple obviously cannot release data pertaining to a person, they also cannot release data that could pertain to more than one person. Except the law says:

Personal data are defined as "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;"

 

Singular. And yet you go on to claim:

which makes it an undisputable fact that Apple's privacy policy does NOT in fact give the assurances that its users may indeed expect, simply by the trick of defining personal information in a manner that is less broad than the legal definition

 

So what was less broad? You haven't explained that.

 

So the unwary reader, and intellectually challenged AI moderators…

For the intellectually challenged, the last sentence is the key. (Hi TS).

 

Hey, you realize that doing this invalidates everything you've said, even if it any of it is redeemable, right?

You seem to be determined to be both belligerant (which is something that doesn't bother me personally, get your rocks off however you can) and wilfully ignorant.

I won't go into each of the specific data elements to point out the silliness of your comments. +49 204 77 1234 could be a telephone number, but in itself it is not personal information.  Strain your brain TS. You need MORE info to make a phone number into PI. Similarly 1. Palace Place is possible a street address, but without more info you can't say it's PI ... Can you understand that ? Same for Email addresses. So whether or not a specific data item is PI depends on the availability of the extra, missing, info. And this can come from external sources, which when combined with the original data turn it into PI ! This is what apple allows, and the law prevents. Get it ??

Have you kept up so far ?? I'm typing slowly for you.

So my bone with the apple definition of PI hinges, as you very well know, on the fact that Apple uses the definition "We also collect non-personal information − data in a form that does not permit direct association with any specific individual". 

And that is the problem. They define non-personal information as above, leaving out the "direct or indirect association with any specific person" and limiting it to direct association. This is NOT what the privacy law in the vast majority of countries would accept as a legitimate definition of non-personal data. No way, because it implies that if the missing data is not in a dataset, then it is not personal information. That is crap because of the fact that linking to the missing data is both trivial and effective. Take the example of a phone number. It is no big deal to search an online phone directory for numbers, and then to retrieve the name, address and other info.  With photographic data it's a little more complex, but essentially the same issue arises. As you know there is now technology available to identify persons in a crowd or in a photo. Same problem. The hash code (or whatever is used to fingerprint the biometrics of the image) is in itself useless, but combined with data from a database of known persons, it is trivial to identify persons in a photo. Same goes for DNA fingerprints and a whole host of other biometric data.

That's not rocket science.

Then the Apple policy goes on to say that they can use non-personal data in any way. Which does NOT limit them to transferring it to third parties and which does NOT prevent the third parties from linking it with external identifying data. They only say APPLE treat a combination of personal and non-personal data (by their definition) as personal data so long as it is combined.  So in fact, as I have repeatedly pointed out, the guarantee is worthless.

It really does come down to the fine points of the legal language.

As to the legal definitions:

The EU definition is in 95/46/EC  ----> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

Look for Article 2, Definitions.

Now it's your turn. I would appreciate it if you can give the source to the definition posted earlier from "US". Is it a federal regulation, if so, which ?. Thanks.

Quote:

Originally Posted by jragosta 


What's up with all the font tags? It makes quoting your text very difficult.

Sorry, I just cut and pasted directly from the OS X dictionary.

It's one thing to scan all your emails and such for keywords, to try and target ads at you. It's not nice, but it's still only a computer program looking through your stuff, not a person. But sending your personal details to a real living person raises more concerns.

Quote:

Originally Posted by habi 

What th e hell do you mean? This article says Google said it was a feature that google sends private information to 3rd parties ( developers) without consent nor mention in the privacy policy about what exactly happens!!! Your point is then fully wrong and proved wrong!!!!

Wrong topic.  You jumped into a subthread about companies selling personal info in general.  (I know it's difficult to keep up unless you read every post.)

As far as Google's app store goes, I think that, to prevent confusion, they should prominently let buyers know what info is passed during an app sale, and perhaps give a way to opt out.

For physical internet purchases, it is assumed that our info goes to the seller.  Downloadables from an aggregate app store are usually thought of as a more anonymous type of purchase.

Quote:

Originally Posted by KDarling 

 

Wrong topic.  You have jumped into a subthread about companies selling personal info in general.  (I know it's difficult to keep up unless you read every post.)

 

As far as Google's app store goes, I think that, to prevent confusion, they should prominently let buyers know what info is passed during an app sale.

No he didn't. You've jumped into a subthread in an alternate universe. I know it's difficult to keep up if you are making it up as you go along.

Originally Posted by Taniwha 

So whether or not a specific data item is PI depends on the availability of the extra, missing, info. And this can come from external sources, which when combined with the original data turn it into PI ! This is what apple allows, and the law prevents. Get it ??

Odd, huh.

Funny how this has gone overlooked by every single government in question, then.

Guess WhitePages.com is illegal. Phone numbers are personal information, in the first place. As are addresses.

How does one link non-personal information to personal information without a baseline? You'd have to have at least one piece of personal information to, you know, get the person.

Great, so Apple is supposed to police themselves and every single other company with which they do business, preventing the use of any and all data obtained by said companies in any and all manners. Except no, that's not how it works. 

Okay.

So your actual answer to my question would be what? This gives me nothing.

Quote:

Originally Posted by jragosta 


Exactly. Heck, even when information was NOT transmitted, but simply the location of cell towers stored on the phone, everyone was all over Apple.

There is clearly a double standard.

The one who makes the most waves invites the most scrutiny. If Apple can't stand the heat, stay out of the kitchen.

Quote:

Originally Posted by Haggar 

 

The one who makes the most waves invites the most scrutiny. If Apple can't stand the heat, stay out of the kitchen.

agreed. but it was Google that pressured the Australians that first broke this story to water it down. how's that for taking the heat?

what aggravates many of us here is Google's utterly pompous phoniness about its rip it off - anything - and sell it business plan - including us - in the name of openness and universal knowledge.

Quote:

Originally Posted by Alfiejr 

but it was Google that pressured the Australians that first broke this story to water it down.

"Pressured"?

Digler may be inclined to portray it that way, but to the disappointment of some of his fans the original article says only:

"I was asked to change the headline (both the homepage headline and SEO headline inside the story), as well as the standfirst and lead (first paragraph). Google's issue was with the use of the word 'flaw."

They simply asked her, and apparently on further review she felt inclined to agree.

For those calling "double standard":  I suppose what Google should have done was to have their CEO hold a "Google Playgate" town hall meeting where he insults the journalists? But wait, only Steve Jobs and Apple are allowed to do that. Double standard indeed.

Quote:

Originally Posted by Haggar 

For those calling "double standard":  I suppose what Google should have done was to have their CEO hold a "Google Playgate" town hall meeting where he insults the journalists? But wait, only Steve Jobs and Apple are allowed to do that. Double standard indeed.

Would that be similar to when in an interview, then-CEO Eric Schmidt said that people who don’t like Google’s Street View cars taking pictures of their homes and businesses can just move afterward to protect their privacy?  That kind of insult?

Quote:

Originally Posted by Tallest Skil 

Originally Posted by Taniwha 

So whether or not a specific data item is PI depends on the availability of the extra, missing, info. And this can come from external sources, which when combined with the original data turn it into PI ! This is what apple allows, and the law prevents. Get it ??

If we do combine non-personal information with personal information the combined information will be treated as personal information for as long as it remains combined.

 

Odd, huh.

And that is the problem. They define non-personal information as above, leaving out the "direct or indirect association with any specific person" and limiting it to direct association. This is NOT what the privacy law in the vast majority of countries would accept as a legitimate definition of non-personal data.

 

Funny how this has gone overlooked by every single government in question, then.

Take the example of a phone number. It is no big deal to search an online phone directory for numbers, and then to retrieve the name, address and other info.

 

 

Guess WhitePages.com is illegal. Phone numbers are personal information, in the first place. As are addresses.

 

 

Then the Apple policy goes on to say that they can use non-personal data in any way. Which does NOT limit them to transferring it to third parties and which does NOT prevent the third parties from linking it with external identifying data.

 

 

How does one link non-personal information to personal information without a baseline? You'd have to have at least one piece of personal information to, you know, get the person.

They only say APPLE treat a combination of personal and non-personal data (by their definition) as personal data so long as it is combined.  So in fact, as I have repeatedly pointed out, the guarantee is worthless.

 

Great, so Apple is supposed to police themselves and every single other company with which they do business, preventing the use of any and all data obtained by said companies in any and all manners. Except no, that's not how it works. 

The EU definition is in 95/46/EC  ----> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

 

Look for Article 2, Definitions.

 

Okay.

(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

 

So your actual answer to my question would be what? This gives me nothing.

Hey TS. I've got some advice for you. Free !  .... Don't bring a knife to a gunfight. You're completely out of your depth on privacy law.  I'll ignore the more stupid comments, but take up two because you inadvertently hit the nail.

How does one link non-personal information to personal information without a baseline? You'd have to have at least one piece of personal information to, you know, get the person.

This is EXACTLY what I already pointed out and what you keep on denying. An ADDRESS is not, per se, personal information. So in your haste and determination to ague about things that you simply don't understand you actually concede the point. Thanks.

Great, so Apple is supposed to police themselves and every single other company with which they do business, preventing the use of any and all data obtained by said companies in any and all manners. Except no, that's not how it works. 

Yes. This is exactly what Apple has do do. Now I don't give a rat's ass whether you believe it or not, but this is what I spend my working days doing.  And NO, you're completely wong. It is EXACTLY how it works. That is something that we enter into contracts with business partners to guarantee. I happen to be one of the people who'se job it is to write the contracts. So when a company wants to do business with my company (actually a multinational, doesn't belong to me personally :-) ) we put terms into the contract to ensure that the partner enters into a binding and legally enforceable contract to make damn sure that they only use any personal data they get from us in the context of the business relationship, in a manner commensurate with the law and ALSO check that they have privacy policies in place which give us useful guarantees that they don't violate any privacy (or other, for that matter) laws in the context of their other business activities. We carry out Audits to check on that. So get used to it TS. That IS how it works. Our company policies require us ONLY to do business with partners who meet our code of conduct and privacy and compliance rules, and we have policies in place that allow us to fire any internal employee who violates the (privacy) law. Zero tolerance. Because of the way EU privacy law works (and to a great extent it does work) we have to do that because of the fact that by transferring personal information to ANY third party, we are 100% liable for what they do with the data.  This makes it difficult to do business with some US companies because they generally have trouble to understand that outside of the US you simply can't do anything you like to make a buck. Fortunately there are increasingly more US companies that are beginning to take privacy seriously. Google is not one of these in my view. Facebook definitely not, Apple evidently also not. There are LAWS that have to be respected. Even by APPLE !!

And the outcome of this discussion is that if and when Apple wants to do business with us, then I will make damn sure that they change their definition of personal and non-personal information, at least in the context of our service contract, to bring it into compliance with what the law requires. I will also do an in-depth analysis to ensure that security and other requirements are met in full and guarantees in place in the contracts and internal policies of the partner. If not, then I veto the proposal and it stops there. Now in some cases, we as a company do not have the means to force a specific vendor to enter into a fully compliant contract. So in that case I call in the authorities and if they approve the contract as far as it goes, then that's OK with me (I may not LIKE it, but its the law). But if the authorities veto the proposal then its dead for the entire EU. So Apple/Google/Facebook/Microsoft may be wise to take that into consideration as well.

As I said TS, don't bring a knife to a gunfight.

Quote:

Originally Posted by Alfiejr 


bullshit. they went over her head.

She failed to mention that in here article.  Do you have a source for that?

Quote:

Originally Posted by MacRulez 

She failed to mention that in here article.  Do you have a source for that?

bullshit. read her "comment" again. "i was asked" she says. that means, by her editor(s), who make decisions like that. it is very clear from her comment she did not agree with the change, since she disputes that interpretation.

now go away.

Quote:

Originally Posted by Alfiejr 

bullshit. read her "comment" again. "i was asked" she says. that means, by her editor(s), who make decisions like that. it is very clear from her comment she did not agree with the change, since she disputes that interpretation.

 

now go away.

She wrote "I was asked", and she says the suggestions were from Google.  She doesn't mention "pressure" from her editor, or anyone else.

If you have any actual information you may want to provide a link to it, or you can leave your claim unsupported as mere conjecture, whichever you prefer.

Quote:

Originally Posted by Taniwha 

Quote:

Originally Posted by Tallest Skil 

Originally Posted by Taniwha 

So whether or not a specific data item is PI depends on the availability of the extra, missing, info. And this can come from external sources, which when combined with the original data turn it into PI ! This is what apple allows, and the law prevents. Get it ??

If we do combine non-personal information with personal information the combined information will be treated as personal information for as long as it remains combined.

 

Odd, huh.

And that is the problem. They define non-personal information as above, leaving out the "direct or indirect association with any specific person" and limiting it to direct association. This is NOT what the privacy law in the vast majority of countries would accept as a legitimate definition of non-personal data.

 

Funny how this has gone overlooked by every single government in question, then.

Take the example of a phone number. It is no big deal to search an online phone directory for numbers, and then to retrieve the name, address and other info.

 

 

Guess WhitePages.com is illegal. Phone numbers are personal information, in the first place. As are addresses.

 

 

Then the Apple policy goes on to say that they can use non-personal data in any way. Which does NOT limit them to transferring it to third parties and which does NOT prevent the third parties from linking it with external identifying data.

 

 

How does one link non-personal information to personal information without a baseline? You'd have to have at least one piece of personal information to, you know, get the person.

They only say APPLE treat a combination of personal and non-personal data (by their definition) as personal data so long as it is combined.  So in fact, as I have repeatedly pointed out, the guarantee is worthless.

 

Great, so Apple is supposed to police themselves and every single other company with which they do business, preventing the use of any and all data obtained by said companies in any and all manners. Except no, that's not how it works. 

The EU definition is in 95/46/EC  ----> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

 

Look for Article 2, Definitions.

 

Okay.

(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

 

So your actual answer to my question would be what? This gives me nothing.

Hey TS. I've got some advice for you. Free !  .... Don't bring a knife to a gunfight. You're completely out of your depth on privacy law.  I'll ignore the more stupid comments, but take up two because you inadvertently hit the nail.

 

 

How does one link non-personal information to personal information without a baseline? You'd have to have at least one piece of personal information to, you know, get the person.

 

This is EXACTLY what I already pointed out and what you keep on denying. An ADDRESS is not, per se, personal information. So in your haste and determination to ague about things that you simply don't understand you actually concede the point. Thanks.

 

Great, so Apple is supposed to police themselves and every single other company with which they do business, preventing the use of any and all data obtained by said companies in any and all manners. Except no, that's not how it works. 

 

Yes. This is exactly what Apple has do do. Now I don't give a rat's ass whether you believe it or not, but this is what I spend my working days doing.  And NO, you're completely wong. It is EXACTLY how it works. That is something that we enter into contracts with business partners to guarantee. I happen to be one of the people who'se job it is to write the contracts. So when a company wants to do business with my company (actually a multinational, doesn't belong to me personally :-) ) we put terms into the contract to ensure that the partner enters into a binding and legally enforceable contract to make damn sure that they only use any personal data they get from us in the context of the business relationship, in a manner commensurate with the law and ALSO check that they have privacy policies in place which give us useful guarantees that they don't violate any privacy (or other, for that matter) laws in the context of their other business activities. We carry out Audits to check on that. So get used to it TS. That IS how it works. Our company policies require us ONLY to do business with partners who meet our code of conduct and privacy and compliance rules, and we have policies in place that allow us to fire any internal employee who violates the (privacy) law. Zero tolerance. Because of the way EU privacy law works (and to a great extent it does work) we have to do that because of the fact that by transferring personal information to ANY third party, we are 100% liable for what they do with the data.  This makes it difficult to do business with some US companies because they generally have trouble to understand that outside of the US you simply can't do anything you like to make a buck. Fortunately there are increasingly more US companies that are beginning to take privacy seriously. Google is not one of these in my view. Facebook definitely not, Apple evidently also not. There are LAWS that have to be respected. Even by APPLE !!

 

And the outcome of this discussion is that if and when Apple wants to do business with us, then I will make damn sure that they change their definition of personal and non-personal information, at least in the context of our service contract, to bring it into compliance with what the law requires. I will also do an in-depth analysis to ensure that security and other requirements are met in full and guarantees in place in the contracts and internal policies of the partner. If not, then I veto the proposal and it stops there. Now in some cases, we as a company do not have the means to force a specific vendor to enter into a fully compliant contract. So in that case I call in the authorities and if they approve the contract as far as it goes, then that's OK with me (I may not LIKE it, but its the law). But if the authorities veto the proposal then its dead for the entire EU. So Apple/Google/Facebook/Microsoft may be wise to take that into consideration as well.

 

As I said TS, don't bring a knife to a gunfight.

The problem with your repeated arguments on this subject is that Apple clearly defines phone numbers, addresses etc., in their privacy policy, as personal information. So arguing that they are not personal information and thus vulnerable to disclosure is irrelevant, as is claiming authority on the subject if you don't read the material first.

The problem was that she originally wanted to use the phrase "massive security flaw"... probably to get hits.

However, it was not a flaw or bug, but rather something done intentionally.

She could've come up with headlines talking about the intentional part instead.  It could've been just as dramatic, and far more accurate.

Quote:

Originally Posted by KDarling 

The problem was that she originally wanted to use the phrase "massive security flaw"... probably to get hits.

 

However, it was not a flaw or bug, but rather something done intentionally.

 

She could've come up with headlines talking about the intentional part instead.  It could've been just as dramatic, and far more accurate.

That may be true. Google could also have helped more if they had clarified that their payment system simply collects payment on behalf of the developer, and that as a party to the transaction the developer might be expected to be aware of the identity of the customer. Quite different from the purchased app getting access to PII.