http://online.wsj.com/article/SB10001424052748703983704576277101723453610.html

APRIL 22, 2011

Apple, Google Collect User Data

Apple Inc.'s iPhones and Google Inc.'s Android smartphones regularly transmit their locations back to Apple and Google, respectively, according to data and documents analyzed by The Wall Street Journal--intensifying concerns over privacy and the widening trade in personal data.

Google and Apple are gathering location information as part of their race to build massive databases capable of pinpointing people's locations via their cellphones. These databases could help them tap the $2.9 billion market for location-based services--expected to rise to $8.3 billion in 2014, according to research firm Gartner Inc.

In the case of Google, according to new research by security analyst Samy Kamkar, an HTC Android phone collected its location every few seconds and transmitted the data to Google at least several times an hour. It also transmitted the name, location and signal strength of any nearby Wi-Fi networks, as well as a unique phone identifier.

Google declined to comment on the findings.

Until last year, Google was collecting similar Wi-Fi data with its fleet of StreetView cars that map and photograph streets world-wide. The company shut down its StreetView Wi-Fi collection last year after it inadvertently collected e-mail addresses, passwords and other personal information from Wi-Fi networks. The data that Mr. Kamkar observed being transmitted on Android phones didn't include such personal information.

Apple, meanwhile, says it "intermittently" collects location data, including GPS coordinates, of many iPhone users and nearby Wi-Fi networks and transmits that data to itself every 12 hours, according to a letter the company sent to U.S. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) last year. Apple didn't respond to requests for comment.

The Google and Apple developments follow the Journal's findings last year that some of the most popular smartphone apps use location data and other personal information even more aggressively than this--in some cases sharing it with third-party companies without the user's consent or knowledge.

Apple this week separately has come under fire after researchers found that iPhones store unencrypted databases containing location information sometimes stretching back several months.

Google and Apple, the No. 1 and No. 3 U.S. smartphone platforms respectively according to comScore Inc., previously have disclosed that they use location data, in part, to build giant databases of Internet Wi-Fi hotspots. That data can be used to pinpoint the location of people using Wi-Fi connections.

Cellphones have many reasons to collect location information, which helps provide useful services like local-business lookups and social-networking features. Some location data can also help cellphone networks more efficiently route calls.

Google also has said it uses some of the data to build accurate traffic maps. A cellphone's location data can provide details about, for instance, how fast traffic is moving along a stretch of highway.

The widespread collection of location information is the latest frontier in the booming market for personal data. Until recently, most data about people's behavior has been collected from personal computers: That data generally can be tied to a city or a zip code, but it is tough to be more precise. The rise of Internet-enabled cellphones, however, allows the collection of user data tied with much more precision to specific locations.

This new form of tracking is raising questions from government officials and privacy advocates. On Wednesday, Rep. Markey sent a follow-up letter to Apple asking why the company is storing customer-location data on its phones.

"Apple needs to safeguard the personal location information of its users to ensure that an iPhone doesn't become an iTrack," Rep. Markey said in a statement.

Google previously has said that the Wi-Fi data it collects is anonymous and that it deletes the start and end points of every trip that it uses in its traffic maps. However, the data, provided to the Journal exclusively by Mr. Kamkar, contained a unique identifier tied to an individual's phone.

Mr. Kamkar, 25 years old, has a controversial past. In 2005, when he was 19, he created a computer worm that caused MySpace to crash. He pled guilty to a felony charge of computer hacking in Los Angeles Superior Court, and agreed to not use a computer for three years. Since 2008, he has been doing independent computer security research and consulting. Last year, he developed the "evercookie"--a type of tracking file that is difficult to remove from computers--as a way to highlight the privacy vulnerabilities in Web-browsing software.

The Journal hired an independent consultant, Ashkan Soltani, to review Mr. Kamkar's findings regarding the Android device and its use of location data. Mr. Soltani confirmed Mr. Kamkar's conclusions.

Transmission of location data raises questions about who has access to what could be sensitive information about location and movement of a phone user.

Federal prosecutors in New Jersey are investigating whether smartphone applications illegally obtained or transmitted information such as location without proper disclosures, the Journal reported in April, citing people familiar with the matter.

A spokeswoman for the Office of the Privacy Commissioner of Canada said the office "had concerns" about using cellphones to collect Wi-Fi data and has expressed those concerns to Google. "The whole issue of the tracking capabilities of new mobile devices raises significant privacy issues," she said.

The business of collecting location information began in 2003, when Boston-based Skyhook Inc. launched and began the practice of "wardriving"--cruising around in cars to collect information about Wi-Fi hotspots. Comparing the names and signal strengths of nearby Wi-Fi hotspots against a database allows for a cellphone's location to be determined within 100 feet, in many cases, Skyhook says.

"For the first four or five years, people thought we were nuts," said Ted Morgan, Skyhook's founder and CEO. "We invented this whole concept of driving around and scanning for Wi-Fi and tuning these algorithms."

In 2007, Google began building its own Wi-Fi database, using the StreetView cars. Last year, Apple switched from using Skyhook and began creating its own database of Wi-Fi points for use on its newest phones, although it still uses Skyhook data for older phones and Macintosh computers.

Skyhook's Mr. Morgan says the company attempts to protect users' privacy by collecting data via cellphone only when a person requests location from its servers--for instance when they are actively looking at a map. Each time a user requests location, the information is encrypted and gathered without any identifying user numbers, Mr. Morgan says. That means Skyhook can't follow a person from one location to the next, he says.

Google seems to be taking a different approach, to judge from the data captured by Mr. Kamkar. Its location data appears to be transmitted regardless of whether an app is running, and is tied to the phone's unique identifier.

In its letter to Congress last year, Apple said that it only collects location data from people who use apps that require location. It doesn't specify how often a person must use the app for intermittent collection to occur.

Apple also said in the letter that it collects Wi-Fi and GPS information when the phone is searching for a cellular connection. Apple said the data it transmits about location aren't associated with a unique device identifier, except for data related to its mobile advertising network.

Apple gathers the data to help build a "database with known location information," the letter says. "This information is batched and then encrypted and transmitted to Apple over a Wi-Fi Internet connection every twelve hours (or later if the device does not have Wi-Fi Internet access at that time)," the company wrote in the July letter to Congress.

The letter, which is available on Rep. Markey's website, became newsworthy this week in light of findings from two researchers who uncovered a file on iPhones that keeps a record of where the phone has been and when it was there. The file is unencrypted and stored by default.

The discovery of this location file touched off a furor among iPhone owners who could see for the first time a trove of location data about themselves stored on their phones. The researchers, Alasdair Allan and Pete Warden, said that they had no evidence that the file was being transmitted to Apple.

Write to Julia Angwin at julia.angwin@wsj.com