Thread: iPhone/iPod Touch/iPad applications using PinchMedia

  1. #1
    PepiMK, Member of Team Spybot

    iPhone/iPod Touch/iPad applications using PinchMedia

    Why applications using Pinch Media might be called Tracking Software or Spyware

    As an introduction, please read our article on how we classify products for detection in Spybot.

    Do Pinch Media enabled apps really collect PII (personally identifiable information)?


    PinchMedia gives an overview of the data they collect:
    For each application run, Pinch Analytics collects the following information:
    • the application version
    • the device model (iPhone, iPhone 3G, iPod Touch, etc.) and OS version
    • the device's unique identifier
    • the time the application started and stopped
    • any data you pass us as a custom action
    • the results of a simple piracy check
    • if CoreLocation is enabled (useCoreLocation:YES), the user's latitude and longitude
    • if Facebook Connect for iPhone is enabled, the user's age and gender

    We also receive the standard information included with a regular HTTP request, like the user's IP.
    Now let's take a look at Wikipedia on PII:
    Personally Identifiable Information (PII), as used in information security, refers to information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.
    With some examples in detail:
    The following are often used for the express purpose of distinguishing individual identity, and thus are clearly PII under the definition used by the U.S. Office of Management and Budget (described in detail below):
    • Full name (if not common)
    • National identification number
    • IP address (in some cases)
    • Vehicle registration plate number
    • Driver's license number
    • Face, fingerprints, or handwriting
    • Credit card numbers
    • Digital identity
    • Birthday
    • Birthplace
    • Genetic information

    The following are less often used to distinguish individual identity, because they are traits shared by many people. However, they are potentially PII, because they may be combined with other personal information to identify an individual.
    • First or last name, if common
    • Country, state, or city of residence
    • Age, especially if non-specific
    • Gender or race
    • Name of the school they attend or workplace
    • Grades, salary, or job position
    • Criminal record
    This shows that we have three pieces of PII collected here: IP address, the UDID (unique device ID), and possibly geo-location and birthdate, which combined are PII as well.

    Finally, if you take a look at the definition above, you'll notice that it does not even have to be PII to be called Tracking Software or Spyware - information about the user might be - depending on each case - sufficient for such classification.

    Are there any other side-effects I may not know of?

    In the first days of the iPhone, its only users were tied to AT&T and their fixed contracts with data flat rates. Nowadays, everyone can buy an iPhone, even one not locked to any carrier, which means there are iPhone users out there who actually have to pay for every byte of traffic. For these, every application start (and other beacons used by the application) may cause actual costs. If the user is not sufficiently informed about this (our opinion is that the Apple EULA is not sufficient), the application developer is responsible for these damages (see sentence 55 of European Directive 95/46/EC). For indications on what might be regarded as sufficient, I suggest a look at the threat category called dialers, and the legal requirements for those.

    Pinch Media allows developers to transmit data on WiFi only - if this is enabled, this problem will not appear. But if users are not even informed that Pinch Media is used, they obviously are not informed about whether it's safe or not for their data plan.
    Last edited by PepiMK; 2010-05-21 at 12:20.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
