Theft With Permission

Last year, I wrote a couple of articles for The Sweet Setup with my recommendations for great apps to shoot and edit photos on your iPhone. I wanted to be thorough, so I downloaded a couple of dozen apps to choose from for each review. And, just about every time, I was asked to confirm that it was okay for that app to use the camera, then to confirm that it was okay to use my location to tag the photos, and then to confirm that it was okay to access the photo library. If the app shot video, I’d maybe also be asked to grant permission to use the microphone.

In a vacuum, these prompts for permission make sense, and it’s not like they haven’t been born of purpose. The reason you have to confirm the use of your contacts is directly because of the Path app. If we didn’t have to confirm the use of location data, you can bet every ad-supported app would exploit it. But, since we have to permit the use of our location, surveillance-friendly developers have accepted that they should respect a user’s decision not to opt in. Right?

Of course not. The economy of surveillance capitalism has an insatiable appetite for data and, if they can’t get it legitimately, mischievous developers will figure out another way.

It’s possible to use Bluetooth beacons to approximate the location of a device. So, in iOS 13, apps are now required to ask permission to use Bluetooth, and those of us using the beta seeds so far have been pretty surprised at the number and variety of apps that have been requesting Bluetooth permissions.

Marco Arment retweeted a screenshot from Benjamin Herrin today that shows nearly fifty apps on his device that have so far thrown a Bluetooth prompt, including Lyft, IKEA, and Smoothie King. But a majority of the apps in that list are largely for media and, likely, implement Google’s Chromecast “sender” SDK, which lists the CoreBluetooth framework as a dependency. As a result, if you want to output video from your phone to your Chromecast device, you inherently give permission for the app to estimate your location using Bluetooth. If you explicitly give an app permission to use your location, that app might hand it over to a third-party marketing and analytics firm for their own use. That’s exactly what happened to users of Accuweather’s app.

Apple does its part in trying to combat these insidious privacy violations. They have rules that disallow tracking users without their knowledge; they display permissions dialogs. But nobody’s fooling themselves: bad developers will always find a way to excavate user data. Just look at the myriad shitty uses of JavaScript on the web. Besides, asking Apple to somehow police the shuffling of user data from one service to another is a ridiculous proposition. I’m not feeling sorry for big tech companies; I’m being realistic.

This is why it’s so critical for the privacy of user data to be enshrined in law. We are being universally surveilled and there’s little we can do to change that. Permissions dialogs are far more than decoration, and it is useful to inform users about what technologies the app wishes to use, but they are no longer capable of bearing the burden hoisted upon them. Users — we — need enforceable and realistic legal protections.