Sleeping Phones Lie

Geoffrey A. Fowler, Washington Post:[1]

It’s 3 a.m. Do you know what your iPhone is doing?

Mine has been alarmingly busy. Even though the screen is off and I’m snoring, apps are beaming out lots of information about me to companies I’ve never heard of. Your iPhone probably is doing the same — and Apple could be doing more to stop it.

On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.

And all night long, there was some startling behavior by a household name: Yelp. It was receiving a message that included my IP address — once every five minutes.

Of course, when you click to read this article, you’ll communicate with twenty-five other domains that will pilfer information like your full IP address and other unique identifiers, any of which can be tied back to your name or email address with little effort. If you’re using Safari, though, you’ll have some protection in the form of Intelligent Tracking Prevention; you may also use content blockers with your browser. I wish there were something like ITP across iOS. Even if Apple were to do a better job of policing the App Store and prevent unnecessary trackers in apps, many developers would find a way around those rules.

Update: This paragraph is key:

Yet very few apps I found using third-party trackers disclosed the names of those companies or how they protect my data. And what good is burying this information in privacy policies, anyway? What we need is accountability.

Adequate disclosure cannot be left up to developers, many of whom will ignore that rule — either because they are bad actors deliberately exploiting users, or because they are ashamed of their anti-privacy practices. That shame, by the way, is a great indicator that bad choices are being made.

Anyway, full disclosure needs to be mandated by the system in much the same way the camera cannot be used without the user’s permission. Unfortunately, those permission dialogs are already overwhelming, and I suspect many users don’t fully read them before granting permission.

  1. Add one more onto your tally of stories about Apple and privacy that use a photo of that Las Vegas billboard from CES.