Aug 30, 2009
 

I previously reported that all of the iPhone games written by Storm8, which include Vampires Live, were stealing your iPhone cell number without your prior and explicit permission. This was Spyware. Period. I’m happy to report that they have fixed the issue, and it’s time to take a look at Pinchmedia, which provides the developer tools to obtain metrics for Storm8 and numerous other developers.

All of the Storm8 games received a “bug fix” upgrade. The talented Geeks from the iPhone Jailbreak Community have the facts. Please read all of the posts. Here are some juicy extracts:

Yup that is right “Small bug fixes”, withholding my laughter & taunts I got swiftly back to testing. And indeed the “Small bug fix” included the removal of the offending mobile phone number tracking.

The great news is that Storm8 applications no longer track & harvest your mobile phone number and this indeed is a cause for celebration. Kudos to the community!

My thoughts: This is great news; however, a number of questions still remain:

(1) What assurance do we have that Storm8 will not engage in “hide and seek” and, in the next upgrade, put the Spyware code back in their games and resume harvesting your phone number? This kind of behavior occurred in the 2005 era with the Spyware slime bags of the Web. Certainly, we can’t count on Apple to police this behavior, as they have effectively washed their hands of the issue, which I will document below.

(2) Storm8 is publicly silent on this issue. We still need these issues resolved: What have you done with the millions of phone numbers you have stolen? Have you destroyed them? Have you already sold them to other abusers? Have you notified the millions of iPhone users that your “Bug” stole their phone numbers, and of the exact actions you have performed to not only correct the issue but ensure that it does not happen again with ALL of your games? Please, in writing, on your letterhead, and signed by an officer of Storm8 LLC.

 A look at Pinchmedia:

This company provides the tools for Storm8 and numerous other iPhone developers to obtain user metrics in their iPhone applications. Think Google Analytics in some respects for the Web. Pinchmedia distributes these tools to developers free of charge. To their credit, when this issue exploded they did take action and did a pretty good job of getting “in front of the story” BUT I still have serious issues with them.

 The Pinchmedia web site contains a release which says in part:

First, we’ve released a new version of our Pinch Analytics library that makes it even easier to add application-level opt-outs. When the device owner opts out, no anonymous usage data is collected, and all anonymous usage data for that application cached on the phone is deleted. We’ve made the opt-out code as flexible as possible, so the opt-out mechanism can be placed inside the application itself or within the Settings application. Developers who wish to add these optional opt-outs can find full documentation and sample code within our developer portal.

I suggest you read the entire release and draw your own conclusions and facts. User metrics for the Web are very valuable, and this aggregated data helps site owners fine-tune their sites and enhance the user experience. I use Google Analytics on this site and disclose same in my detailed Privacy policy. The iPhone is a little bit different in some respects, but I have no issues with Pinchmedia providing their developers the following data in aggregated form:

application version number
unique ID of your iPhone (UDID)
points (if applicable)
iPhone model
firmware version
Start and stop time of a given application
Has the application been cracked
Did the owner Jailbreak their iPhone

All of these slivers of data which Pinchmedia provides their developers in aggregated form are very valuable. They help the developer improve the application, tell them where to spend their development time and which features are used, and let them remove others which are not used. Where I have serious problems is in the area of Specific consent to transmit:

your location (to 8 decimal points) via the GPS feature built into the iPhone
the ability to harvest your phone number without your specific consent
your gender (if facebook enabled)
your birth month (if facebook enabled)
your birth year (if facebook enabled)

Pinchmedia has stated that they only maintain/store the City and State of your location, and their developers only receive aggregated data which would say that during a given time period 123 unique users of a given application were located in Fargo, North Dakota. Who is policing the specific consent to obtain this data? Asking developers to implement specific consent for the location of your iPhone is nice, but what about the compliance of same? For example, I use Tweetie on my iPhone. The first time I used the Nearby feature it asked me for specific consent BEFORE I could find other Twitter users near me. Evernote and PicPosterous perform a similar action to ensure that I consent to disclosing my location.

Greg Yardley (Co-Founder & CEO) of Pinchmedia has posted on the iPhone Jailbreak Community web site and repeated during a Podcast on this site that developers are protected by the Apple EULA so they don’t have to hire attorneys. I’m not using his exact words but that was the message. I wish he hadn’t said this because it’s NOT TRUE and never has BEEN.

For your reading pleasure, from Apple’s Privacy Policy Terms of Sale from the App store:

“Apple is not responsible for Third Party Products, the content therein, or any warranties or claims that you or any other party may have relating to that Third Party Product or your use of the Third Party Product.”

In the Apple SDK agreement, which Pinchmedia and every iPhone developer must sign and agree to, we have:

Local Laws, User Privacy, Location Services and Mapping:

3.3.7 Applications must comply with all applicable criminal, civil and statutory laws and regulations, including those in any jurisdictions in which Your Applications may be delivered. In addition, for Applications that use location-based APIs or that collect, transmit, maintain, process, share, disclose or otherwise use a user’s personal information or data:

- You and the Application must comply with all applicable privacy and data collection laws and regulations with respect to any collection, transmission, maintenance, processing, use, etc. of the user’s location data or personal information by the Application.

- Applications may not be designed or marketed for the purpose of harassing, abusing, stalking, threatening or otherwise violating the legal rights (such as the rights of privacy and publicity) of others.

- Applications may not perform any functions or link to any content or use any robot, spider, site search or other retrieval application or device to scrape, retrieve or index services provided by Apple or its licensors, or to collect, disseminate or use information about users for any unauthorized purpose. {<— Such as selling information to telemarketers .–**Note added by agent, (Name)**}

I have also carefully reviewed the Apple Legal Notice on my iPhone and there is NOTHING in this document which effectively offers a blanket protection for developers. It’s easy to see that Apple has clearly washed their legal hands of developer compliance with respect to specific consent and data that applications harvest, in spite of the fact that they earn about 30% of every application sale and deliver all these applications. In my view and that of others, the Operating System for the iPhone which Apple created is flawed and provides an open invitation for abuse. The bad guys can and will harvest and abuse. An extract from the San Francisco Chronicle:

1) Apple must implement a mandatory operating system level restriction on the handling and transmission of user names and passwords. User names and passwords must be encrypted all the time.

2) Consumers must have an “opt-out-of-tracking” or privacy alternative. Ideally, all iPhone users must have their settings defaulted to no-tracking-allowed or Privacy enabled.

At a minimum, Apple’s actions are morally and ethically reprehensible. Mark my words, and I could certainly be wrong, but the day will arrive for legal action against Apple, AT&T (the US carrier) and iPhone developers. I’m not an attorney, but that’s my educated guess based on my days in the fighting Spyware club.

Pinchmedia could certainly argue that they are in fact relying on Apple’s legal clauses which are documented above to ensure that their developers are in compliance with specific consent. On the other hand, I would prefer to see them tighten the screws even tighter to ensure that their developers are in compliance. Witness their developer named Storm8, who previously stole phone numbers. I’m willing to believe Pinchmedia’s statements that they do not retain personally identifiable data on users such as their exact location, name, address, etc. However, they could certainly enhance their image by telling the world EXACTLY what their business model is. How will they make money? A lot of people view this as a critical issue to ensure that sometime in the future they don’t violate privacy laws or engage in and/or enable Spyware distribution, Spam, and telemarketing. I have no data to suggest that they have or would, BUT only time will tell, so please disclose exactly how you plan to monetize your company and/or any other companies you may own or have an interest in.