I completely agree with you and everyone else who takes this stance.
However in this case I'm willing to let it slide as in the past two days this story has been submitted three times* with a total of 30 upvotes and one comment between them.
In cases like this I usually upvote the first submission and file under 'Things that I think are interesting, but other people seem not to'.
Fair enough, but the official guideline is as follows:
"Please submit the original source. If a blog post reports on something they found on another site, submit the latter."
I think PG sacrifices a lot of clarity for some cleverness here, so here's my rewrite, that I believe is identical in spirit, and hopefully at least slightly clearer:
"Please submit the original source. If a blog post reports on something they found on another site, submit the site the blogger found it on."
Personally, I'm not a rules nut, but he DID ask for the official stance.
In some instances it is more appropriate to link to a blog:
Don't abuse the text field in the submission form to add commentary to links. The text field is for starting discussions. If you're submitting a link, put it in the url field. If you want to add initial commentary on the link, write a blog post about it and submit that instead.
Personally, I think a comment explaining the motivation for linking to a blog rather than the original source, as dshankar provided, is sufficient to justify a blog link.
Definitely true, but you need to determine if the blog post is adding value to the discussion, or just sensationalizing it. The world is full of people who can borrow a few lines and blow them out of proportion, but we should (and do) expect HNers' to do better than that.
A lot of blog posts wind up being just extremely wordy retweets.
I'd also submit that a blog post is the way to go if the source material is either too technical or too difficult to follow, and a blog post simply makes more sense to the HN readership. Or, even if the article is just way too long. Linking straight to a Nature article may be too much for the casual reader.
Worse, even the WSJ article has the whiff of sensationalism. For example, this is what you find very near the top of the article:
These phones don't keep secrets. They are sharing this personal data widely and regularly, a Wall Street Journal investigation has found.
An examination of 101 popular smartphone "apps" -- games and other software applications for iPhone and Android phones -- showed that 56 transmitted the phone's unique device ID to other companies without users' awareness or consent.
Later on, the UDID is called "supercookie" and the article emphasizes the fact that it "can never be changed or turned off".
That would be truly scary if they showed some proof that the user, as a person, could be easily identified by their phone's UDID. Okay, the carrier has that information, but who else has it? Somehow I don't think that the relationship between your phone's UDID and your identity is something easily available to just about anyone.
The UDID and the phone owner's name are easily correlated. As soon as you register for an account on a game or app, you will connect UDID to your email or first/last name. As soon as that happens, it could easily end up in Rapleaf or another system for other data brokers to get access to.
The connection just has to happen once, in one app, for all of them to benefit from it.
On the plus side, an app getting this data could auto-register you since it knows you based on your UDID as soon as you install the app, just sending you an email confirmation and a password. :-)
In order to get any online data broker interested in your data, you have to tie it to their browser cookie.
On iOS, this is hard, thanks to sandboxing. You pretty much have to redirect the user to the Safari browser with the UDID in the query string - which is a pretty crap experience for the user, which is why it's rarely done.
Even then you've only gotten the data into the mobile browser, which is not what the data market wants to pay for right now. People still predominantly buy things through their desktop computers.
I don't know if it's vanity or narcissism or what, but everyone assumes their 'data' has a lot of commercial value. It doesn't. Back when I was running an iPhone analytics startup, I looked into all of this stuff. Wasn't even worth the development work to monetize it.
Would you have to actually redirect them to Safari or could you do something like load a hidden webview? (not quite sure of the right terminology here)
I was thinking the iOS equivalent of a webpage with a hidden iFrame.
Why do you think you need safari or a browser? There are plenty of other (and easier) ways to make HTTP connections in iOS and implement account registration.
Implementing account registration, collecting an e-mail, and then using that e-mail as a unique ID to append data to the data broker's database -- this is possible, but rightly considered PII, so no data broker does this without user opt-in. (In this case the risk exceeds the rewards anyway, but that's another discussion.)
If you're talking about setting a cookie with the data broker's user ID, which then can be read by the data broker on other websites - which is the standard way of shuffling non-PII data around in the absence of an explicit user opt-in - then this doesn't work due to iOS' application sandboxing. You can set a cookie with the data broker's user ID, but the data broker won't be able to retrieve it when the user's off elsewhere surfing the web, when it matters.
Nice. According to the panopticlick, I'm the only one with my exact plugin details. None of the other data is even needed to identify me, though being one of the .005% of people using Firefox 3.6.13 on Ubuntu 10.10 probably helps.
I am very concerned about this particular comment:
"I am a consultant for a software company that does iOS apps. It is scary how much information Apple gives us about the customer. We know everything the customer has (ever) done on their device. This includes their browsing history."
If it is true, I don't know how to do it, and I'm a product guy at an iPhone analytics company. The browser's pretty effectively sandboxed from the application, which is why everybody has to use the UDID to begin with instead of the typical user-id-in-a-cookie scheme used everywhere else.
How does jailbreaking enable normal iOS store apps to access other apps sandboxed datastore? Or do you mean that only Cydia apps can access other apps datastores?
Most of these are not "selling", they're providing normal 'connected' functionality. For example, any app that uses a name and password to access a server, they say is transmitting a password. Any app that you invoke "invite my friends", they say is transmitting your contacts.
Yes, for example, Angry Birds is doing these things. But it's by your request. The graphic doesn't show the data being "sold" or sent to marketers.
People collect location for a lot of reasons - localizing content, planning local advertising purchases, selling in-app advertising to agencies who want to buy access to a particular audience, etc. Sometimes developers just want to understand where their users are coming from out of curiosity.
Usually country and state fulfills the above purposes just fine. I've seen GPS coordinates sent off the device and then converted to country / state before the coordinates were discarded - that's how Pinch Media used to do it. Flurry typically just works with IP address, but when GPS is used, it does the rounding off on the device first so the only thing we're sent is already inaccurate.
Angry Birds only requests the following two permissions on Android-
-Network Communications
-System tools (prevent phone from sleeping)
This doesn't include even coarse location, much less a fine GPS position. Unless they're cracking your system, they can't get more than a guessed geolocation of the IP address you're at.
Nor can they access your contacts, read your personal details, steal your emails, read your phones identifier, etc.
Looking at the WSJ story, they don't even include Angry Birds under Android in their analysis. It is, I think, fascinating that there were so many stories on here about Android apps "stealing your data", yet the iPhone market remained opaque, with so many holding some unsupported notion that a high level curation guaranteed good app behavior.
In this case, despite the Android version being only ad supported, I have comfort that it can't possibly be doing what the iPhone app is doing.
I hope that this is in fact the case, and that the android angry birds isnt just gzipping my contacts db and pushing the whole lot out to an ad agency every time I load the program.
I doubt that it is, I think even the most aggressive and intrusive ad agency would see that the potential bad press that could come from this would outweigh any marketing benefits.
In actual fact, some contact data is sent out only when I use the "share with friends" function (which is never,) as you would expect? Right?
If I went to install Angry Birds on my Android phone and Android stated that it required access to my contacts lists, I would abort the install... Do you get any information like that when installing apps on the iPhone or do you have to trust that Apple makes a good decision for you? I'm not sure how the iPhone permissions stuff works, or if that level of granularity exists at all...?
The permissions stuff is tightly integrated into the android API, apps register everything they do with the OS as somewhat modular 'activities.' IIRC the permissions are enforced at this low level, each registered activity has a list of things it can do associated with it and by adding all these things together you get the permissions profile that you see at app install-time.
This Activities API is also what allows developers to so easily roundtrip to a third party app and back again from within their own app. The barcode scanner is a good example.
EDIT: another example is how Launcher Pro lets you make homescreen shortcuts that "deep link" to functionality that is sometimes several menu-levels down inside an application.
For those of you curious how to do the shortcuts mentioned in his edit, long press on a shortcut spot (empty space on the home screen, shortcut, or even one of the icons at the dock in the bottom), go to shortcuts, and then Activities. It's a pretty awesome feature, and I now have a nice link to my Google Reader account in my dock.
I get requests when an application wants to make use of my location in iOS. Android has permissions requests beyond this, but I'm fairly confident iOS has at least the one.
Ah yes, but that's not entirely accurate. You still get geo-located ads if you haven't given location permission. Apple's ads don't show a notification and since you don't know when your UUID is given out if another app has given your location ads all over can be targeted.
It's a pretty decent opt-out method, but it only works because something hardcoded in the iOS version of Safari sends the UDID as a X-Header in the HTTP request headers -- specifically to the oo.apple.com domain (and a handful of others, all owned by Apple.)
If any other company wants to offer a systemwide opt-out for its iOS software, it's a lot more difficult.
Well what's the need for that kind of information? It'll just confuse the users and Dear Leader Jobs would never expose his flock to any bad apps anyway.
> I hope that this is in fact the case, and that the android angry birds isnt just gzipping my contacts db and pushing the whole lot out to an ad agency every time I load the program.
Christ, for the startup times I get, this is a decent explanation. =\
You don't even need wireshark for that. When you install an app on Android, it displays the list of permissions that the application is requesting. One of the possible permissions is "Read Contacts". If you've installed an app that has "Read Contacts" permission, then ...err.. it can read your contacts db. If the app also has "Internet" permission, then yeah, it probably could zip up your contacts DB and push it out somewhere.
However, if the app doesn't have "Read Contacts" permission then there is no way for the app to access your contacts db, and so reason to worry about it sending your contacts db to someone.
Or course, most apps do request "Internet" permission, so I suppose those apps could be scraping up some info they do have info to and sending that out to a 3rd party. :-(
I don't want to know if my apps read my contact db, I want to know when and how much they read it. I do not trust them to tell me this. So, wireshark it is.
Also why would you ever criticize recreational protocol analysis? Especially on here.
I was pissed until I read the FAQ and discovered when they're using data and what they're using it for. Basically: If you've registered with Crystal Something-or-Other they send your data to them. The WSJ article, at least in the Angry Birds case, seems to have sensationalized things.
First off, when you install an application on Android it tells you every permission that an app asks for, i.e.:
Location
Data
Contacts
Etc
As a developer of mobile apps and a user of both flurry and AdMob, I send them a both user's "data" in order to find out the general location of the user, as well as the OS they are running and the device they own. This isn't "selling" their data, it's giving it to these analytics platforms so we can view our audience and therefore allow us to better serve our users/customers.
The same hoopla can be brought up about Google Analytics and AdWords. This isn't a new phenomenon, and it isn't a big deal.
GPS location and device UUID is a lot different than IP geo-location and cookie that Google Analytics uses. It's also not possible to block--I block Google Analytics and sometimes use proxies, but can't tell Angry Birds to not send out my info.
IP Geo-Location is a hack for when GPS Location and uniqueID aren't available, so the prudent choice to gain accurate analytic info would be to use the most accurate. Especially if you are a developer / publisher trying to tailor your functionality to your particular audience.
Android does inform you, in advance of installation of exactly what information the application would like access to so you can be absolutely aware of what information you are freely giving up when installing an application. Your only means to block access however after installation is if you have root access and modify host entries.
I believe Apple's TOS doesn't allow you to use location data if you're only using it for advertising purposes. This of course wouldn't preclude admob from doing IP Geolocation but I really have no idea how accurate this is on mobile devices.
The IP addresses I commonly get assigned on my iPhone with AT&T are either geo-located in Kansas (166.205.x.x) or Southern California (166.134.x.x). I actually reside somewhere in the middle of those points, but close to a thousand miles from either.
In the submitted subject title, the claim is that private info is being sold. However, in the original WSJ article:
Free and paid versions of Angry Birds were tested on an iPhone.
The apps sent the phone's UDID and location to the Chillingo unit of Electronic
Arts Inc., which markets the games. Chillingo says it doesn't use the
information for advertising and doesn't share it with outsiders.
Chillingo does not deny collecting the info, but they do deny using the information for advertising or sharing it with outsiders.
Just the other day I implemented a hidden webview in an iPhone app. The webview subscribes users to third-party affiliation programs (e.g. Groupon) automatically ... basically the thirdparty service is chosen based on how much money it gives to affiliates / if it's available at the user's location (that's why it needs to be automatic).
Behind the scenes a Javascript is loaded in the webview that does plain requests to these services. Because many do not provide an API, I have to fake it ... XmlHttpRequest is not enough because of all the restrictions. So I implemented my own XmlHttpRequest-type functionality by using webview-delegates, but without the restrictions.
The logic behind using a WebView is that you can load / update the subscription logic on the server-side, without updating the application in the iTunes Store. Best thing of all, this works even with Apple's earlier restrictions related to dynamic languages.
Also, the logic behind doing this client-side is that many services complain when requests come from the same IP. You cannot be caught when moving this client-side.
Just to be clear: users are properly informed they are going to get subscribed for spams from their city.
Apparently, the youtube app sends your username and password to... * gasp * Google!
Oh, the horror. Though I'm quite thankful for the breakdown, as a lot of this is probably almost completely unknown to people, some of the inclusions seem rather suspect. I wonder if they included legitimate data transmissions to pad the icon gallery / table.
Honestly, I'm not surprised - the most valuable thing most of these applications do is produce lucrative information that big budget marketers would love to sink their meathooks into.
There is nothing wrong with this business model per say, but doing it without the express consent with your users is wrong and making it personally identifiable is wrong.
With the Commerce Department and FTC reports both calling for better consumer protection, articles like this highlight how badly the current self-regulatory approach isn't working.
So they need to create paid versions and you pay for this stuff. A game of the same caliber of angry birds would sell for 20 bucks or so as a computer game. There you go, shell out the money. Oh wait since everyone wants it for free you better be willing to pay something. That something is something people see little value in giving away, but is of high value to advertisers.
Source link without the lifehacker bullshit: http://online.wsj.com/article/SB1000142405274870469400457602...
edit: Direct link to awesome visualization tool : http://blogs.wsj.com/wtk-mobile/