There’s an ever-popular adage that summarizes this story: if you’re not paying for the product, you’re the product being sold.
The global smartphone market has led to a duopoly in phone software providers. Apple’s iOS rests on hardware Apple and Apple alone controls. Google’s Android software resides in hundreds of hardware configurations from dozens of manufacturers.
In both operating systems the phones come brimming with sensors. Accelerometers tell the phone how you’re holding it. GPS knows your location. Wi-Fi and cellular radios, gyroscopes, thermostats, FM radios, and more live in your pocket.
Smartphones have moved “personal computing” to a level of personal identification traditional laptops and desktops can’t imagine. The data they gather is handled differently across hardware, software, and apps. This data can be used by the manufacturer like LG or Samsung. Or it can be used by Google and Apple. Or by the app developer, like Uber, Yelp, or a game.
Adults, kids, and especially parents with kids need to understand what’s happening in their pocket. While most apps do an adequate job of protecting kids from predators, there is more to consider about privacy.
Similarities in software, differences in hardware
Both Apple and Google have privacy policies that reveal how you use your devices. Microsoft has the same on Windows. Your device is logging the length of your phone calls, what type of calls (i.e., roaming, on Wi-Fi, etc.), your phone’s location, the device you’re using, what apps you’re using, and more. For software developers this data is important. It tells Apple when they need to increase the hardware’s battery capacity. It shows Microsoft what features no one uses, or what’s popular and needs more attention. It tells Google how many old devices they need to support.
Apple, for their part, stands alone in their treatment of data. Per their privacy policy and to the best anyone has been able to determine, Apple stores data on the phone. Apple also anonymizes data that comes to their servers. A good example is Apple Maps and Google Maps.
When you start a trip, both applications fire up your phone’s GPS. It also uses Wi-Fi and cellular radios to triangulate your position within inches. Google is reporting this back to its servers to load map data, narrate the directions, and track your speed. This tells Google Maps where traffic delays are in real-time. It also tells it what businesses are most popular nearby and at what times. This helps millions of other Google users plan trips.
Apple Maps also uses the same radios and tracking technology. Except your device location is anonymized and sent to Apple through a random number, not your email address. Halfway to your destination, your iPhone will change your anonymized number to another anonymized number. Unlike Google’s sign-in with your Google Account, this data is deleted in 90 days. Only your iPhone knows where you are all the time.
This has downsides. Apple Maps lags in the sort of real-time transit, highway, and road condition data Google supplies.
This location history, whether it lives on your phone or on a server, is what “helps” your day. If Google knows you go to the gym at 5:30 every day, and it also knows an accident has traffic stuck on the way, it can alert you to leave early on a different route.
Android devices may have different policies based on their manufacturers. Samsung, for example, says they “may collect” all sorts of data and “may transmit” that data to third parties. For instance, every time you dictate a message to your phone that data has to go to a server for processing. That data may also go to a third party host that isn’t Samsung, but is on contract with them.
OnePlus, a popular brand of Android phones was caught funneling call logs to their servers. They’ve promised to dial-back the data collection. But when you hear of investigators using metadata to build a profile about a person’s whereabouts, this is what they’re talking about. Your phone, your ISP, and your cellular provider have a log of times and numbers and general-area location data about you.
On Android and iOS with Google Maps installed, Google records this information in a timeline viewable at https://google.com/maps/timeline. Cellular providers do not show what data is collected about customers.
The solution to this is “don’t use your phone”. But for many that’s a step too far considering the value these devices bring.
Apps and privacy invasion
Every time you load an app for the first time or use a feature within it for the first time, you’re asked to allow permissions. Sometimes these permissions are for microphone access. Camera, phone, contacts, and location access are also common. On Android, SMS access can be requested along with a host of other items, like calendars.
For some apps this makes sense. Instagram can’t do much without access to the camera. But it and Facebook don’t, for instance, need permission to view your Contacts. Most games don’t need location access, but some like Pokémon Go do.
If you want to know what an app is allowed to do, go to Settings > Apps and Notifications > Choose an App > Permissions on Android. On iOS go to Settings > Choose an App. Many permissions can be revoked with a toggle. This will, however, reduce or hinder some apps from working. Uber, for instance, won’t do anything without high-accuracy location reporting. Otherwise, how can it tell a driver where to go?
Sometimes app developers go rogue. One developer discovered that granting an app permission to see your photos can reveal your location. Because all of your photos are geotagged with GPS coordinates, a skim through your photo library can reveal all the places you’ve taken a photo. Your selfies leave a trail.
Uber was recording screen activity through loopholes in device security settings on both Android and iOS.
Facebook is the ultimate data-gatherer. It tracks your movement across devices, what stories you click on, how long you hover over a “like” button, and more. If you upload your contacts, it builds a picture of who you might know, and who your contacts might know. For example, if you and your spouse hire a Realtor, you both might add that Realtor into your contacts. If your husband has contact sync enabled in Facebook, it now knows your Realtor and husband know each other. Even if you don’t upload your contacts, Facebook can still figure this out. It knows you’re married, and if your husband knows this person you probably do, too. Limiting Facebook’s access to your contacts, calendar, and high-accuracy location reporting can help deter some of this. But if everyone else allows it to run loose, it doesn’t help you much.
Your web browser is another source of data collection. The searches you perform, the device you’re using, your location, and more all tracked in the browser. Google’s Chrome browser goes further by storing this data in your account. It feeds this information back to Google allowing them to show you relevant stories you might find interesting. Safari and Edge do similar tactics.
Some privacy-minded browsers, like Brave (a Chrome variant), and, to a lesser extent, Firefox, prevent tracking by default. The reason is because of advertising.
Advertising and marketing
Google is an advertising company. Facebook is an advertising platform. Amazon is a company that likes to advertise heavily. Microsoft makes money from advertising. Apple is a hardware company, making them one supplier that cares very little about ads.
One persistent myth is Facebook listening to your conversations. Stories abound of people talking about a restaurant or product and moments later seeing an ad for it. This is a myth. It’s more likely a confirmation bias. In the case of Facebook, Google, and Amazon’s Alexa service, it’s impossible that much audio data can be collected and parsed. The amount of audio that would be streaming around-the-clock through cellular towers would jam networks. There aren’t enough servers in the world to handle this data allotment. Even governments have to be choosy about what audio they collect.
Android spends more time tracking your location for ad reporting than Apple. Google says this feature and all their location data is private to you and controllable by you. This is true, but it doesn’t explicitly mention how Google uses that data for advertising. Like most Google services, location data is used to display targeted advertising. For instance, if you spend time at a clothing store you may see ads for shirts and pants from other brands later that same day.
This is how Facebook, Google, and others make money on “free” services like Gmail, Hotmail, Bing and Google searches, and more.
To take back control you’d need to disable location access across your phone. But you’d never be able to look at a map with it. To check on Android, go to Settings > Security and Location > Location. Turn tracking off. On iOS go to Settings > Privacy > Location Services.
Increasingly, body sensors are usable by advertisers. Phones and watches with heart-rate monitors, motion sensors, and other activity trackers can learn about you. This might help you stay fit. It might also help sell you a new pair of running shoes, tennis rackets, or a bicycle. To see what info Google has on you, visit https://myaccount.google.com > Personal info and privacy. You can also change the way data is collected by going to Activity Controls.
To see what Facebook knows about you, visit https://www.facebook.com/ads/preferences.
Advice for parents
It won’t win any parents any awards for “coolest mom or dad”, but the only way to protect a child from all of this tracking is not buying them a phone. Or if you do, purchasing a non-smart phone.
By law Google and others can’t collect data on minors for advertising purposes. In the U.S., a minor on the Internet is anyone under the age of 13. Other obvious restrictions remain in place for severe illegal activity and other adult material.
Google Accounts start early. So too for Facebook, which long forbid anyone under 13 from creating an account. They relented and made special accounts for kids after most just lied about their birthday.
Google is in schools across America. Classrooms use Google Docs, Sheets, and Search for legitimate classroom work. Those accounts also come with email inboxes for communicating with teachers and parents. They’re transferable to “adult” accounts after school, however. When a child graduates the data that wasn’t indexed before is now fair game. This lets Google develop an advertising profile of adults while they’re still children. Facebook approaches their “graduation” to adulthood similarly.
Parents should always enable parental controls. On Android and iOS this limits the kinds of apps children can buy. It limits media they can consume (like TV, movies, books, etc.) to controls you set. It can also alert you to device usage and your child’s location in the world (which requires both devices have location services enabled).
To use those features, however, you have to have an account with the service providers. You have to decide where the risks are and whether the benefits are worth it. Most will decide they are worth it.
Talk to your children about safe data management, profile creation, and Internet bullying. Teach them that the words and photos they put online are “forever”. Show them what companies glean from their interaction with devices. Educate them about being smart shoppers.
Kids need to learn what makes an academic source reliable or not. They also need to know how to discern advertising. One site’s sponsored article may not be true. Another site’s ads may not look like traditional ads.
Just as billboards along the highway are hard to ignore, so too are digital ads and accounts. The difference is the billboard doesn’t tell anyone who you are.