April 26, 2011

My Status / Location Tracking / SSH for Google Cr-48 Notebook Available

Hello all. As per iPhone Location Tracking Brouhaha in Perspective + Personal Status Note I have had to scale back everything drastically for now. I do want to thank everyone who sent notes of encouragement, and I apologize for not yet responding to each of you.

There are a couple of loose ends I'd like to deal with now. The first associated with location tracking issues, the second with some software I have available for the Google Cr-48 Chrome notebook.

The new controversies regarding smartphone location tracking data continue, and apparently there will be a Congressional hearing on the topic early next month.

My current understanding is that iOS (iPhone, iPad, etc.) is keeping a comprehensive unencrypted log of location data on the user devices, perhaps at cell tower/site/sector granularity, and (according to some reports at least) sending the data back to Apple at intervals (twice a day?)

Android is reportedly (I have not dug into my own rooted device yet to check this first hand) maintaining an overwriting cache (256 entries?) of similar granularity location data, which is routinely sent up to Google. In general, this represents a much less comprehensive source of location data at the device itself (vs. iOS), since the cache is constantly overwritten by new data. Also, the cache is only accessible directly to users with rooted devices (or via various forensic data extraction equipment). It is not clear to me at this time if this Android location data collection is or is not controllable by the user via the menu-based location options (and the query about location data collection that users receive when they initialize a new Android device).

My overall view on this all is that while I would prefer that users have complete control over location data tracking on any devices and regarding where that data is collected in the cloud, I think many critics of this situation are missing some key points.

I believe that overall the iOS log on the devices is much more dangerous than the Android cache, since the former is so comprehensive. And in California and apparently some other states at least, on-device data is subject to ad hoc extraction by authorities and others without a warrant even being needed.

On the other hand, location data stored at central servers is at least protected by the associated firms' privacy policies -- I assume for example that Google would not release that data without a warrant or other appropriate court order in most or all cases, which would be a much higher standard than the very similar location data collected by the cellular carriers themselves, and apparently frequently released by those carriers with a nod and wink to authorities -- without a warrant in many situations.

This all suggests that viewing this issue in isolation in terms of iOS or Android is a mistake -- that it is necessary to look more broadly not only at carrier privacy policies but also the varying and conflicting standards for protection of user data in different contexts (local devices, "transient" storage at ISPs and other services, "permanent" storage at those entities, and so on).

Ironically, this seems to be a situation where the "traditional" stronger protections from government access to data on a local PC (vs. the cloud) are reversed -- in this kind of tracking case the local device can end up more vulnerable to such data extraction than the cloud services.

Much of this points at the continuing urgent need for strengthening and harmonization of laws regarding data protection in these areas, which I know Google strongly supports. Unfortunately, it appears that the Obama administration, like administrations before it, is resisting key aspects of such efforts (for example, the Obama admin is now actively fighting attempts to give all cloud-based email appropriate protection from perusal by law enforcement with warrants), and results from similar efforts to improve data protection in the EU appear mixed and sometimes contradictory at best right now.

- - -

If you have a Google Cr-48 Chrome notebook and would like a full-featured, browser-based (Java applet) SSH, please let me know. Making this work on the Cr-48 turns out to be nontrivial since the platform doesn't currently have integral support for Java applets. However, this can be dealt with if your notebook is in "developer" mode. Having a full-blown SSH with a variety of terminal emulation modes, etc. in a browser tab (rather than having to use a text-based virtual terminal) can be very useful. I don't have detailed step-by-step install instructions written up yet, but I have it all working. If anyone has interest I have the necessary resources available for download and would of course pass along install notes.

Thanks as always. Take care, all.


Posted by Lauren at April 26, 2011 10:36 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein