Had an interesting conversation today with Aral Balkan and others via twitter, which began when Aral mentioned some concern over the iPhone analytics package available at Pinch Media.
If you don’t know what Pinch Media Analytics is (or analytics in general), there are multiple ways I could describe it. I could describe it as “spyware that secretly gathers information about you and sends it across the Internet without your permission.” Of course, that would be a carefully designed statement, specifically engineered and worded to scare you into thinking it was evil and dangerous, and generally just an attempt to create FUD (Fear, Uncertainty, and Doubt). Or, I could go the other way and carefully craft an innocuous description that makes it sound wonderful. But let’s instead look at the facts of what it is, what it does, and what it can and cannot be used for.
Basically, Pinch Media Analytics consists of a library that is compiled into an iPhone application and a web service. Generally, when the application starts, it pings the web service with a small amount of information (we’ll cover that in a minute) and when the application is about to terminate, it pings the service again. The developer may also choose to ping the service at other various points in the application. These pings are then aggregated on the server into various reports the developer can look at, such as how many unique users have installed the application, how often and how long they are using it, how many times the app may have crashed, even how many “cracked” (pirated) copies of the app are installed (a surprisingly high number). If the developer included additional intermediate pings, one might be able to see how many users are visiting different parts of the app or game, and how much time they are spending on each part.
So, what information is being sent? Let’s get the big one out of the way first. It sends, *gasp* your device id! This is the unique hardware id identifying your iPhone. Now that sounds pretty bad, right? But don’t go having a big knee-jerk reaction and freaking out. It’s not like it’s sending your social security number, driver’s license, credit card, or mother’s maiden name. It’s simply a unique number that is used to differentiate two different users, so if I had 10 plays of my game today, I can tell whether that was 10 different people or the same person playing it 10 different times. There is no way for Pinch Media or any other developer to link a device id to a particular person. I imagine that Apple could probably do that, since you registered the phone with them and made your account. But unless someone is a serious hacker capable of getting into Apple or AT&T’s databases, you don’t have much to worry about. And this is not some super secret hack that Pinch Media put together in their evil labs. It’s part of the standard, approved, iPhone SDK public API. You just say:
[c]
// Public UIKit API of the time (this accessor was later deprecated by Apple in iOS 5)
UIDevice *device = [UIDevice currentDevice];
NSString *uniqueIdentifier = [device uniqueIdentifier];
[/c]
and there you are. Furthermore, this id is used by all kinds of apps. If you’ve ever played a game and submitted a high score, you’ve most likely submitted your device id to the server that stores the high score. Chances are that many iPhone advertisements also make use of the device id to know how many impressions or clickthroughs are by unique users, as opposed to one developer clicking on his own ad over and over. I’m sure that the device id is used in many other ways by many other apps. So relax about it.
OK, what other data gets sent in the Pinch Media ping? Well, there’s an app id, which is a special id assigned by Pinch Media to a specific application, so they know what app to count the ping on. And various data about the hardware or software of the phone, such as whether it’s an iPod Touch or iPhone, what model, what OS, etc. It will also send location data, but it does that through CoreLocation, which automatically pops up a dialog asking the user if the application can access location first.
So, if you are running around telling people that Pinch Media is “secretly gathering information about you”, it’s definitely FUD. The only data that is remotely about YOU is your location, and it needs your permission to do so, so it’s not secret. All this is really no more than any web based analytics package can get right out of a browser – what kind of machine you are on, what OS and version, IP address, location, etc.
Now one problem people may have with this (one Aral voiced) is that a web application is on the web, but an iPhone application is like a desktop application that is trusted and installed and should not be “secretly” using any bandwidth, much less sending information, without explicit permission. I can see this point, but honestly, the lines between desktop applications and web applications are blurring more every day and I predict will be irrelevant at some point. And in the case of iPhone apps, I think it is irrelevant. An iPhone is a connected device. It’s an Internet device. Most interesting applications do have connectivity as a major component. High scores, dynamic content, web services, multiplayer, etc., etc. And I bet most of these send some or all of the same data Pinch Media is sending. Comparing this to an old fashioned desktop app that requires permission every time it talks to the net is simply a wrong comparison.
I also know that no matter what anyone says, some people will just be against the idea of any app sending any information for any purpose without express permission. Personally, I feel that is dogmatic, rather than pragmatic. “It’s my device, I should be in control of what gets sent where.” I see that as dogmatic and I’m not going to argue right and wrong with you. The simple fact is, that if you don’t want your device to send any information, you better just shut it off now.
Furthermore, Apple has taken app security pretty seriously. All 3rd party apps run in a very strict sandbox. Other than the information described above (device id, hardware and software versions, etc.) an app only has access to its own bundle – which includes data bundled with and installed by the application itself, and any data the user inputs into the application that the application then saves. There are, of course, hooks into other apps, such as the Photo Library and Contacts, but these require user interaction and permission. I can’t write an app that just reads all your contact info and photos and uploads them to my server behind your back.
The final point I made on Twitter was, “analytics != spyware”, since the s-word was being tossed around.
Spyware is intentionally malicious software, or malware. It is designed to collect personal information about a specific user and make use of that information to exploit that user or his/her machine in some way, and often does harm to the device it is installed on as well. Malware is often illegal and almost universally frowned upon. To call any legitimate analytics package spyware is completely unfair. Analytics sends aggregated anonymous data. The purpose of using a package such as Pinch Media’s is to see how your app is being used and how you might improve it to make it a better experience so that people will use it more. In my book, that is not malicious by any stretch of the imagination.
The general problem here is that one company accumulates information on my device id. Pretty much, they get my personal profile of preferences and habits. This is my personal information and in the worst case I should be paid if I choose to expose myself.
However, it is the same as what companies are currently doing with your banking and loyalty card data to provide you with targeted adverts.
Good overview. I just want to point out two things:
Apps can get your phone number with a private API call and your address book is open for any app to iterate over and ‘steal’ contact info. One of the early multiplayer games was doing that to help you find your friends and removed the feature after complaints.
Josh
No doubt, malicious developers can and will find ways to do malicious things. This is not about what could be done. If I found out that Pinch Media was doing something malicious, I would be the first to call them out on it. They won’t last long if they do something like that.
Here is specifically what Pinch collects:
“For each application run, Pinch Analytics collects the following information:
the application version
the device model (iPhone, iPhone 3G, iPod Touch, etc.) and OS version
the device’s unique identifier
the time the application started and stopped
any data you pass us as a custom action
the results of a simple piracy check
if CoreLocation is enabled (useCoreLocation:YES), the user’s latitude and longitude
if Facebook Connect for iPhone is enabled, the user’s age and gender
We also receive the standard information included with a regular HTTP request, like the user’s IP.”
“What does Pinch Media do with my data once it’s collected?
When data comes in the door, we take it and aggregate it into a variety of reports. These reports are then made available to you through a web interface, our CSV exports, and our full API. We also run some system-wide reporting – using your data, along with other applications’, to produce reports by price point, by application category, by operating system, and a variety of other dimensions. The raw data itself is backed up and securely stored so the aggregated tables can be recreated in case of emergency.
Our system-wide reporting is never made public unless it’s completely impossible to determine which applications’ data were used to create it – for example, we might release a report based off of fifty applications, but not one based off of three. We never share an individual application’s data with anyone without the application owner’s explicit permission”
“Can I track individual users?
No, absolutely not. We will never report on an individual user’s usage.”
Assuming what they say on their site is true, I see nothing malicious. The “system-wide” reports are things like this:
http://www.slideshare.net/pinchmedia/iphone-appstore-secrets-pinch-media?type=powerpoint
I don’t pay money to access webpages so I have to suck it up if they do all kinds of fancy tracking. But I do own my iPhone, and do own the appz and games I installed (like in: ‘paid money for it’), so why does the appz loyalty still belong to the developer? Did I only hire some right to use it or did I actually buy ownership? Why is it still sending data to the developer after I paid money to have that app? Did I pay money to let him sneak my usage info around? An opt-out would be honest.
“the results of a simple piracy check
if CoreLocation is enabled (useCoreLocation:YES), the user’s latitude and longitude
if Facebook Connect for iPhone is enabled, the user’s age and gender”
Why would any given user agree to sharing that information? How exactly (as in ‘specific’) will sharing that information improve my user experience?
Thanks for the article, Keith. I think we need such analytics options so that content developers can better understand their audiences. But it has to work in a way that the audiences find comfortable, too. Lots of work left to do.
One digression on the “webpage vs mobile” issue, though, is the current ubiquity of third-party tracking when you visit a website.
Your blog here is pretty clean, just notifying pistach.io, wordpress.com, amung.us, relaymonkey.com, and flashontap.com when a page is rendered. Aral’s page sends beacons out to a few more cross-website companies. Thankfully, neither weblog notifies the most prevalent cross-site tracking service:
http://news.ghostery.com/post/133685273/top-10-web-bug-trackers-on-the-web
In other words, we may already be in the position of the crab in the kettle on the slowly-heating stove…. 😉
I think a lot of the pain is in not knowing what the site or service is doing… having to wonder, to guess, about what data is being sent and how it is used. Does this seem plausible to you too…?
tx, jd/adobe
hmmm, Pinch collecting the info stated in your post, kp, and coupling that with Jeff’s comment, it doesn’t take much to put a name to the “anonymous” data. sure, Pinch’s collection may be benign (why do they need my location?) but by using several analytical tools in conjunction you can fill in the info blanks quite easily.
i don’t want my habits to be tracked without my permission. whether it be through my use of a Safeway Club Card (but they’re only tracking your GROCERIES–“oh so you buy a lot of booze/fatty foods/ice cream, we’d better inform your insurance company and tell them we can sell them info implicating you as a health risk”) or through Apple’s app store. this isn’t about user experience, unless by “UX” you mean the experience they want to sell you. analytics in these cases are simply a ruse by marketing folks who want to figure out what the best way to sell you their next product that you really don’t need is, how to upcharge you or where to add “freemium” services that once were truly free.
if they’re not doing anything shady, why not just come out and say so, let folks opt in and be done with it? it’s the secrecy here that really turns folks suspicious.
I love Apple, my new MacBookPro rocks and I think your blog is pretty awesome too. So please understand I am not trying to bash either of you. But I am concerned.
Any device that shares its uniqueness is a little scary. If Apple is serious about privacy they should hash the deviceID with the appID and send that value instead. But let’s face it, they want it for their own mining and don’t *really* care about your privacy…
I hear your argument and you are right to say analytics companies are really just trying to gather generic data that really talks about *your* app. I think the concern is really about what happens when a database containing personal information connected to your deviceID is compromised. At that moment the entire world can find out your most secret personal habits.
So despite the fact that you thought anonymous iPhone cash would protect you, we all now know that you were the one that spent 3 minutes of your lunch hour at the Lusty Lady last Tuesday afternoon. You called in sick but we had no idea you meant that.
🙂
Have a great day Keith
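An added example (not the post author’s code and not Pinch Media’s library) showing the unique-user counting the post describes for the device id, side by side with the app-scoped token Shannon suggests above. It goes one step beyond that suggestion by keying the hash with a per-app secret, since an unkeyed hash of an enumerable id is reversible by anyone holding a list of ids. App ids, device ids, secrets and pings are all constructed placeholders.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample pings: three devices, two apps; DEVICE-A runs app-001
# twice and also runs app-002. The ids are placeholders, not real UDIDs.
PINGS = [
    {"app_id": "app-001", "device_id": "DEVICE-A", "event": "start"},
    {"app_id": "app-001", "device_id": "DEVICE-A", "event": "start"},
    {"app_id": "app-001", "device_id": "DEVICE-B", "event": "start"},
    {"app_id": "app-002", "device_id": "DEVICE-A", "event": "start"},
    {"app_id": "app-002", "device_id": "DEVICE-C", "event": "start"},
]
# Constructed per-app secrets (hypothetical; held by each developer/vendor).
SECRETS = {"app-001": b"secret-for-app-001", "app-002": b"secret-for-app-002"}

def app_scoped_token(app_id, device_id, app_secret):
    """HMAC-SHA256 over app id + device id, keyed with that app's secret.
    Same device and same app -> same token, so unique-user counts still work.
    Different app -> an unrelated token, so two vendors' data sets cannot be
    joined on the device id. A cracked copy that leaks the secret only lets
    the holder recompute tokens for device ids it already knows."""
    msg = f"{app_id}:{device_id}".encode()
    return hmac.new(app_secret, msg, hashlib.sha256).hexdigest()[:16]

def raw_identifier(ping):
    """What the post describes: the hardware device id sent as-is."""
    return ping["device_id"]

def scoped_identifier(ping):
    """The mitigation: an app-scoped, keyed token instead of the raw id."""
    return app_scoped_token(ping["app_id"], ping["device_id"], SECRETS[ping["app_id"]])

def unique_users(pings, identify):
    """Distinct users per app, using whatever identifier `identify` returns."""
    users = defaultdict(set)
    for ping in pings:
        users[ping["app_id"]].add(identify(ping))
    return {app: len(ids) for app, ids in users.items()}

def cross_app_joinable(pings, identify):
    """True if one identifier shows up under more than one app id, i.e. the
    apps' data sets can be linked back to the same device."""
    apps_by_id = defaultdict(set)
    for ping in pings:
        apps_by_id[identify(ping)].add(ping["app_id"])
    return any(len(apps) > 1 for apps in apps_by_id.values())
```

Both identifiers give the same per-app unique-user counts; only the raw device id lets the two apps’ records be joined.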
Shannon, ok, but see, now you are talking about hacking and real malware, not analytics. Just because someone *could* do evil things with your data if they wrote an app that did so, really has nothing to do with an analytics package that does not do that.
I did an interview with Greg Yardley from Pinch Media this past Monday. His company is one of the ones that provide analytics for iPhone apps. You can listen to his side of the story and what he had to say to some of our questions at http://www.theappshow.com/2009-08-18-the-app-show-episode-36-are-your-iphone-apps-phoning-home/