EU: App... because it just works
Category: News
By: T. Gawlick - 2B Advice GmbH - the privacy benchmark
How smartphones are becoming a data protection risk
Add-on programs (gadgets) for Apple's much-loved iPhone are fun, informative and don't cost anything. At least, that's what most users thought until recently. It's now become known that these little helpers do come at a cost after all - the cost of the user's privacy. Most applications contain software designed by the firm Pinchmedia, which sends a detailed information packet to the Pinchmedia server every time the gadget is started. The contents of this packet were listed as follows on www.Handelsblatt.com on August 21, 2009:
• Identification number of the iPhone
• Model description
• OS version
• Name and version of the application being used
• Whether this has been cracked or illegally downloaded
• Whether the iPhone has been cracked, meaning that the original software is no longer running
• Date and time when the app was started
• Date and time when it was closed
• Current location of the cellphone (as geocoordinates)
• Sex of the user, if he or she has linked their Facebook account to the iPhone
• The user's date of birth (incl. year), if the app 'Facebook Connect' is running
Precious few iPhone owners are aware that by agreeing to the T&Cs for the iTunes store, they've also agreed to transfer their user data via so-called "App Store Programs".
Users who manage to bypass the lock imposed by Apple, which only allows the downloading of programs from the App Store, can now find a counter-application, which is allegedly able to stop user data being sent to Pinchmedia and other data logging companies.
For companies, there are two important conclusions:
1. They must carefully consider whether the loss of privacy resulting from using an iPhone is compatible with their company's philosophy, and
2. If iPhones are used, then the onus is on the company to ensure that its employees can't make changes to their iPhones to release them from their 'App Store constraints'. Otherwise, it could happen that applications are installed that act as trojans - in the classical sense - and send both personal user data and company data (e-mails, mail attachments, saved documents, etc.).
